Extracting prog: 1h21m22.694279135s
Minimizing prog: 33m26.305242016s
Simplifying prog options: 0s
Extracting C: 21.675125194s
Simplifying C: 12m13.71292577s


extracting reproducer from 28 programs
testing a last program of every proc
single: executing 8 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): unshare-socket$inet_tcp-ioctl$sock_inet_SIOCADDRT-openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$selinux_commit_pending_bools-lseek-ioctl$VHOST_VDPA_GET_VQS_COUNT-openat$selinux_status-sendto-mmap-openat$ptmx-prlimit64-ioctl$TIOCGPTPEER-socket$inet6_tcp-setsockopt$inet6_tcp_TLS_TX-ioctl$ASHMEM_SET_NAME-mmap
detailed listing:
executing program 0:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): unshare-socket$inet_tcp-ioctl$sock_inet_SIOCADDRT-openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$selinux_commit_pending_bools-lseek-ioctl$VHOST_VDPA_GET_VQS_COUNT-openat$selinux_status-sendto-mmap-openat$ptmx-prlimit64-ioctl$TIOCGPTPEER-socket$inet6_tcp-setsockopt$inet6_tcp_TLS_TX-ioctl$ASHMEM_SET_NAME-mmap
detailed listing:
executing program 0:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-ioctl$BINDER_WRITE_READ-openat$kvm-ioctl$KVM_CREATE_VM-dup-ioctl$KVM_CREATE_VCPU-setsockopt$inet_udp_int
detailed listing:
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): preadv-openat$kvm-socket$inet_udp-setsockopt$inet_group_source_req-ioctl$KVM_CREATE_VM-ioctl$KVM_CAP_EXIT_HYPERCALL-socket$inet6_tcp-getsockopt$inet6_int-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-syz_init_net_socket$bt_hci-setsockopt$sock_int-bind$bt_hci-fsopen-fsconfig$FSCONFIG_CMD_CREATE-fsmount-fchdir-open-lseek-ioctl$KVM_SET_MSRS-socket$inet6-setsockopt$inet6_int-connect$inet6-ioctl$KVM_RUN-fremovexattr-mount$binderfs-ioctl$KVM_CREATE_VCPU-syz_init_net_socket$bt_sco-setsockopt$sock_int-ioctl$KVM_SET_VCPU_EVENTS
detailed listing:
executing program 0:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-madvise-syz_usb_connect-syz_usb_control_io-madvise
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-ioctl$BINDER_WRITE_READ-openat$kvm-ioctl$KVM_CREATE_VM-dup-ioctl$KVM_CREATE_VCPU-setsockopt$inet_udp_int
detailed listing:
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-madvise-syz_usb_connect-syz_usb_control_io-madvise
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): preadv-openat$kvm-socket$inet_udp-setsockopt$inet_group_source_req-ioctl$KVM_CREATE_VM-ioctl$KVM_CAP_EXIT_HYPERCALL-socket$inet6_tcp-getsockopt$inet6_int-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-syz_init_net_socket$bt_hci-setsockopt$sock_int-bind$bt_hci-fsopen-fsconfig$FSCONFIG_CMD_CREATE-fsmount-fchdir-open-lseek-ioctl$KVM_SET_MSRS-socket$inet6-setsockopt$inet6_int-connect$inet6-ioctl$KVM_RUN-fremovexattr-mount$binderfs-ioctl$KVM_CREATE_VCPU-syz_init_net_socket$bt_sco-setsockopt$sock_int-ioctl$KVM_SET_VCPU_EVENTS
detailed listing:
executing program 0:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})

program did not crash
single: failed to extract reproducer
bisect: bisecting 28 programs with base timeout 6m0s
testing program (duration=6m7s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [12, 3, 28, 29, 30, 14, 8, 6, 15, 11, 30, 30, 9, 18, 18, 30, 5, 7, 16, 5, 30, 8, 7, 3, 9, 22, 18, 18]
detailed listing:
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x101, 0x2})
mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1)
lsetxattr$security_selinux(0x0, &(0x7f0000000040), 0x0, 0x0, 0x2)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x44, 0x0, &(0x7f0000000180)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x56, 0x0, &(0x7f0000000200)="c9bac357996de08b7e48f731bfa4ff07fcbe3c53f1e1eee9c14e12b11d39281b63a9cad082ceb2d83206f762f39c5670788d03139be0f70a8780b022dd688c5b166950bc7de4298a9b6eba9895b527af322b7e426703"})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000004c0)={0x8, 0x0, &(0x7f0000000000)=[@increfs], 0x0, 0x0, 0x0})
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0) (async)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x101, 0x2}) (async)
mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) (async)
lsetxattr$security_selinux(0x0, &(0x7f0000000040), 0x0, 0x0, 0x2) (async)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x44, 0x0, &(0x7f0000000180)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x56, 0x0, &(0x7f0000000200)="c9bac357996de08b7e48f731bfa4ff07fcbe3c53f1e1eee9c14e12b11d39281b63a9cad082ceb2d83206f762f39c5670788d03139be0f70a8780b022dd688c5b166950bc7de4298a9b6eba9895b527af322b7e426703"}) (async)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000004c0)={0x8, 0x0, &(0x7f0000000000)=[@increfs], 0x0, 0x0, 0x0}) (async)
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
openat$ppp(0xffffffffffffff9c, &(0x7f0000000140), 0x32000, 0x0) (async)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 0:
mknodat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
socket$netlink(0x10, 0x3, 0x0)
pipe2$9p(&(0x7f0000000240)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x800, 0x0)
ioctl$KVM_CHECK_EXTENSION(r3, 0xae03, 0x60)
write$P9_RVERSION(r2, 0x0, 0x0)
r4 = dup(r2)
mount$9p_fd(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000004380), 0x1814800, &(0x7f0000000080)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r4}, 0x2c, {[{@afid={'afid', 0x3d, 0x8}}], [], 0x6b}})
r5 = syz_open_procfs(0x0, &(0x7f00000003c0)='mountinfo\x00')
r6 = open(&(0x7f0000000200)='./bus\x00', 0x141a42, 0x0)
sendfile(r6, r5, 0x0, 0xffffffff)
mknodat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x0, 0x0) (async)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) (async)
getpid() (async)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) (async)
socket$netlink(0x10, 0x3, 0x0) (async)
pipe2$9p(&(0x7f0000000240), 0x0) (async)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x800, 0x0) (async)
ioctl$KVM_CHECK_EXTENSION(r3, 0xae03, 0x60) (async)
write$P9_RVERSION(r2, 0x0, 0x0) (async)
dup(r2) (async)
mount$9p_fd(0x0, &(0x7f0000000180)='./file0\x00', &(0x7f0000004380), 0x1814800, &(0x7f0000000080)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r4}, 0x2c, {[{@afid={'afid', 0x3d, 0x8}}], [], 0x6b}}) (async)
syz_open_procfs(0x0, &(0x7f00000003c0)='mountinfo\x00') (async)
open(&(0x7f0000000200)='./bus\x00', 0x141a42, 0x0) (async)
sendfile(r6, r5, 0x0, 0xffffffff) (async)
executing program 0:
syz_usb_connect(0x3, 0x3d1, &(0x7f0000000840)=ANY=[@ANYBLOB="120151017cda560899040c504d99010203010902bf030180041010090459fdffffff8c7f0924020240000600100a2401ffff09020102090506102000060e0607250183023edf0905800000045f010e41235272b3f79983c4204f6b756b4be2e54563bb315b16ea4c447f23da826e92c7429a4d313ae69379ba6c045dbe2a0fea020fbf56187121ac7a2b87b21968c7e009050003ff03c507bf07250182460b80110e26920f010407250101d1040009050804ff030c0301072501810401000725010005e894090505102000ffb9109a0fda4ac0cec88ab0546378b0c5400aeb316e7b0436395e6e88ebd8eda3d763a69f5d1a5b5588eeeb62aecf249e70e583a11dd5c7a678fd3754e84b3ddddea45d58e3d8da100a2eb86c18baa82dba8017a4ee34c4553ea3f07851aeabd91495ee278cc88bf4a6a79a770b332c9c1d2616fa1325626322e709d3b1742f6a7039475c650db48674d5ca43cb2a07d08ecc764a1961b68ab571d25909050c00ff03020500ba22729b94adab4afd1d64d6f374d8ffc36591f434058eab6d1a5eef6dfa00f4fc41dbf167b89defe9f39403ec97e9727a761534c934716fdb2ac10b0abdd027d92bfa731c23cd8b53c815fcc87f17c7f19b89fc16cefb4489013a09720defafd803b0625878acc0f8a9848cdb67fcb05422f0662a2f9c6fcef8716b500fc446cbed3c6477a5335840e5de12f9f54e33a71c93eb948690140ada1f7192214fd48695f2b552f278a6d8eeca4d38b555544504f6413d20b579633c26c479e6c71e446907080e41459816481709050a00080008012407250181026a1fbe10cbd9865ad72e8f7224e263d7778537a000ffb875357a8761eabaa65eea295e5565c896dd9a3ab17f87f6e891449ac75a5382e0f9e8a90a3ca4080d41cc27db4a46601af2fe3705f60da560b36fe5d413d64f34f223206e41976e9a26033167e7fd86c7f66ffea026e2ee0f9ebcd301efaf9bd73d5e18b56b70a791efc0bfa1fb431e83f5ef0dd6612957bb7d09a88d134271c79028815cdb7f64aee489aa3ca0222cf8f0f163ce0e4fd69a2ee4441a0b4053ed8c5b738684174fc20d09050600ff03b60502c50aa92b8546660a5b2142b293c978c828093b8fb53ba0a5462a0398176d683e85a77bc1e538411660a0068e0875c33348f426ccaf484aca2320d02c61f5db5c2a06d9fe7cdbc76fbb67786513794818cc4f65bd921e752c193824e6d285d89db3f23df45a6ffeddd4701577e86b8d32e6071787f41ef9ab221adb30b37c85e29d92ed17268ead1c841093b324273d3bdaf4ed36a0f91f60f89f8eaf0848415fdd56ab4c2b604f7ee09a0d175fe7322bf20b07644ee22b714e065cb0fb62e7ba870991a46ec11e2c55697d625b90fa403270a71604d5cfd6f1e9d9efe98911f9e2a2b14f3e06dbb30cb7e5df810d04cd4cab2f0a70f93483a84da26c"], &(0x7f0000000240)={0x0, 0x0, 0x5, &(0x7f0000000180)=ANY=[@ANYBLOB="050f05000017a2a1874d7a"], 0x2, [{0x0, 0x0}, {0x0, 0x0}]})
r0 = memfd_secret(0x80000)
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
r1 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1)
recvmmsg(r1, &(0x7f0000004400), 0x0, 0x10001, 0x0)
ppoll(&(0x7f0000000280)=[{r1, 0xc0}], 0x1, 0x0, 0x0, 0x0)
openat$pidfd(0xffffffffffffff9c, &(0x7f0000000080), 0x400, 0x0)
mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x10, r0, 0xf1590000)
r2 = socket$inet6(0xa, 0x80001, 0x0)
r3 = userfaultfd(0x801)
ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000001c0))
ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000580)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x2})
r4 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r4, 0xc018aa3f, &(0x7f00000000c0))
sendmmsg$inet6(0xffffffffffffffff, &(0x7f00000006c0)=[{{0x0, 0x0, 0x0}}, {{&(0x7f0000000100)={0xa, 0x4e23, 0x10001, @remote, 0x2}, 0x1c, 0x0}}], 0x2, 0x4000004)
sendmmsg$inet(0xffffffffffffffff, &(0x7f0000002c40)=[{{0x0, 0x0, &(0x7f0000000e80)}}], 0x1, 0x0)
sendmsg$NFULNL_MSG_CONFIG(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000009c0)=ANY=[], 0x24}}, 0x0)
r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r6, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r6, r5, &(0x7f00003a1000/0x18000)=nil, &(0x7f0000000100)=[@text32={0x20, &(0x7f0000000000)="9a01000000f800b8d58800000f23d00f21f8351000000d0f23f864640f79ea66baf80cb8c85f5480ef66bafc0cecc4c2adac17b9550200000f320f2860c7c4e11751df0f2e2d00000080b9800000c00f3235008000000f30", 0x58}], 0x1, 0x4a, 0x0, 0x0)
ioctl$KVM_SET_GUEST_DEBUG_x86(r7, 0x4048ae9b, &(0x7f0000000080)={0xe0003, 0x0, {[0xffffffffffffffff, 0x1f8, 0x83, 0xffffffffefffff15, 0x3, 0x4, 0x4, 0x4]}})
ioctl$KVM_RUN(r7, 0xae80, 0x0)
ioctl$UFFDIO_REGISTER(r4, 0xc020aa07, &(0x7f00000002c0)={{&(0x7f00005ae000/0x4000)=nil, 0x4000}, 0x3, 0x2})
setsockopt$inet6_MCAST_JOIN_GROUP(r2, 0x29, 0x2a, &(0x7f0000fca000)={0x100000001, {{0xa, 0x0, 0x0, @mcast1}}}, 0x88)
setsockopt$inet6_group_source_req(r2, 0x29, 0x7, &(0x7f0000000200)={0x1, {{0xa, 0x0, 0x0, @local}}, {{0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @local}}}}, 0x108)
setsockopt$inet6_group_source_req(r2, 0x29, 0x2e, &(0x7f0000000400)={0x5, {{0xa, 0x4e21, 0x200000b, @mcast2, 0x10000}}, {{0xa, 0x4e23, 0x0, @ipv4={'\x00', '\xff\xff', @multicast1}, 0xdbd4}}}, 0x108)
executing program 1:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
socket$igmp6(0xa, 0x3, 0x2)
sigaltstack(&(0x7f0000000000)={0xffffffffffffffff, 0x0, 0xfffffffffffffefa}, &(0x7f0000000080)={&(0x7f0000000040)})
futex(&(0x7f000000cffc)=0x1, 0x6, 0x0, 0x0, 0x0, 0x2)
futex(&(0x7f000000cffc)=0x2, 0x5, 0x10000, 0x0, &(0x7f0000048000)=0xffffffff, 0x0)
r0 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xc, &(0x7f0000000140)={0x1, &(0x7f0000000200)=[{0x6, 0x1, 0x7, 0x7fffffff}]})
socketpair(0x29, 0x1, 0x7, &(0x7f0000000180))
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
close(r1)
socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f00000000c0)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x2, 0x0, 0x4, 0x3, {0xa, 0x4e23, 0x21, @private2={0xfc, 0x2, '\x00', 0x1}, 0x7}}}, 0x32)
ioctl$PPPIOCGMRU(r1, 0x80047453, &(0x7f00000005c0))
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$SECCOMP_IOCTL_NOTIF_RECV(r0, 0xc0502100, &(0x7f0000000540))
r3 = socket$nl_audit(0x10, 0x3, 0x9)
r4 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCETHTOOL(r3, 0x8946, &(0x7f0000000380)={'team_slave_0\x00', &(0x7f00000000c0)=@ethtool_pauseparam={0x8, 0x7, 0x10006, 0x6}})
r5 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000040), 0x161142, 0x0)
r6 = memfd_secret(0x80000)
mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x13, r6, 0x0)
ftruncate(r6, 0x3)
write(r5, &(0x7f0000000400)="547bbee68789313efe846d6698abfeac0d12b144933fa6f684f1ba13b34680bf4b9ea70f71faa2a82a45ab47458c1f827355ad34033fbb8b9699eb0b279252dfcf29e377e14dcfbde42857cbf2aa88d3dad8ec2deea7afe4e747fa392fe01d425970fb2dd7a000ea3889f0d9021f347818106963e18c256e3df26b41c61d30284a8ad61c6269756119d62e3a7a24c1dcd09d3eb35dfee6ec945ac190c4797988e0d7f6f38bf9b124431dd8208a9208195a70c8e558c216e78d5f5b3f6df6f155e16bf7dd8f4e9eaf61d5142a82da7a87aeca19c25b631cd8a14ce9f2fc8dbcd05f51dc9260abc82d780c9358bd6411ebf48520694d413024432d0bfc3759a620289c9c8705009fd829da6eb5b72b454436b0af8e9dc4941ca2cff92561cad984e15849dcd73f04c7f70a30304da2fbc17f421767ad5ce47ed79d6698428eada9a39faa02f978699bc8c482224a2d5f85cc1135ea92ac1c610e32f1e7c82da6d91e0c8634da679760c32c3e891db352b76b61a65bbdd023e093a8e0d37fd8cd00679cb1bceaac84b05861740c221b2cb4afa1ce8b091c815fc4bd83995b5bf5dcdf2912572cf6180ec27445404917ff9e8e6604e2afc19a1bb3745914f0a101e03e44ea5f64d40402f12a81310c97086fb01d04e82799c40f29348eb283ad58a40d608a47fbf9a25dbb308aa03b2425ffa896e1a70a37cf49e6dbdeda39ee88aadb26811eba78a0dfe5400a51428c31582edcc5f75b5dd963707a54b9b1e35f9966995d6474acbf7094124cecf38369aba3f6a5e3ad071f5e3df902843a3947623fe01571d97625c3e27721b08a6f85fd7b879acd400de5beabdd2603d566fdb4018bf8bd74c3ea1ae67c988992c7dab4ebcf501a73815e1b527d3ff1cf9e729d55127118565f794d253fef25609e5a415615d1b5fca5381b49446d9b9e75fbfcdd9218b0d8d8d965871b897544e32fd0b4cb5600ffdcdb0056bcad75216759590f8a94db82b0acd2a5a34e5c34241a19f1a7a7cceb894341f55c6b474f3cc052f9863a67519dfadee6576f08d7448929424c13e845e2e636b87dc14e1ab4ad05d69f896ca1bc5c1267befb686c4207e21aa30bdae1d1602d3e4080784834e213c426ba5446f90d3b3885a5d6942c6b0e637f5bb9c7908460bd7d04497ab054c8fc7f89068f7535976ad051bfe94c243ce7604a63b2099b69f1ed73590a318fad9a170fa0cddfe60e981a92de2e1aab3465b11a968108e08deadfa1fa546c4cbc0c34ac28597848562583ae8d93cb60f2e06c7a1f743add51eb8cd732b40d48fde00117cb2d654100dfcc66b7c9fefac80e137caa5cf43ae897780251a3ebbc4ddd3b003168963c9e2c9446cb29731fc4bbb5e551aca6913f7b8576ce34012581b5a363917970399ca369688e637cf06ff3c8114383d2fcbf9c69f1ca63cd21695254a440df5ef0a8abfdbd0a651a533b6cdb82382e3bd70f87c1d3eb0a6e22452605026fafe6d35158c0728c1050a39330c80ee2ee0b09366fc6382883ecd0796feec657b36aee4091471e406e9faffd5ede27943e5fbf1b7249ab8bad71f60063697f04db52e980a9fb3eb5e53b89be8a5f0e6afea7435789ecd444c28eb411cdc2158e434178749f36cc957dbd17efb2b218592f78d6864f2708e8c6db2da0d3f6de53959afec0c90d3d62a13a0bc3857bce58d81223eddd05cf3c1ec6b3fc5307d0f16d470f2065300295197e9fa81d2e5574b2c7b18f1c6c85156a9b1174d62dcd3cb026f4b67e6babd66c8f427b9687585f37b18c82e0100507035e78ce010b78ea1b5d3884db25df36ae929dd535a854a31cba5e47655873df72be7463c600b704e9da0e7cb2d61d0710248814ecced2eef8f227c8aec308c2c9d0a39d1a6b306080e8eaef8edece0f6d0d1612c582d70c3999a1a6bd529538f51ba4869ce74bc8509a7126d96db118cdb55411a36f4361d53c8027c12a7486e9c84e4de445b454630be27bdc2ec268702d9c1890297bdd1fc7a235f1a47f4645d286146f3cb9a7ce650f4157a1e7f134eb1815001d59905d3103efad3c66479330e8a5da941c9c38bf21bc0770e3fd56cafa19ad6e9d51f94ed4f900062b5602653aacdcc956aeecfb1dd613caf918e1ca8ef2e1504c4276", 0x5f5)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
accept4(r4, &(0x7f00000000c0)=@pppoe={0x18, 0x0, {0x0, @link_local}}, &(0x7f0000000140)=0x80, 0x80000)
ioctl$TCSETS(0xffffffffffffffff, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
syz_open_pts(0xffffffffffffffff, 0x0)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
executing program 3:
r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_usb_connect$hid(0x5, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x56a, 0x32b, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x50, 0x3, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x2, 0x0, {0x9, 0x21, 0x0, 0x8, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x0, 0x7, 0xa, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r2, 0x0, 0x0)
sendmsg$netlink(0xffffffffffffffff, &(0x7f0000001080)={0x0, 0x0, &(0x7f00000002c0)=[{&(0x7f0000000300)=ANY=[@ANYBLOB="240000002800010023bd700000000000050000000c000000000000f7ffffffff"], 0x24}], 0x1}, 0x0)
read$FUSE(0xffffffffffffffff, &(0x7f0000001180)={0x2020}, 0x2020)
r3 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000300)=ANY=[@ANYBLOB='0\x00\x00\x00$'], 0x30}], 0x1}, 0x0)
syz_usb_control_io$hid(r2, &(0x7f00000001c0)={0x24, 0x0, 0x0, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\"\a'], 0x0}, 0x0)
r4 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000d80), r1)
sendmsg$IEEE802154_DISASSOCIATE_REQ(r1, &(0x7f0000000e80)={0x0, 0x0, &(0x7f0000000e40)={&(0x7f00000003c0)=ANY=[@ANYBLOB="14000000", @ANYRES16=r4, @ANYBLOB="010129bd70fb979b76e424"], 0x14}, 0x1, 0x0, 0x0, 0x20000040}, 0x4810)
r5 = openat$selinux_avc_hash_stats(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
fsmount(r5, 0x0, 0x1)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xd, 0x10, r0, 0xffffb000)
executing program 3:
r0 = socket$inet(0x2, 0x4000000000000001, 0x0)
bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @local}, 0x10)
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
clock_nanosleep(0x8, 0x0, &(0x7f0000000000)={0x77359400}, 0xfffffffffffffffe)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"})
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil)
executing program 1:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
r1 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_NEW(r1, &(0x7f00000002c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f0000000300)={&(0x7f0000000500)={0x130, 0x0, 0x1, 0x3, 0x0, 0x0, {0x5, 0x0, 0x1}, [@CTA_TIMEOUT={0x8, 0x7, 0x1, 0x0, 0x9}, @CTA_HELP={0x10, 0x5, 0x0, 0x1, {0x9, 0x1, 'snmp\x00'}}, @CTA_SEQ_ADJ_ORIG={0x54, 0xf, 0x0, 0x1, [@CTA_SEQADJ_OFFSET_BEFORE={0x8, 0x2, 0x1, 0x0, 0x5}, @CTA_SEQADJ_OFFSET_BEFORE={0x8, 0x2, 0x1, 0x0, 0x7}, @CTA_SEQADJ_CORRECTION_POS={0x8}, @CTA_SEQADJ_CORRECTION_POS={0x8, 0x1, 0x1, 0x0, 0x1}, @CTA_SEQADJ_CORRECTION_POS={0x8, 0x1, 0x1, 0x0, 0xe2}, @CTA_SEQADJ_OFFSET_AFTER={0x8, 0x3, 0x1, 0x0, 0x8}, @CTA_SEQADJ_OFFSET_AFTER={0x8, 0x3, 0x1, 0x0, 0x6ed2be8d}, @CTA_SEQADJ_CORRECTION_POS={0x8, 0x1, 0x1, 0x0, 0x2552}, @CTA_SEQADJ_OFFSET_BEFORE={0x8, 0x2, 0x1, 0x0, 0xe}, @CTA_SEQADJ_CORRECTION_POS={0x8, 0x1, 0x1, 0x0, 0x3}]}, @CTA_TUPLE_ORIG={0x70, 0x1, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x88}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x6}}, @CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @local}, {0x14, 0x4, @mcast1}}}, @CTA_TUPLE_IP={0x14, 0x1, 0x0, 0x1, @ipv4={{0x8, 0x1, @empty}, {0x8, 0x2, @broadcast}}}, @CTA_TUPLE_IP={0x14, 0x1, 0x0, 0x1, @ipv4={{0x8, 0x1, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x8, 0x2, @local}}}]}, @CTA_MARK_MASK={0x8, 0x15, 0x1, 0x0, 0x2}, @CTA_TUPLE_ORIG={0x30, 0x1, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x11}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0xb9}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x1}}, @CTA_TUPLE_ZONE={0x6, 0x3, 0x1, 0x0, 0x1}]}, @CTA_TIMEOUT={0x8, 0x7, 0x1, 0x0, 0xf4}]}, 0x130}, 0x1, 0x0, 0x0, 0x404c000}, 0x240440c0)
sendmsg$nl_xfrm(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000003c0)=@updpolicy={0x13c, 0x19, 0x1, 0x0, 0x0, {{@in6=@private2={0xfc, 0x2, '\x00', 0x3}, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x5e}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4}, {0xfffffffffffffffd}}, [@tmpl={0x84, 0x5, [{{@in6=@empty, 0x0, 0x6c}, 0x0, @in6=@mcast1, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x1}, {{@in6=@mcast1, 0x0, 0x3c}, 0x2, @in6=@dev={0xfe, 0x80, '\x00', 0xe}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3}]}]}, 0x13c}}, 0x50)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_GET_NODE_INFO_FOR_REF(r2, 0xc018620c, &(0x7f0000000000)={0x1})
executing program 1:
mknodat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x0, 0x0)
pipe2$9p(&(0x7f0000000240)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000040)=ANY=[@ANYBLOB="5900000065ffff0010000008023950323030302e75"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000100)={0x18}, 0x18)
r3 = socket$inet6(0xa, 0x3, 0x1)
connect$inet6(r3, &(0x7f0000000200)={0xa, 0x4ea3, 0x0, @mcast2, 0x3}, 0x1c)
sendmsg(r3, &(0x7f00000000c0)={0x0, 0x9511, &(0x7f0000000100)=[{&(0x7f0000000000)="2c10", 0xfff2}], 0x1, 0x0, 0x0, 0x2c}, 0x44004)
write$FUSE_INIT(r2, &(0x7f0000001740)={0x50, 0x0, 0x0, {0x7, 0x21, 0x0, 0x14210000, 0x7d, 0x1005, 0x0, 0x3}}, 0x50)
r4 = syz_genetlink_get_family_id$batadv(&(0x7f0000000140), r1)
sendmsg$BATADV_CMD_GET_BLA_BACKBONE(r2, &(0x7f0000000340)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x34, r4, 0x1, 0x70bd2c, 0x25dfdbff, {}, [@BATADV_ATTR_BONDING_ENABLED={0x5}, @BATADV_ATTR_GW_BANDWIDTH_UP={0x8, 0x32, 0x200}, @BATADV_ATTR_AGGREGATED_OGMS_ENABLED={0x5}, @BATADV_ATTR_ISOLATION_MARK={0x8, 0x2b, 0x11}]}, 0x34}, 0x1, 0x0, 0x0, 0x20000000}, 0x200000c0)
mount$9p_fd(0x0, &(0x7f0000000300)='./file0\x00', &(0x7f0000004380), 0x181c800, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r2}, 0x2c, {[{@uname={'uname', 0x3d, 'igp\xfe\xcb:qv5\x91\x02\xa8\xa9!'}}, {@noxattr}, {@version_L}], [], 0x6b}})
r5 = syz_open_procfs(0x0, &(0x7f00000003c0)='mountinfo\x00')
r6 = open(&(0x7f0000000200)='./bus\x00', 0x141a42, 0x0)
sendfile(r6, r5, 0x0, 0xffffffff)
executing program 1:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000500), 0x0, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x9)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000300)='./binderfs/binder0\x00', 0x0, 0x0)
syz_io_uring_setup(0x149d, &(0x7f0000000280)={0x0, 0x317, 0x1000, 0x3, 0x36b}, 0x0, 0x0)
bind$inet6(0xffffffffffffffff, &(0x7f00000002c0)={0xa, 0x4e24, 0x1, @empty, 0x65}, 0x1c)
r1 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r1, 0x107, 0xf, &(0x7f0000000100)=0x207, 0x4)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000040)={'bridge0\x00', <r2=>0x0})
sendto$packet(r1, &(0x7f00000002c0)="05031600d3fc141200004788031c09102c28", 0xfce0, 0x4, &(0x7f0000000140)={0x11, 0x86dd, r2, 0x1, 0x0, 0x6, @multicast}, 0x14)
mmap(&(0x7f0000701000/0x1000)=nil, 0x1000, 0x0, 0x12, r0, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x36)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/custom0\x00', 0x1003, 0x0)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
close(r1)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @multicast1}, 0x2}}, 0x2e)
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000002700))
r2 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000840)=ANY=[@ANYBLOB="1201000000000040f30455070000000000010902240001000040b109040000010300010009210101000122050009050003ff030c0000ebbac564734796af53f8a5fcbfe39cd1c81963ccf220498f4b260ef6453e08b2e31f03f1f8612ec32fabea6d6d70"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000340)={0x2c, &(0x7f0000000040)=ANY=[], 0x0, 0x0, 0x0, 0x0}, 0x0)
r3 = syz_open_dev$hidraw(&(0x7f0000000240), 0x10007f, 0x10100)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f00000003c0), r4)
sendmsg$ETHTOOL_MSG_TSINFO_GET(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000500)=ANY=[@ANYBLOB="edfa5358e1cb95f584dedf9479e1337d7c", @ANYBLOB="c5153284fbedf3cf903a41a14adf070731125250c271a679984b55ee432d58", @ANYBLOB="010028bd7000fcdbdf25190000002000018008000300060000001400020076657468315f6d616376746170000000", @ANYRES16=r0, @ANYRES16=r1], 0x34}, 0x1, 0x0, 0x0, 0x20008810}, 0x91)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r3, 0x81f8943c, 0x0)
r5 = socket$inet(0xa, 0x801, 0x6)
r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
ioctl$KVM_GET_PIT(0xffffffffffffffff, 0xc048ae65, &(0x7f0000000280))
accept4(r5, 0x0, 0x0, 0x0)
r8 = pidfd_getfd(0xffffffffffffffff, r0, 0x0)
write$P9_RXATTRCREATE(r8, &(0x7f0000000100)={0x7, 0x21, 0x1}, 0x7)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x138a, 0x1000000003})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
r9 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r9, &(0x7f0000000440)=@name={0x1e, 0x2, 0x2, {{}, 0x2}}, 0x6f)
bind$tipc(r9, &(0x7f0000000080)=@nameseq={0x1e, 0x1, 0x1, {0x41, 0x1, 0xfffffffd}}, 0x10)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
socket(0x840000000002, 0x3, 0xff)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)
executing program 3:
mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x1, 0x40010, 0xffffffffffffffff, 0x0) (async)
r0 = socket$netlink(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0xc, &(0x7f00000000c0)=0x8004, 0x4) (async)
sendmsg$netlink(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)=[{&(0x7f0000000100)={0x18, 0x56, 0x601, 0x0, 0x0, "", [@typed={0x7, 0x0, 0x0, 0x0, @str='\x00\x00\x00'}]}, 0x18}], 0x1, 0x0, 0x0, 0xea}, 0x0) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000200)='fdinfo/3\x00')
read$FUSE(r2, &(0x7f0000000a40)={0x2020}, 0xc7) (async)
ioctl$SIOCSIFHWADDR(r2, 0x8924, &(0x7f0000000000)={'rose0\x00', @local}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000fc0)=[@reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
executing program 0:
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
write$uinput_user_dev(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
mremap(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x3000, 0x0, &(0x7f0000ffd000/0x3000)=nil)
madvise(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x16)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x5}, 0x1c)
setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0)
write(r0, 0x0, 0x0)
r1 = dup(r0)
ioctl$MON_IOCX_GET(r1, 0x40189206, &(0x7f0000000240)={&(0x7f0000000140), &(0x7f0000000180)=""/188, 0xbc})
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='devices.list\x00', 0x275a, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f0000000740)={0x30, 0x5, 0x0, {0x0, 0x2, 0x0, 0x84ae}}, 0x30)
r3 = syz_open_procfs(0x0, &(0x7f0000000040)='fd\x00')
fchdir(r3)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r2, 0x0)
open(&(0x7f0000000000)='./bus\x00', 0x80001, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_FREEZE(r4, 0x400c620e, &(0x7f0000000100)={0x0, 0x1, 0x800})
executing program 3:
r0 = eventfd(0x7e)
write$eventfd(r0, &(0x7f0000000040)=0x5, 0x8)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='cpuacct.usage_percpu_user\x00', 0x275a, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_dev$usbfs(&(0x7f0000000300), 0xb, 0x101301)
ioctl$USBDEVFS_IOCTL(r2, 0xc0105512, &(0x7f0000000200))
ioctl$USBDEVFS_IOCTL(r2, 0x80045505, &(0x7f0000000040)=@usbdevfs_connect)
r3 = fsopen(&(0x7f0000000040)='proc\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r3, 0x6, 0x0, 0x0, 0x0)
fsmount(r3, 0x0, 0x0)
fsconfig$FSCONFIG_CMD_RECONFIGURE(r3, 0x7, 0x0, 0x0, 0x0)
vmsplice(0xffffffffffffffff, &(0x7f00000000c0), 0x0, 0x1)
ioctl$LOOP_SET_STATUS(0xffffffffffffffff, 0x4c02, 0x0)
ioctl$USBDEVFS_RESETEP(r2, 0x80045503, &(0x7f0000000080)={0x7})
sendmmsg$inet6(r1, &(0x7f0000001a00)=[{{0x0, 0x0, &(0x7f0000000880)=[{&(0x7f0000000340)="04f360710f55c24abb24327a6e6ed0f4e530cccaec1dd6d3b7dc2038c5585825495d3466780d7bee13b83a77ff9c973444d97c78f11cf6f57d5685c63b72bac03530b1f4ffe62fc66b4fc769f3f7000852529e188c5b98ffd0fbd433c201988783019775710b0ffaae196584ccc0f0e2d4227f7e8094016e6e236e9576fcbf0a9e237e387c3d3d3171dbdd2c00ae57366006dac5b55742", 0x97}, {&(0x7f0000000400)="859dd2bf22305c73bd05446e0d447ceb336d9e826ea7b1fac9d65a2a239387537a1b2f2826b24da55b34dc74545984982295b15bf2ac67f37424166513c556d69b91ad82d6f47c00a1982e3c6966cfcf56b84cc1d3815f3e889f1769619d7e22874b718c3896a5f9d85328ce043e894e9921f59fd0e8afc8dd44e8ec9563287de69a3fca8a464a954b86f6c5197a48f47b885bab4aca1b742c1f96a551c3c510e684f6c521b5df3c58c305a0e0f4e53788a4e6a3d0aaeeafcbe2ee5d2eba186f75d34fe7f3d515106cc6841bba4f11271f810a35d5c01f412734fbf0912fc54546", 0xe1}, {&(0x7f0000000140)="b7ce648a03711de81bf66009b2678454d32475c161591ff4496792ac4643b2062829c6259e991282c5500e0dc4f7aba86324ee80dbf35d40e0a34627dc74c3d3852396", 0x43}, {&(0x7f0000000500)="2c5b5614d0433fe662721bb3b283ced7310784aa41fb94986c4c3b9e71586ed07fc1d3da35041585523b685d8e921c85eca0888b51f5c200fb1392482b617c5b83520e6fd6b4ae6856c2167368569090658f885586b74f0e368d938b69add358e31975e170c12529f05d6653681ae5c295419972a2b3e217530b8727c601802ee6aa8840d31980645a87c54b2dd5467db81c3dad90bb4f3a0f043bd49d4f21da", 0xa0}, {&(0x7f00000005c0)="e9de4ae9e4421fdcd906e1da59e35aef712c315fe5d9635a1f1d53a79f4176dea5e800bc45150777fba7e002f58e13de984de5d0eed93e14085526b6603f4ebab4b759153a3ab20f7b7c643d2af4aa82954ce34087f8432fe72686f54dfe6c3a8ebcacaba935b3b65a45152413352ecac5383ed9b6e3227db9d630bb4a156e38f6861e289446c3839ba54c1e2427c1dd1cbbbba2e744756bc5d14c9760f3f9e405768563618269bb", 0xa8}, {&(0x7f0000000680)="38d685a7e596c350d0de907c746418c38b6c04bae90deda84d00692839fb7fded1e9bdf7deccb80b52d2acc751e3540ab313fefea86842f86c2ed8268de6664ea19898484707635a64f2f1921d6b4506286e4bbc5bc7fb29dd44dadfedeb9d7a940ac6cd14d067c5e528aecc65276e5268d01efcd53766a7b9bb90232d76944a723d45933aa4b5ce85b30b36bd573700a308966f08c3d0d58ab792a9e803b72009a4be6e09d3232c2d64222e88258ce82bc146aff993bd6b644bbcce044e284dbaf13d8f9c00d302261cecec811ae4498741fb51252acfeba65d0ab647f27b378ada3e5ed5caa2cd62db9b6fed4ac043e531a7ed", 0xf4}, {&(0x7f0000000780)="80b24d90a8995a45ad3ff4a0d49c2b2c53f92634088d51ead6956431dcbcb6d903373250ac3027e7e6", 0x29}, {&(0x7f0000000980)="89642a098141ba4da4c7ab54eeae51ab90d114d1ce91a50d1424e075708f9fb4878af95e05f967416b6fb848e2a924eaa7b71ebc12c3bbb5070686c1d6968efdd311e17f4a3813d26e6b569870d277233caf84928ceed6861420ce415314fd12b76f77eb48bf0dc7174bf377157859e8ced30dbd3633df3bd082ea2c7d7d5b25d31c987f201099bcce7d8652d9fa41556658e71e0c106f83fe088f0667410e1c352125c41c503eae17ee21a1d0edfc671c34840190483b2463e829fae73e1555daea72109fd97f9c1fbe9c193198ca29f9138c24b8079d8eaaeb69affd6edadb29835ece6908ab91bf8fbfe03afa3e61db6359d8d8fc2fdaeb62d3670eeaca93fca1f4f5b3b91a54cd660758a331b02bac80eb483116887ed03f6cf77313d61288ad8dd073b6d51a79d9f62c0cd08399988c017ec2667cd1fdafb3ad80b82fccd03d7a6f8cf054382a6c1e494d429a48e6e1fe89cd4ba13c0b69eb356a5a906f02096890e55f9b9dd7f774d9f56713fbba1fb2705777973355feb14219ad10a130d5376822292472593cc8f054ecc817809b17c25c65ea78a9b91b00e6e3c10f6936bfac0335be3be92576e16e375f0bf26d88cd7ed8e162dc8e826c140e328fa2c0ea5386445372e1ba1f2a9df0d4845d9eba489a566c29842276bd22d6563932cc36b9511c29cc16cf7852dabfb48ad5bd40ca33b5c579950eb70d9a2c38cdfedc375cfef5e81c5c05471cee4fe61bb82670df9b10c4d09cc0e13fe37e6f0e007723b8ab0db1f86b1b00b0dda4bac32574d60d83c1467db4d31ea36c01715835c4b95478e99b845e4e9a8a42e5ea0b8886167da6bf400168515305e509b624ad11ea80cb87984603b7bedae3bb05204117da36218a6cafc2b76de469941b9a86b47eb76abfb903a30d4793eb3d97b7594e92492cddde2c78dffe9e87e2ea9c28611a62fa6f3758e400528bd35e06fdbeeec94b9bdabbd25cb867caf66b4a167b6a58d08c8c9ff8aed00697e46ef60063af7e2187667f24f5cce79da7f915a8a0f61ddb5833133aa60b754fb8632bbc911aea43c9c1a027d4a6d6df93e8dceaabfb815d1a7264dc67b6b088fa9694550283dec8a53a194c0486002f5b04a5c0052b3610b91bade38f38d913d7aea769218d9bdbbf489b5ce4d5cafe1eb780e446834340152e52060d73b3599eaa634dbc8f9d9250a8c386e731b6a8740c78e6ad7c7cca37c1140e676faaf736953463a4985a1c97540569856faf31edb9ce8ececee74eedf7a4e589b8e479b5ec2db4268733411ee691b6b356bbc84c1b0968f5d4bd1f398016089896284be1212bd17d27ebe8ad9cab43c2cf36bde563ce0907267eaeaa367793cad0915c310a6704362ddbaf4724bff4f65f121f45f50f26d69a18a14aabd8d860bdbd3b8a6f109643b8b9794143acbdf4c10c5c32797395f350c7ee7988fd894d4b884517f3f4cf5733c90035fbd5406aea23c4962d253616edd7650cf9adfb0724b09e1f3089025ec073d1672644320605f5fbea2ee7da365847edf7e814b12c5c27a4bdd34256a1874d77f5daa8e714c5814d85d778622af3ec9c8739c5208c2f4ea5f85a28310d1d5c18dafb91b0cf49ae8d75a6a435dac8500529484c718486208cd6a87df303a4dc6a0f337558b8a85b517b26456378e0dbac2aba6bef054de1fdad372692ef0c5264df7a827e5aec9c0e559846d8e267a8b66f46e2affb80a91978eb840f20e15da03817e63a4b37b4faf14ca4edb9b5e5466f002863023ef3fe5dddad697569e3447f29d851b75e5c441e740c39f75e1bb3e9799b91be464ddfba39773183bc9c63c9355b5942b4157eb0610a6f3aaf04558cd5f48310718207328c2e88e5950f5ecb8b1da2c8eec2579735d929f97b9ccc047a60eb3d7b55ad5f16eb78f4209c11af9810e858023bbb8d9abdee5223e468ea5ab7109ec54d7ce4192c7be508bc91d7a185c9a68c5eaaa99d1b2e5c432d163387de21e9a85c863b1d0fc6c376a30f4dc4a531474e843e44568cc47746e5f299613982cc6c02fafcdf7401f316722c54ee415321bbf6550a261ed30e6bd68925f389e9ee04e3d2a38afbeb703c843f0a75af681faab297d2477952dd082f4a97ddfd70f230b16ae71e01cb75edf6032d00b6dbbabd0640196645a23e33891dc5953171e8e0aa3d664a458960e346c95095bd5e60f403334389427e58026b479a41c92629d41047881866409d155f4c7a4ccaebe32290c7fd42b30523fd365a0aa4647e60852a4cc7a7cb1de2b2f5dd0fb13755ad49d78727d3abdfc9bc0f1699ac215d33e04852af816a15211b231a64bf9a22fac18ae3a90a504369bc6dc88a849d8cee562a7dda32a079eecf14943c78b9e426dfa447b523f7451f0a649bf86276d18d6ff3421286ad2e4bc4bedbcd41484e474eba87d174419ef4dfb2f965190ecd837060eeb033582bf16b83b185b7a458329d91597848c0d5b3c141ad8857e634ee3f37883f503b7cf7ba723e7e0d36b6184e812d912c827aab509921bd99f0bb299bbbb4783ff834ae9097689747148b5d84eeffd5ac2227f1099ab60f3244b8de0a0d7c1ec798635fb6a3a45e807b145ddecf01942d061ff6825bce4ca2afcc29d720eda5abac286e0642b583e2f51bddbcca49c0d3e1c37bfe66df56aa42f59bfa2892c19e052f9b661fd84bf5056311495ef9b4b9f1a4c52671b0ef5843aa937cc9bd6fd89335d8781b3954a826657ab0aec2b2b35c99f58a9c190f9d63f7607c8d045da09bec66bc1b1333084bced4c92a80dcd074ff51302da8358451e71394ca9ea1fef026a7b070899bebe3b45ae11a0a8ccb61b46f1f81b73964d88d018f24cd76880e834b57d08f722d882e82737d7cdfcc14b2c3dcac0ca0b88f03221a487d0c052d75901d7dee0ffeec11771ff1c5db961307a0851abd5c2030029041579289d19893637648a52bbf9a636390a2e0c4971a766b8f013a815cf16e440f48b62095f87b0ced8689cf037e6a8a30183a54ea4eea5cf724074ab453defc87f93093065d41a6c2c7b6741308a3e99f2e6b1b031d5d3206adb91a151b2f382291e7111afa8eb92572ebfcba4327cd2444c7ff23ddb6330ed225ddb82686eaa4fc75697ed03f4ceb68abcb46f210403703b4d7097f65a876d2b5bf55667fae1c1cda0247e5961a754b9167cfa74ca89d7774a9f1415ae31479fa0e3877d10b855ff43d2d45508484b4bd2ff348ff6ca5d6d9f06ecd2e8eaff3c9f1e8fe169d76b590038cfa5f7781b7794de906d751dca21af24da422554317e3081dcc6f81d70ea1f833c2047223369f74007963a0229bcfda4aa64c54a523d0fc12f489a29b19e230ff141130dece7f48b81209bcc63cdae3a30fa4cca60e4422bfbfa70545e4907a4d1ffd7bf35fbb4e5e40b162ea87cfddb52d4f4b4178d7e9b9cbe7aef71c4c33b4667d14d5aa0c3a9529790e072425141739f01015f4bf8eac866dfeee11e972ac4c4bbd75c35508d3d40443b5edbd494a414c3db2cabe560e3c8e0b69cac453dc381bcbc84e1eaac5b977c80d15d093f3ebabbd8b253beaab7a3bc8715ae74c3c271ad2fe4dcda3359ef281b94712a899c73bdb209ec35a92eaa97bf9aa347a8c5b33eaa9c327d13cb7d2e0c8f69260788b4c90a42aecfe9fd01a6b1c7b4418e3744bd3c5cdb2ceecd227519be29b6d59e73123f4db6f034d8d7af3c4ef1257e9cdf2a3253496fe854176fc2018f8ae44b1d7eddcea6e37d7bc3424054348df1019a0c149941e430fd037c7f70abf268d55bf8295b0bbdc7f61d1f3b97d11a0754991c594e6a497841c2f7851d7e0e44d2ad10c15102c682b036e8857bd45bb0d9346dd979ec3c30c17109d162865d4c097a843e17d0e0a5bb1d08c3ce581c3a78ce80e05693ed25eb2262d39d4e5c8703a6b2279816833c6f5f19a59f527ea8d81a5d0307622f52dd2475f0d385a0b2af35b28a5242b85cabc89977e2fb19079d9132643cb690a4da32ae07fae823df9f204a9bd5f827c37bb65effca2f9d9460fa5c1db3692bca5eb79b8e39024365a3d58604cc0dbeb46bdddacb0901fc8b2a96cb6d8b20a624c4cfa20ca9de08025185ba297ee267efc9bdeecb1b01b84a9a42959a55637573daf0e10c71f359684336ee3d92d9d3b0f7e520ed59803f2e992c7e3b83425bc55e301f38e89585b47c19e37e965e3b78b0dbfca913308dff85e5bafdb9458e57b35bf34c431a0e8cab25fececdbc18282b31d5681a6a2b3f3bd129ba39dcc6c4b0d14bb140cc237f1f6d82987dc52f79e46611d498607992eed4f40cd85bcfe5d3f03f8bf7f0a3e247e92bac4ef05cf7b9bd13671f6ab075775b1d1ecfb2cfe59ceff3e853c79fbd2c517c6f002217846dbaf93aa44015f7615bdccf8db094836af847304cd35ecc4f2cc31e716203d36e1b4eb12cbdd615e740f57ae19631089393f97f3c239b990ee858d549b0c9d4cf5c8f3cafe176cdc59020565bec06235cf7ca6e34411930ff635ce839254d628581b2a8c0c38190bd00633b08cfc890e36d0eef070065cda1bb6bcbe27387249d0d6c5e2a0e142293a65c36b7f6368f8020ae0e289e24d91d04c389a4acb30a1af5ac5780d11b1016a74a9810a1ed053b97a146041cd3008b23fa74c5f7a4ccd1c00ce3825ac388083bc6c102c73d614cdbeb2f42a6a55c400fa6451faeee801ccc75ab6043a17d26b5b2a5988b211e68c38e75fd7ca6c9effb9934efa0688b02a5b3b2306ff2088bbd41c302fd4802a6d08e968900d719ae137364e610fd03d274ade682bb8c36e69c2fca80a0b4e0f7e40c1246dd70754b99db57bd99f2ecc12d0bec6a553b292a414c859bea5594176d648a24d3b115fe003c064e83af81e9bbf7948dc1d57a3b5b71104164efac2a110ffbbb0439356633052f48c784346ece3817f1039b80647d18e6ec98984bf44f0a062c321065a84ddfcb292fe6004d7efbc91fe0d8cf1bb2af18ed2a109dfb0c022e4aea395e4704e4dd71e452e4fa5c850ad6333b6c3d096f8dc721bd02fce0f8f579181f4fa1ebaa5d1f3e4ffe4d4984fe5fd0a63b31fb0d5f9aadf691dc1018c8c57ed05c9315748051a0a35c504e3ba8e028abe29b09a5c311a675195c5e56f48e63df11760e45cf8822772c78b8a526f702a3c5fe92204bc0a5f6c0f4020095d726add42012487ecadd987eae0b4b2b8cf742e7d068a8ab0a7d8f9fccb5056fa3fa12678a96a04ca7b36ec35f00a818ca3adb1261cacfb9b6e3070a8a20ec4467ec9e24a6fe69e27255385db768c23ca9911a10866bade6c589d017c8683d744b8c9c9a68bd4262a7b66d57a8738bb9f7a2ffd5f5d8a43ba73f53330807dd200a2921d822789ae83e2a8ca62fadb4c2e1dc7ae65eba3ffd9d3a754651f94b9c1b3c00ed1798c541f15e465a00693f23039d3aa2e5fe22624345bdd01eeb57bd8c74a9b34ff574a1fc4da8119788679999d09ee703ddbd95224eb5def3f1843fb5b3292706957e7bbab66356e95931d95f51fbe74d3cdf4886c593c40853d7f7ddac5ee3c594e73feaaf36139d69bd60d978a3c489e2b7e0f9ebec01422c81489823b122d3699d985b62f89235807745cfa6029e14cc59b339ffc615a3dd97212991547935e53fb5daa3e6e98f28077f0ff42374b0c6c8ea8337463031c37b090a1a1665aa61b36b70c8669144d44497c976a5b6ebb542de4d0d5a74c51cfda08db8b8ede621def2bf56b13cfeff9c6af1efa35d239388ec4d1dc6b6b72f996fd72b01d12963d", 0x1000}, {&(0x7f00000007c0)="16ee4048a013c9fa6bc755a208fa1da89aa3a990a7f6b551402e2f0b5c95b822955fb4f0ab4679e6543b575ff0e61cc1ceba31d99a6b283c33ee5ebe8bb2f798523a03b890c5a72f12f66306613459d67b96", 0x52}, {&(0x7f0000000840)}], 0xa, &(0x7f0000001980)=[@dontfrag={{0x14, 0x29, 0x3e, 0xffffffc0}}, @rthdrdstopts={{0x48, 0x29, 0x37, {0x87, 0x6, '\x00', [@enc_lim={0x4, 0x1, 0x1}, @calipso={0x7, 0x20, {0x3, 0x6, 0x5, 0x8, [0xfff, 0x9, 0x2]}}, @padn={0x1, 0x5, [0x0, 0x0, 0x0, 0x0, 0x0]}, @ra={0x5, 0x2, 0x9}]}}}], 0x60}}], 0x1, 0x24000084)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x28011, r1, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder1\x00', 0x800, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000940)={0x54, 0x0, &(0x7f00000002c0)=[@increfs={0x40046304, 0x3}, @decrefs={0x40046307, 0x1}, @transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000080)={@ptr={0x70742a85, 0x0, &(0x7f00000001c0)=""/202, 0xca, 0x2, 0x11}, @fda={0x66646185, 0x3, 0x0, 0x25}, @fd}, &(0x7f0000000000)={0x0, 0x28, 0x48}}}], 0x0, 0x0, 0x0})
executing program 1:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)
executing program 2:
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"})
r0 = socket(0x10, 0x3, 0x0)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0})
r1 = socket$nl_audit(0x10, 0x3, 0x9)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil)
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0) (async)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"}) (async)
socket(0x10, 0x3, 0x0) (async)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0}) (async)
socket$nl_audit(0x10, 0x3, 0x9) (async)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40) (async)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) (async)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil) (async)
executing program 32:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)
executing program 33:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})
executing program 2:
r0 = socket(0x10, 0x80000, 0x6)
write(r0, &(0x7f0000000100)="240000001e005f0214ffffffffff03000000000000000000000008000800090020000000", 0x24)
r1 = syz_open_dev$loop(&(0x7f0000000240), 0x3e, 0x6542)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
setsockopt$inet6_tcp_int(r2, 0x6, 0x22, &(0x7f0000000040)=0x9, 0x4)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/power/pm_debug_messages', 0x0, 0x80)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000080)={r3, 0x0, {0x0, 0x0, 0x0, 0x6, 0x4000000000000ffd, 0x0, 0x0, 0x1e, 0xc, "faf98317e5a1149989fc8dbe43ea6acc96e3a2503dc3bd3fe37d58128bbad0099cebdc25f5ab60c9e6d680f985881a7beda9d69098c8b534464c516bdd8a0f35", "32d8cc26f7061a74df2cfc06c89f3d9e234b30c50997d3bef409ff2176ff7bfe55cd4a5d83cd4a524bd3ffe70c7f3f800b2f7b6aa54cc50a1fcaed1e831fa79a", "67523760fd40f78d2cfc03d81a8ca55ba139c01802c4dae4162e43ac61b7ad33", [0x2, 0x7]}})
ioctl$LOOP_SET_STATUS(r1, 0x4c02, &(0x7f0000000280)={0x0, {}, 0x0, {}, 0x800, 0x5, 0x13, 0x4, "37b4d3e0a295c063efbca67058155dae4d051016e2658b6321b6b95afbcccce8383326b28e3bb521f92c100b407eb12bcf8194cd73c1508ac9b61a086cd48fa5", "4f1f59a6a6c31fa7f80111c2fbf28fa76a849280ba805279b0ded705630b65a2", [0x1]})
executing program 34:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x800, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x1381, 0x3})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x8, 0x0, &(0x7f0000000080)=[@acquire], 0x0, 0x0, 0x0})
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000001c0), 0x82802, 0x0)
ioctl$TIOCSETD(r1, 0x5423, &(0x7f00000000c0)=0xf)
syz_usb_connect$hid(0x6, 0x0, 0x0, 0x0)
rename(&(0x7f0000000080)='./cgroup\x00', &(0x7f00000000c0)='./cgroup/file0\x00') (async)
rename(&(0x7f0000000080)='./cgroup\x00', &(0x7f00000000c0)='./cgroup/file0\x00')
ioctl$TCFLSH(r1, 0x400455c8, 0x1)
close_range(r0, 0xffffffffffffffff, 0x0) (async)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, 0x0)
add_key$fscrypt_v1(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r2 = socket(0xa, 0x3, 0x87)
socket$inet6_tcp(0xa, 0x1, 0x0)
eventfd2(0x6, 0x800)
socket$nl_xfrm(0x10, 0x3, 0x6)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, 0x0)
r4 = getpgrp(0x0)
ioprio_set$pid(0x1, r4, 0x6000)
ioctl$sock_inet6_SIOCSIFADDR(r2, 0x8916, &(0x7f0000000000)={@ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x32}}, 0x18})
ioctl$sock_inet6_tcp_SIOCINQ(0xffffffffffffffff, 0x8936, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000100))
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r6 = dup3(r5, r1, 0x0)
r7 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000004a80)={0x73622a85, 0x100, 0x1})
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f00000001c0)={0xa0, 0x0, &(0x7f0000000500)=[@acquire, @increfs={0x40046304, 0x1}, @reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000200)={@flat=@handle={0x73682a85, 0xb, 0x1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x16}, @fd={0x66642a85, 0x0, r1}}, &(0x7f0000000280)={0x0, 0x18, 0x40}}}, @transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x20, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000440)={@fda={0x66646185, 0x0, 0x2, 0x14}, @fd={0x66642a85, 0x0, r0}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x3a}}, &(0x7f00000004c0)={0x0, 0x20, 0x38}}, 0x40}], 0x0, 0x0, 0x0})
socket$packet(0x11, 0x2, 0x300)
executing program 2:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)
executing program 35:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)

program crashed: WARNING in shmem_rmdir
bisect: bisecting 28 programs
bisect: split chunks (needed=false): <28>
bisect: split chunk #0 of len 28 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=6m4s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 30, 9, 18, 18, 30, 5, 7, 16, 5, 30, 8, 7, 3, 9, 22, 18, 18]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/custom0\x00', 0x1003, 0x0)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
close(r1)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @multicast1}, 0x2}}, 0x2e)
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000002700))
r2 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000840)=ANY=[@ANYBLOB="1201000000000040f30455070000000000010902240001000040b109040000010300010009210101000122050009050003ff030c0000ebbac564734796af53f8a5fcbfe39cd1c81963ccf220498f4b260ef6453e08b2e31f03f1f8612ec32fabea6d6d70"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000340)={0x2c, &(0x7f0000000040)=ANY=[], 0x0, 0x0, 0x0, 0x0}, 0x0)
r3 = syz_open_dev$hidraw(&(0x7f0000000240), 0x10007f, 0x10100)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f00000003c0), r4)
sendmsg$ETHTOOL_MSG_TSINFO_GET(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000500)=ANY=[@ANYBLOB="edfa5358e1cb95f584dedf9479e1337d7c", @ANYBLOB="c5153284fbedf3cf903a41a14adf070731125250c271a679984b55ee432d58", @ANYBLOB="010028bd7000fcdbdf25190000002000018008000300060000001400020076657468315f6d616376746170000000", @ANYRES16=r0, @ANYRES16=r1], 0x34}, 0x1, 0x0, 0x0, 0x20008810}, 0x91)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r3, 0x81f8943c, 0x0)
r5 = socket$inet(0xa, 0x801, 0x6)
r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
ioctl$KVM_GET_PIT(0xffffffffffffffff, 0xc048ae65, &(0x7f0000000280))
accept4(r5, 0x0, 0x0, 0x0)
r8 = pidfd_getfd(0xffffffffffffffff, r0, 0x0)
write$P9_RXATTRCREATE(r8, &(0x7f0000000100)={0x7, 0x21, 0x1}, 0x7)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x138a, 0x1000000003})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
r9 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r9, &(0x7f0000000440)=@name={0x1e, 0x2, 0x2, {{}, 0x2}}, 0x6f)
bind$tipc(r9, &(0x7f0000000080)=@nameseq={0x1e, 0x1, 0x1, {0x41, 0x1, 0xfffffffd}}, 0x10)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
socket(0x840000000002, 0x3, 0xff)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)
executing program 3:
mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x1, 0x40010, 0xffffffffffffffff, 0x0) (async)
r0 = socket$netlink(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0xc, &(0x7f00000000c0)=0x8004, 0x4) (async)
sendmsg$netlink(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)=[{&(0x7f0000000100)={0x18, 0x56, 0x601, 0x0, 0x0, "", [@typed={0x7, 0x0, 0x0, 0x0, @str='\x00\x00\x00'}]}, 0x18}], 0x1, 0x0, 0x0, 0xea}, 0x0) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000200)='fdinfo/3\x00')
read$FUSE(r2, &(0x7f0000000a40)={0x2020}, 0xc7) (async)
ioctl$SIOCSIFHWADDR(r2, 0x8924, &(0x7f0000000000)={'rose0\x00', @local}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000fc0)=[@reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
executing program 0:
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
write$uinput_user_dev(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
mremap(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x3000, 0x0, &(0x7f0000ffd000/0x3000)=nil)
madvise(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x16)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x5}, 0x1c)
setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0)
write(r0, 0x0, 0x0)
r1 = dup(r0)
ioctl$MON_IOCX_GET(r1, 0x40189206, &(0x7f0000000240)={&(0x7f0000000140), &(0x7f0000000180)=""/188, 0xbc})
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='devices.list\x00', 0x275a, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f0000000740)={0x30, 0x5, 0x0, {0x0, 0x2, 0x0, 0x84ae}}, 0x30)
r3 = syz_open_procfs(0x0, &(0x7f0000000040)='fd\x00')
fchdir(r3)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r2, 0x0)
open(&(0x7f0000000000)='./bus\x00', 0x80001, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_FREEZE(r4, 0x400c620e, &(0x7f0000000100)={0x0, 0x1, 0x800})
executing program 3:
r0 = eventfd(0x7e)
write$eventfd(r0, &(0x7f0000000040)=0x5, 0x8)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='cpuacct.usage_percpu_user\x00', 0x275a, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_dev$usbfs(&(0x7f0000000300), 0xb, 0x101301)
ioctl$USBDEVFS_IOCTL(r2, 0xc0105512, &(0x7f0000000200))
ioctl$USBDEVFS_IOCTL(r2, 0x80045505, &(0x7f0000000040)=@usbdevfs_connect)
r3 = fsopen(&(0x7f0000000040)='proc\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r3, 0x6, 0x0, 0x0, 0x0)
fsmount(r3, 0x0, 0x0)
fsconfig$FSCONFIG_CMD_RECONFIGURE(r3, 0x7, 0x0, 0x0, 0x0)
vmsplice(0xffffffffffffffff, &(0x7f00000000c0), 0x0, 0x1)
ioctl$LOOP_SET_STATUS(0xffffffffffffffff, 0x4c02, 0x0)
ioctl$USBDEVFS_RESETEP(r2, 0x80045503, &(0x7f0000000080)={0x7})
sendmmsg$inet6(r1, &(0x7f0000001a00)=[{{0x0, 0x0, &(0x7f0000000880)=[{&(0x7f0000000340)="04f360710f55c24abb24327a6e6ed0f4e530cccaec1dd6d3b7dc2038c5585825495d3466780d7bee13b83a77ff9c973444d97c78f11cf6f57d5685c63b72bac03530b1f4ffe62fc66b4fc769f3f7000852529e188c5b98ffd0fbd433c201988783019775710b0ffaae196584ccc0f0e2d4227f7e8094016e6e236e9576fcbf0a9e237e387c3d3d3171dbdd2c00ae57366006dac5b55742", 0x97}, {&(0x7f0000000400)="859dd2bf22305c73bd05446e0d447ceb336d9e826ea7b1fac9d65a2a239387537a1b2f2826b24da55b34dc74545984982295b15bf2ac67f37424166513c556d69b91ad82d6f47c00a1982e3c6966cfcf56b84cc1d3815f3e889f1769619d7e22874b718c3896a5f9d85328ce043e894e9921f59fd0e8afc8dd44e8ec9563287de69a3fca8a464a954b86f6c5197a48f47b885bab4aca1b742c1f96a551c3c510e684f6c521b5df3c58c305a0e0f4e53788a4e6a3d0aaeeafcbe2ee5d2eba186f75d34fe7f3d515106cc6841bba4f11271f810a35d5c01f412734fbf0912fc54546", 0xe1}, {&(0x7f0000000140)="b7ce648a03711de81bf66009b2678454d32475c161591ff4496792ac4643b2062829c6259e991282c5500e0dc4f7aba86324ee80dbf35d40e0a34627dc74c3d3852396", 0x43}, {&(0x7f0000000500)="2c5b5614d0433fe662721bb3b283ced7310784aa41fb94986c4c3b9e71586ed07fc1d3da35041585523b685d8e921c85eca0888b51f5c200fb1392482b617c5b83520e6fd6b4ae6856c2167368569090658f885586b74f0e368d938b69add358e31975e170c12529f05d6653681ae5c295419972a2b3e217530b8727c601802ee6aa8840d31980645a87c54b2dd5467db81c3dad90bb4f3a0f043bd49d4f21da", 0xa0}, {&(0x7f00000005c0)="e9de4ae9e4421fdcd906e1da59e35aef712c315fe5d9635a1f1d53a79f4176dea5e800bc45150777fba7e002f58e13de984de5d0eed93e14085526b6603f4ebab4b759153a3ab20f7b7c643d2af4aa82954ce34087f8432fe72686f54dfe6c3a8ebcacaba935b3b65a45152413352ecac5383ed9b6e3227db9d630bb4a156e38f6861e289446c3839ba54c1e2427c1dd1cbbbba2e744756bc5d14c9760f3f9e405768563618269bb", 0xa8}, {&(0x7f0000000680)="38d685a7e596c350d0de907c746418c38b6c04bae90deda84d00692839fb7fded1e9bdf7deccb80b52d2acc751e3540ab313fefea86842f86c2ed8268de6664ea19898484707635a64f2f1921d6b4506286e4bbc5bc7fb29dd44dadfedeb9d7a940ac6cd14d067c5e528aecc65276e5268d01efcd53766a7b9bb90232d76944a723d45933aa4b5ce85b30b36bd573700a308966f08c3d0d58ab792a9e803b72009a4be6e09d3232c2d64222e88258ce82bc146aff993bd6b644bbcce044e284dbaf13d8f9c00d302261cecec811ae4498741fb51252acfeba65d0ab647f27b378ada3e5ed5caa2cd62db9b6fed4ac043e531a7ed", 0xf4}, {&(0x7f0000000780)="80b24d90a8995a45ad3ff4a0d49c2b2c53f92634088d51ead6956431dcbcb6d903373250ac3027e7e6", 0x29}, {&(0x7f0000000980)="89642a098141ba4da4c7ab54eeae51ab90d114d1ce91a50d1424e075708f9fb4878af95e05f967416b6fb848e2a924eaa7b71ebc12c3bbb5070686c1d6968efdd311e17f4a3813d26e6b569870d277233caf84928ceed6861420ce415314fd12b76f77eb48bf0dc7174bf377157859e8ced30dbd3633df3bd082ea2c7d7d5b25d31c987f201099bcce7d8652d9fa41556658e71e0c106f83fe088f0667410e1c352125c41c503eae17ee21a1d0edfc671c34840190483b2463e829fae73e1555daea72109fd97f9c1fbe9c193198ca29f9138c24b8079d8eaaeb69affd6edadb29835ece6908ab91bf8fbfe03afa3e61db6359d8d8fc2fdaeb62d3670eeaca93fca1f4f5b3b91a54cd660758a331b02bac80eb483116887ed03f6cf77313d61288ad8dd073b6d51a79d9f62c0cd08399988c017ec2667cd1fdafb3ad80b82fccd03d7a6f8cf054382a6c1e494d429a48e6e1fe89cd4ba13c0b69eb356a5a906f02096890e55f9b9dd7f774d9f56713fbba1fb2705777973355feb14219ad10a130d5376822292472593cc8f054ecc817809b17c25c65ea78a9b91b00e6e3c10f6936bfac0335be3be92576e16e375f0bf26d88cd7ed8e162dc8e826c140e328fa2c0ea5386445372e1ba1f2a9df0d4845d9eba489a566c29842276bd22d6563932cc36b9511c29cc16cf7852dabfb48ad5bd40ca33b5c579950eb70d9a2c38cdfedc375cfef5e81c5c05471cee4fe61bb82670df9b10c4d09cc0e13fe37e6f0e007723b8ab0db1f86b1b00b0dda4bac32574d60d83c1467db4d31ea36c01715835c4b95478e99b845e4e9a8a42e5ea0b8886167da6bf400168515305e509b624ad11ea80cb87984603b7bedae3bb05204117da36218a6cafc2b76de469941b9a86b47eb76abfb903a30d4793eb3d97b7594e92492cddde2c78dffe9e87e2ea9c28611a62fa6f3758e400528bd35e06fdbeeec94b9bdabbd25cb867caf66b4a167b6a58d08c8c9ff8aed00697e46ef60063af7e2187667f24f5cce79da7f915a8a0f61ddb5833133aa60b754fb8632bbc911aea43c9c1a027d4a6d6df93e8dceaabfb815d1a7264dc67b6b088fa9694550283dec8a53a194c0486002f5b04a5c0052b3610b91bade38f38d913d7aea769218d9bdbbf489b5ce4d5cafe1eb780e446834340152e52060d73b3599eaa634dbc8f9d9250a8c386e731b6a8740c78e6ad7c7cca37c1140e676faaf736953463a4985a1c97540569856faf31edb9ce8ececee74eedf7a4e589b8e479b5ec2db4268733411ee691b6b356bbc84c1b0968f5d4bd1f398016089896284be1212bd17d27ebe8ad9cab43c2cf36bde563ce0907267eaeaa367793cad0915c310a6704362ddbaf4724bff4f65f121f45f50f26d69a18a14aabd8d860bdbd3b8a6f109643b8b9794143acbdf4c10c5c32797395f350c7ee7988fd894d4b884517f3f4cf5733c90035fbd5406aea23c4962d253616edd7650cf9adfb0724b09e1f3089025ec073d1672644320605f5fbea2ee7da365847edf7e814b12c5c27a4bdd34256a1874d77f5daa8e714c5814d85d778622af3ec9c8739c5208c2f4ea5f85a28310d1d5c18dafb91b0cf49ae8d75a6a435dac8500529484c718486208cd6a87df303a4dc6a0f337558b8a85b517b26456378e0dbac2aba6bef054de1fdad372692ef0c5264df7a827e5aec9c0e559846d8e267a8b66f46e2affb80a91978eb840f20e15da03817e63a4b37b4faf14ca4edb9b5e5466f002863023ef3fe5dddad697569e3447f29d851b75e5c441e740c39f75e1bb3e9799b91be464ddfba39773183bc9c63c9355b5942b4157eb0610a6f3aaf04558cd5f48310718207328c2e88e5950f5ecb8b1da2c8eec2579735d929f97b9ccc047a60eb3d7b55ad5f16eb78f4209c11af9810e858023bbb8d9abdee5223e468ea5ab7109ec54d7ce4192c7be508bc91d7a185c9a68c5eaaa99d1b2e5c432d163387de21e9a85c863b1d0fc6c376a30f4dc4a531474e843e44568cc47746e5f299613982cc6c02fafcdf7401f316722c54ee415321bbf6550a261ed30e6bd68925f389e9ee04e3d2a38afbeb703c843f0a75af681faab297d2477952dd082f4a97ddfd70f230b16ae71e01cb75edf6032d00b6dbbabd0640196645a23e33891dc5953171e8e0aa3d664a458960e346c95095bd5e60f403334389427e58026b479a41c92629d41047881866409d155f4c7a4ccaebe32290c7fd42b30523fd365a0aa4647e60852a4cc7a7cb1de2b2f5dd0fb13755ad49d78727d3abdfc9bc0f1699ac215d33e04852af816a15211b231a64bf9a22fac18ae3a90a504369bc6dc88a849d8cee562a7dda32a079eecf14943c78b9e426dfa447b523f7451f0a649bf86276d18d6ff3421286ad2e4bc4bedbcd41484e474eba87d174419ef4dfb2f965190ecd837060eeb033582bf16b83b185b7a458329d91597848c0d5b3c141ad8857e634ee3f37883f503b7cf7ba723e7e0d36b6184e812d912c827aab509921bd99f0bb299bbbb4783ff834ae9097689747148b5d84eeffd5ac2227f1099ab60f3244b8de0a0d7c1ec798635fb6a3a45e807b145ddecf01942d061ff6825bce4ca2afcc29d720eda5abac286e0642b583e2f51bddbcca49c0d3e1c37bfe66df56aa42f59bfa2892c19e052f9b661fd84bf5056311495ef9b4b9f1a4c52671b0ef5843aa937cc9bd6fd89335d8781b3954a826657ab0aec2b2b35c99f58a9c190f9d63f7607c8d045da09bec66bc1b1333084bced4c92a80dcd074ff51302da8358451e71394ca9ea1fef026a7b070899bebe3b45ae11a0a8ccb61b46f1f81b73964d88d018f24cd76880e834b57d08f722d882e82737d7cdfcc14b2c3dcac0ca0b88f03221a487d0c052d75901d7dee0ffeec11771ff1c5db961307a0851abd5c2030029041579289d19893637648a52bbf9a636390a2e0c4971a766b8f013a815cf16e440f48b62095f87b0ced8689cf037e6a8a30183a54ea4eea5cf724074ab453defc87f93093065d41a6c2c7b6741308a3e99f2e6b1b031d5d3206adb91a151b2f382291e7111afa8eb92572ebfcba4327cd2444c7ff23ddb6330ed225ddb82686eaa4fc75697ed03f4ceb68abcb46f210403703b4d7097f65a876d2b5bf55667fae1c1cda0247e5961a754b9167cfa74ca89d7774a9f1415ae31479fa0e3877d10b855ff43d2d45508484b4bd2ff348ff6ca5d6d9f06ecd2e8eaff3c9f1e8fe169d76b590038cfa5f7781b7794de906d751dca21af24da422554317e3081dcc6f81d70ea1f833c2047223369f74007963a0229bcfda4aa64c54a523d0fc12f489a29b19e230ff141130dece7f48b81209bcc63cdae3a30fa4cca60e4422bfbfa70545e4907a4d1ffd7bf35fbb4e5e40b162ea87cfddb52d4f4b4178d7e9b9cbe7aef71c4c33b4667d14d5aa0c3a9529790e072425141739f01015f4bf8eac866dfeee11e972ac4c4bbd75c35508d3d40443b5edbd494a414c3db2cabe560e3c8e0b69cac453dc381bcbc84e1eaac5b977c80d15d093f3ebabbd8b253beaab7a3bc8715ae74c3c271ad2fe4dcda3359ef281b94712a899c73bdb209ec35a92eaa97bf9aa347a8c5b33eaa9c327d13cb7d2e0c8f69260788b4c90a42aecfe9fd01a6b1c7b4418e3744bd3c5cdb2ceecd227519be29b6d59e73123f4db6f034d8d7af3c4ef1257e9cdf2a3253496fe854176fc2018f8ae44b1d7eddcea6e37d7bc3424054348df1019a0c149941e430fd037c7f70abf268d55bf8295b0bbdc7f61d1f3b97d11a0754991c594e6a497841c2f7851d7e0e44d2ad10c15102c682b036e8857bd45bb0d9346dd979ec3c30c17109d162865d4c097a843e17d0e0a5bb1d08c3ce581c3a78ce80e05693ed25eb2262d39d4e5c8703a6b2279816833c6f5f19a59f527ea8d81a5d0307622f52dd2475f0d385a0b2af35b28a5242b85cabc89977e2fb19079d9132643cb690a4da32ae07fae823df9f204a9bd5f827c37bb65effca2f9d9460fa5c1db3692bca5eb79b8e39024365a3d58604cc0dbeb46bdddacb0901fc8b2a96cb6d8b20a624c4cfa20ca9de08025185ba297ee267efc9bdeecb1b01b84a9a42959a55637573daf0e10c71f359684336ee3d92d9d3b0f7e520ed59803f2e992c7e3b83425bc55e301f38e89585b47c19e37e965e3b78b0dbfca913308dff85e5bafdb9458e57b35bf34c431a0e8cab25fececdbc18282b31d5681a6a2b3f3bd129ba39dcc6c4b0d14bb140cc237f1f6d82987dc52f79e46611d498607992eed4f40cd85bcfe5d3f03f8bf7f0a3e247e92bac4ef05cf7b9bd13671f6ab075775b1d1ecfb2cfe59ceff3e853c79fbd2c517c6f002217846dbaf93aa44015f7615bdccf8db094836af847304cd35ecc4f2cc31e716203d36e1b4eb12cbdd615e740f57ae19631089393f97f3c239b990ee858d549b0c9d4cf5c8f3cafe176cdc59020565bec06235cf7ca6e34411930ff635ce839254d628581b2a8c0c38190bd00633b08cfc890e36d0eef070065cda1bb6bcbe27387249d0d6c5e2a0e142293a65c36b7f6368f8020ae0e289e24d91d04c389a4acb30a1af5ac5780d11b1016a74a9810a1ed053b97a146041cd3008b23fa74c5f7a4ccd1c00ce3825ac388083bc6c102c73d614cdbeb2f42a6a55c400fa6451faeee801ccc75ab6043a17d26b5b2a5988b211e68c38e75fd7ca6c9effb9934efa0688b02a5b3b2306ff2088bbd41c302fd4802a6d08e968900d719ae137364e610fd03d274ade682bb8c36e69c2fca80a0b4e0f7e40c1246dd70754b99db57bd99f2ecc12d0bec6a553b292a414c859bea5594176d648a24d3b115fe003c064e83af81e9bbf7948dc1d57a3b5b71104164efac2a110ffbbb0439356633052f48c784346ece3817f1039b80647d18e6ec98984bf44f0a062c321065a84ddfcb292fe6004d7efbc91fe0d8cf1bb2af18ed2a109dfb0c022e4aea395e4704e4dd71e452e4fa5c850ad6333b6c3d096f8dc721bd02fce0f8f579181f4fa1ebaa5d1f3e4ffe4d4984fe5fd0a63b31fb0d5f9aadf691dc1018c8c57ed05c9315748051a0a35c504e3ba8e028abe29b09a5c311a675195c5e56f48e63df11760e45cf8822772c78b8a526f702a3c5fe92204bc0a5f6c0f4020095d726add42012487ecadd987eae0b4b2b8cf742e7d068a8ab0a7d8f9fccb5056fa3fa12678a96a04ca7b36ec35f00a818ca3adb1261cacfb9b6e3070a8a20ec4467ec9e24a6fe69e27255385db768c23ca9911a10866bade6c589d017c8683d744b8c9c9a68bd4262a7b66d57a8738bb9f7a2ffd5f5d8a43ba73f53330807dd200a2921d822789ae83e2a8ca62fadb4c2e1dc7ae65eba3ffd9d3a754651f94b9c1b3c00ed1798c541f15e465a00693f23039d3aa2e5fe22624345bdd01eeb57bd8c74a9b34ff574a1fc4da8119788679999d09ee703ddbd95224eb5def3f1843fb5b3292706957e7bbab66356e95931d95f51fbe74d3cdf4886c593c40853d7f7ddac5ee3c594e73feaaf36139d69bd60d978a3c489e2b7e0f9ebec01422c81489823b122d3699d985b62f89235807745cfa6029e14cc59b339ffc615a3dd97212991547935e53fb5daa3e6e98f28077f0ff42374b0c6c8ea8337463031c37b090a1a1665aa61b36b70c8669144d44497c976a5b6ebb542de4d0d5a74c51cfda08db8b8ede621def2bf56b13cfeff9c6af1efa35d239388ec4d1dc6b6b72f996fd72b01d12963d", 0x1000}, {&(0x7f00000007c0)="16ee4048a013c9fa6bc755a208fa1da89aa3a990a7f6b551402e2f0b5c95b822955fb4f0ab4679e6543b575ff0e61cc1ceba31d99a6b283c33ee5ebe8bb2f798523a03b890c5a72f12f66306613459d67b96", 0x52}, {&(0x7f0000000840)}], 0xa, &(0x7f0000001980)=[@dontfrag={{0x14, 0x29, 0x3e, 0xffffffc0}}, @rthdrdstopts={{0x48, 0x29, 0x37, {0x87, 0x6, '\x00', [@enc_lim={0x4, 0x1, 0x1}, @calipso={0x7, 0x20, {0x3, 0x6, 0x5, 0x8, [0xfff, 0x9, 0x2]}}, @padn={0x1, 0x5, [0x0, 0x0, 0x0, 0x0, 0x0]}, @ra={0x5, 0x2, 0x9}]}}}], 0x60}}], 0x1, 0x24000084)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x28011, r1, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder1\x00', 0x800, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000940)={0x54, 0x0, &(0x7f00000002c0)=[@increfs={0x40046304, 0x3}, @decrefs={0x40046307, 0x1}, @transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000080)={@ptr={0x70742a85, 0x0, &(0x7f00000001c0)=""/202, 0xca, 0x2, 0x11}, @fda={0x66646185, 0x3, 0x0, 0x25}, @fd}, &(0x7f0000000000)={0x0, 0x28, 0x48}}}], 0x0, 0x0, 0x0})
executing program 1:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)
executing program 2:
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"})
r0 = socket(0x10, 0x3, 0x0)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0})
r1 = socket$nl_audit(0x10, 0x3, 0x9)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil)
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0) (async)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"}) (async)
socket(0x10, 0x3, 0x0) (async)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0}) (async)
socket$nl_audit(0x10, 0x3, 0x9) (async)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40) (async)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) (async)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil) (async)
executing program 32:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)
executing program 33:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})
executing program 2:
r0 = socket(0x10, 0x80000, 0x6)
write(r0, &(0x7f0000000100)="240000001e005f0214ffffffffff03000000000000000000000008000800090020000000", 0x24)
r1 = syz_open_dev$loop(&(0x7f0000000240), 0x3e, 0x6542)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
setsockopt$inet6_tcp_int(r2, 0x6, 0x22, &(0x7f0000000040)=0x9, 0x4)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/power/pm_debug_messages', 0x0, 0x80)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000080)={r3, 0x0, {0x0, 0x0, 0x0, 0x6, 0x4000000000000ffd, 0x0, 0x0, 0x1e, 0xc, "faf98317e5a1149989fc8dbe43ea6acc96e3a2503dc3bd3fe37d58128bbad0099cebdc25f5ab60c9e6d680f985881a7beda9d69098c8b534464c516bdd8a0f35", "32d8cc26f7061a74df2cfc06c89f3d9e234b30c50997d3bef409ff2176ff7bfe55cd4a5d83cd4a524bd3ffe70c7f3f800b2f7b6aa54cc50a1fcaed1e831fa79a", "67523760fd40f78d2cfc03d81a8ca55ba139c01802c4dae4162e43ac61b7ad33", [0x2, 0x7]}})
ioctl$LOOP_SET_STATUS(r1, 0x4c02, &(0x7f0000000280)={0x0, {}, 0x0, {}, 0x800, 0x5, 0x13, 0x4, "37b4d3e0a295c063efbca67058155dae4d051016e2658b6321b6b95afbcccce8383326b28e3bb521f92c100b407eb12bcf8194cd73c1508ac9b61a086cd48fa5", "4f1f59a6a6c31fa7f80111c2fbf28fa76a849280ba805279b0ded705630b65a2", [0x1]})
executing program 34:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x800, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x1381, 0x3})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x8, 0x0, &(0x7f0000000080)=[@acquire], 0x0, 0x0, 0x0})
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000001c0), 0x82802, 0x0)
ioctl$TIOCSETD(r1, 0x5423, &(0x7f00000000c0)=0xf)
syz_usb_connect$hid(0x6, 0x0, 0x0, 0x0)
rename(&(0x7f0000000080)='./cgroup\x00', &(0x7f00000000c0)='./cgroup/file0\x00') (async)
rename(&(0x7f0000000080)='./cgroup\x00', &(0x7f00000000c0)='./cgroup/file0\x00')
ioctl$TCFLSH(r1, 0x400455c8, 0x1)
close_range(r0, 0xffffffffffffffff, 0x0) (async)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, 0x0)
add_key$fscrypt_v1(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r2 = socket(0xa, 0x3, 0x87)
socket$inet6_tcp(0xa, 0x1, 0x0)
eventfd2(0x6, 0x800)
socket$nl_xfrm(0x10, 0x3, 0x6)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, 0x0)
r4 = getpgrp(0x0)
ioprio_set$pid(0x1, r4, 0x6000)
ioctl$sock_inet6_SIOCSIFADDR(r2, 0x8916, &(0x7f0000000000)={@ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x32}}, 0x18})
ioctl$sock_inet6_tcp_SIOCINQ(0xffffffffffffffff, 0x8936, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000100))
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r6 = dup3(r5, r1, 0x0)
r7 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000004a80)={0x73622a85, 0x100, 0x1})
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f00000001c0)={0xa0, 0x0, &(0x7f0000000500)=[@acquire, @increfs={0x40046304, 0x1}, @reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000200)={@flat=@handle={0x73682a85, 0xb, 0x1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x16}, @fd={0x66642a85, 0x0, r1}}, &(0x7f0000000280)={0x0, 0x18, 0x40}}}, @transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x20, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000440)={@fda={0x66646185, 0x0, 0x2, 0x14}, @fd={0x66642a85, 0x0, r0}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x3a}}, &(0x7f00000004c0)={0x0, 0x20, 0x38}}, 0x40}], 0x0, 0x0, 0x0})
socket$packet(0x11, 0x2, 0x300)
executing program 2:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)
executing program 35:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)

program crashed: WARNING in shmem_rmdir
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=6m2s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 8, 7, 3, 9, 22, 18, 18]
detailed listing:
executing program 33:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})
executing program 2:
r0 = socket(0x10, 0x80000, 0x6)
write(r0, &(0x7f0000000100)="240000001e005f0214ffffffffff03000000000000000000000008000800090020000000", 0x24)
r1 = syz_open_dev$loop(&(0x7f0000000240), 0x3e, 0x6542)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
setsockopt$inet6_tcp_int(r2, 0x6, 0x22, &(0x7f0000000040)=0x9, 0x4)
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f00000001c0)='/sys/power/pm_debug_messages', 0x0, 0x80)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000080)={r3, 0x0, {0x0, 0x0, 0x0, 0x6, 0x4000000000000ffd, 0x0, 0x0, 0x1e, 0xc, "faf98317e5a1149989fc8dbe43ea6acc96e3a2503dc3bd3fe37d58128bbad0099cebdc25f5ab60c9e6d680f985881a7beda9d69098c8b534464c516bdd8a0f35", "32d8cc26f7061a74df2cfc06c89f3d9e234b30c50997d3bef409ff2176ff7bfe55cd4a5d83cd4a524bd3ffe70c7f3f800b2f7b6aa54cc50a1fcaed1e831fa79a", "67523760fd40f78d2cfc03d81a8ca55ba139c01802c4dae4162e43ac61b7ad33", [0x2, 0x7]}})
ioctl$LOOP_SET_STATUS(r1, 0x4c02, &(0x7f0000000280)={0x0, {}, 0x0, {}, 0x800, 0x5, 0x13, 0x4, "37b4d3e0a295c063efbca67058155dae4d051016e2658b6321b6b95afbcccce8383326b28e3bb521f92c100b407eb12bcf8194cd73c1508ac9b61a086cd48fa5", "4f1f59a6a6c31fa7f80111c2fbf28fa76a849280ba805279b0ded705630b65a2", [0x1]})
executing program 34:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x800, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x1381, 0x3})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x8, 0x0, &(0x7f0000000080)=[@acquire], 0x0, 0x0, 0x0})
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1802, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000001c0), 0x82802, 0x0)
ioctl$TIOCSETD(r1, 0x5423, &(0x7f00000000c0)=0xf)
syz_usb_connect$hid(0x6, 0x0, 0x0, 0x0)
rename(&(0x7f0000000080)='./cgroup\x00', &(0x7f00000000c0)='./cgroup/file0\x00') (async)
rename(&(0x7f0000000080)='./cgroup\x00', &(0x7f00000000c0)='./cgroup/file0\x00')
ioctl$TCFLSH(r1, 0x400455c8, 0x1)
close_range(r0, 0xffffffffffffffff, 0x0) (async)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, 0x0)
add_key$fscrypt_v1(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r2 = socket(0xa, 0x3, 0x87)
socket$inet6_tcp(0xa, 0x1, 0x0)
eventfd2(0x6, 0x800)
socket$nl_xfrm(0x10, 0x3, 0x6)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, 0x0)
r4 = getpgrp(0x0)
ioprio_set$pid(0x1, r4, 0x6000)
ioctl$sock_inet6_SIOCSIFADDR(r2, 0x8916, &(0x7f0000000000)={@ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x32}}, 0x18})
ioctl$sock_inet6_tcp_SIOCINQ(0xffffffffffffffff, 0x8936, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000100))
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r6 = dup3(r5, r1, 0x0)
r7 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000004a80)={0x73622a85, 0x100, 0x1})
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f00000001c0)={0xa0, 0x0, &(0x7f0000000500)=[@acquire, @increfs={0x40046304, 0x1}, @reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000200)={@flat=@handle={0x73682a85, 0xb, 0x1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x16}, @fd={0x66642a85, 0x0, r1}}, &(0x7f0000000280)={0x0, 0x18, 0x40}}}, @transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x20, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000440)={@fda={0x66646185, 0x0, 0x2, 0x14}, @fd={0x66642a85, 0x0, r0}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x3a}}, &(0x7f00000004c0)={0x0, 0x20, 0x38}}, 0x40}], 0x0, 0x0, 0x0})
socket$packet(0x11, 0x2, 0x300)
executing program 2:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)
executing program 35:
unshare(0x62040200) (async)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @dev}, {0x2, 0x0, @empty}, 0x1c0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x9})
r1 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$ASHMEM_SET_SIZE(r1, 0x40087703, 0x40000100000200) (async)
r2 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
lseek(r2, 0x0, 0x2) (async)
ioctl$VHOST_VDPA_GET_VQS_COUNT(r2, 0x8004af80, &(0x7f0000000280))
r3 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
sendto(r0, &(0x7f0000000180)="b8fed7c18d8e727fbba33dd92ab6abb735d66790493f3d30b1697f43f8e9854de581364f9821d269486d650bbc20527014c38e877cd4cbb8fd5a3064dfb6186ce9e952b9f41c1688eabca37d1f", 0x4d, 0x24044080, &(0x7f0000000200)=@nfc_llcp={0x27, 0x0, 0x0, 0x5, 0x0, 0x8, "21865b629e1b9a97e49a4fdd8ab7a47ba0a8274722bb48e80adf7495be6ff5080259a7be369e09e2d31eeafd5690ea73dc4f25ab42d210eb49e6c789f6210d", 0x2b}, 0x80) (async)
mmap(&(0x7f0000215000/0x1000)=nil, 0x1000, 0x0, 0x6011, r3, 0x0) (async)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000040)={0x0, 0x100}, 0x0) (async)
ioctl$TIOCGPTPEER(r4, 0x5441, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TLS_TX(r5, 0x11a, 0x1, &(0x7f0000000100)=@gcm_256={{0x304}, "ff8d4b9ce7be848e", "dfdd86d8a0f4a7df387e88f00cebfc2472ce9f48c1a2761247cd247d6307041b", "be7ea708", "9ea2a49b106de4f4"}, 0x38) (async)
ioctl$ASHMEM_SET_NAME(r1, 0x41007701, &(0x7f0000000000)='!(+.\x00') (async)
mmap(&(0x7f0000018000/0x4000)=nil, 0x4000, 0x0, 0x13, r1, 0x85b83000)

program did not crash
bisect: testing without sub-chunk 3/3
testing program (duration=6m2s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 30, 9, 18, 18, 30, 5, 7, 16, 5]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/custom0\x00', 0x1003, 0x0)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
close(r1)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @multicast1}, 0x2}}, 0x2e)
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000002700))
r2 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000840)=ANY=[@ANYBLOB="1201000000000040f30455070000000000010902240001000040b109040000010300010009210101000122050009050003ff030c0000ebbac564734796af53f8a5fcbfe39cd1c81963ccf220498f4b260ef6453e08b2e31f03f1f8612ec32fabea6d6d70"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000340)={0x2c, &(0x7f0000000040)=ANY=[], 0x0, 0x0, 0x0, 0x0}, 0x0)
r3 = syz_open_dev$hidraw(&(0x7f0000000240), 0x10007f, 0x10100)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f00000003c0), r4)
sendmsg$ETHTOOL_MSG_TSINFO_GET(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000500)=ANY=[@ANYBLOB="edfa5358e1cb95f584dedf9479e1337d7c", @ANYBLOB="c5153284fbedf3cf903a41a14adf070731125250c271a679984b55ee432d58", @ANYBLOB="010028bd7000fcdbdf25190000002000018008000300060000001400020076657468315f6d616376746170000000", @ANYRES16=r0, @ANYRES16=r1], 0x34}, 0x1, 0x0, 0x0, 0x20008810}, 0x91)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r3, 0x81f8943c, 0x0)
r5 = socket$inet(0xa, 0x801, 0x6)
r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
ioctl$KVM_GET_PIT(0xffffffffffffffff, 0xc048ae65, &(0x7f0000000280))
accept4(r5, 0x0, 0x0, 0x0)
r8 = pidfd_getfd(0xffffffffffffffff, r0, 0x0)
write$P9_RXATTRCREATE(r8, &(0x7f0000000100)={0x7, 0x21, 0x1}, 0x7)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x138a, 0x1000000003})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
r9 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r9, &(0x7f0000000440)=@name={0x1e, 0x2, 0x2, {{}, 0x2}}, 0x6f)
bind$tipc(r9, &(0x7f0000000080)=@nameseq={0x1e, 0x1, 0x1, {0x41, 0x1, 0xfffffffd}}, 0x10)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
socket(0x840000000002, 0x3, 0xff)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)
executing program 3:
mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x1, 0x40010, 0xffffffffffffffff, 0x0) (async)
r0 = socket$netlink(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0xc, &(0x7f00000000c0)=0x8004, 0x4) (async)
sendmsg$netlink(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)=[{&(0x7f0000000100)={0x18, 0x56, 0x601, 0x0, 0x0, "", [@typed={0x7, 0x0, 0x0, 0x0, @str='\x00\x00\x00'}]}, 0x18}], 0x1, 0x0, 0x0, 0xea}, 0x0) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000200)='fdinfo/3\x00')
read$FUSE(r2, &(0x7f0000000a40)={0x2020}, 0xc7) (async)
ioctl$SIOCSIFHWADDR(r2, 0x8924, &(0x7f0000000000)={'rose0\x00', @local}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000fc0)=[@reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
executing program 0:
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
write$uinput_user_dev(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
mremap(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x3000, 0x0, &(0x7f0000ffd000/0x3000)=nil)
madvise(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x16)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x5}, 0x1c)
setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0)
write(r0, 0x0, 0x0)
r1 = dup(r0)
ioctl$MON_IOCX_GET(r1, 0x40189206, &(0x7f0000000240)={&(0x7f0000000140), &(0x7f0000000180)=""/188, 0xbc})
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='devices.list\x00', 0x275a, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f0000000740)={0x30, 0x5, 0x0, {0x0, 0x2, 0x0, 0x84ae}}, 0x30)
r3 = syz_open_procfs(0x0, &(0x7f0000000040)='fd\x00')
fchdir(r3)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r2, 0x0)
open(&(0x7f0000000000)='./bus\x00', 0x80001, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_FREEZE(r4, 0x400c620e, &(0x7f0000000100)={0x0, 0x1, 0x800})
executing program 3:
r0 = eventfd(0x7e)
write$eventfd(r0, &(0x7f0000000040)=0x5, 0x8)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='cpuacct.usage_percpu_user\x00', 0x275a, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_dev$usbfs(&(0x7f0000000300), 0xb, 0x101301)
ioctl$USBDEVFS_IOCTL(r2, 0xc0105512, &(0x7f0000000200))
ioctl$USBDEVFS_IOCTL(r2, 0x80045505, &(0x7f0000000040)=@usbdevfs_connect)
r3 = fsopen(&(0x7f0000000040)='proc\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r3, 0x6, 0x0, 0x0, 0x0)
fsmount(r3, 0x0, 0x0)
fsconfig$FSCONFIG_CMD_RECONFIGURE(r3, 0x7, 0x0, 0x0, 0x0)
vmsplice(0xffffffffffffffff, &(0x7f00000000c0), 0x0, 0x1)
ioctl$LOOP_SET_STATUS(0xffffffffffffffff, 0x4c02, 0x0)
ioctl$USBDEVFS_RESETEP(r2, 0x80045503, &(0x7f0000000080)={0x7})
sendmmsg$inet6(r1, &(0x7f0000001a00)=[{{0x0, 0x0, &(0x7f0000000880)=[{&(0x7f0000000340)="04f360710f55c24abb24327a6e6ed0f4e530cccaec1dd6d3b7dc2038c5585825495d3466780d7bee13b83a77ff9c973444d97c78f11cf6f57d5685c63b72bac03530b1f4ffe62fc66b4fc769f3f7000852529e188c5b98ffd0fbd433c201988783019775710b0ffaae196584ccc0f0e2d4227f7e8094016e6e236e9576fcbf0a9e237e387c3d3d3171dbdd2c00ae57366006dac5b55742", 0x97}, {&(0x7f0000000400)="859dd2bf22305c73bd05446e0d447ceb336d9e826ea7b1fac9d65a2a239387537a1b2f2826b24da55b34dc74545984982295b15bf2ac67f37424166513c556d69b91ad82d6f47c00a1982e3c6966cfcf56b84cc1d3815f3e889f1769619d7e22874b718c3896a5f9d85328ce043e894e9921f59fd0e8afc8dd44e8ec9563287de69a3fca8a464a954b86f6c5197a48f47b885bab4aca1b742c1f96a551c3c510e684f6c521b5df3c58c305a0e0f4e53788a4e6a3d0aaeeafcbe2ee5d2eba186f75d34fe7f3d515106cc6841bba4f11271f810a35d5c01f412734fbf0912fc54546", 0xe1}, {&(0x7f0000000140)="b7ce648a03711de81bf66009b2678454d32475c161591ff4496792ac4643b2062829c6259e991282c5500e0dc4f7aba86324ee80dbf35d40e0a34627dc74c3d3852396", 0x43}, {&(0x7f0000000500)="2c5b5614d0433fe662721bb3b283ced7310784aa41fb94986c4c3b9e71586ed07fc1d3da35041585523b685d8e921c85eca0888b51f5c200fb1392482b617c5b83520e6fd6b4ae6856c2167368569090658f885586b74f0e368d938b69add358e31975e170c12529f05d6653681ae5c295419972a2b3e217530b8727c601802ee6aa8840d31980645a87c54b2dd5467db81c3dad90bb4f3a0f043bd49d4f21da", 0xa0}, {&(0x7f00000005c0)="e9de4ae9e4421fdcd906e1da59e35aef712c315fe5d9635a1f1d53a79f4176dea5e800bc45150777fba7e002f58e13de984de5d0eed93e14085526b6603f4ebab4b759153a3ab20f7b7c643d2af4aa82954ce34087f8432fe72686f54dfe6c3a8ebcacaba935b3b65a45152413352ecac5383ed9b6e3227db9d630bb4a156e38f6861e289446c3839ba54c1e2427c1dd1cbbbba2e744756bc5d14c9760f3f9e405768563618269bb", 0xa8}, {&(0x7f0000000680)="38d685a7e596c350d0de907c746418c38b6c04bae90deda84d00692839fb7fded1e9bdf7deccb80b52d2acc751e3540ab313fefea86842f86c2ed8268de6664ea19898484707635a64f2f1921d6b4506286e4bbc5bc7fb29dd44dadfedeb9d7a940ac6cd14d067c5e528aecc65276e5268d01efcd53766a7b9bb90232d76944a723d45933aa4b5ce85b30b36bd573700a308966f08c3d0d58ab792a9e803b72009a4be6e09d3232c2d64222e88258ce82bc146aff993bd6b644bbcce044e284dbaf13d8f9c00d302261cecec811ae4498741fb51252acfeba65d0ab647f27b378ada3e5ed5caa2cd62db9b6fed4ac043e531a7ed", 0xf4}, {&(0x7f0000000780)="80b24d90a8995a45ad3ff4a0d49c2b2c53f92634088d51ead6956431dcbcb6d903373250ac3027e7e6", 0x29}, {&(0x7f0000000980)="89642a098141ba4da4c7ab54eeae51ab90d114d1ce91a50d1424e075708f9fb4878af95e05f967416b6fb848e2a924eaa7b71ebc12c3bbb5070686c1d6968efdd311e17f4a3813d26e6b569870d277233caf84928ceed6861420ce415314fd12b76f77eb48bf0dc7174bf377157859e8ced30dbd3633df3bd082ea2c7d7d5b25d31c987f201099bcce7d8652d9fa41556658e71e0c106f83fe088f0667410e1c352125c41c503eae17ee21a1d0edfc671c34840190483b2463e829fae73e1555daea72109fd97f9c1fbe9c193198ca29f9138c24b8079d8eaaeb69affd6edadb29835ece6908ab91bf8fbfe03afa3e61db6359d8d8fc2fdaeb62d3670eeaca93fca1f4f5b3b91a54cd660758a331b02bac80eb483116887ed03f6cf77313d61288ad8dd073b6d51a79d9f62c0cd08399988c017ec2667cd1fdafb3ad80b82fccd03d7a6f8cf054382a6c1e494d429a48e6e1fe89cd4ba13c0b69eb356a5a906f02096890e55f9b9dd7f774d9f56713fbba1fb2705777973355feb14219ad10a130d5376822292472593cc8f054ecc817809b17c25c65ea78a9b91b00e6e3c10f6936bfac0335be3be92576e16e375f0bf26d88cd7ed8e162dc8e826c140e328fa2c0ea5386445372e1ba1f2a9df0d4845d9eba489a566c29842276bd22d6563932cc36b9511c29cc16cf7852dabfb48ad5bd40ca33b5c579950eb70d9a2c38cdfedc375cfef5e81c5c05471cee4fe61bb82670df9b10c4d09cc0e13fe37e6f0e007723b8ab0db1f86b1b00b0dda4bac32574d60d83c1467db4d31ea36c01715835c4b95478e99b845e4e9a8a42e5ea0b8886167da6bf400168515305e509b624ad11ea80cb87984603b7bedae3bb05204117da36218a6cafc2b76de469941b9a86b47eb76abfb903a30d4793eb3d97b7594e92492cddde2c78dffe9e87e2ea9c28611a62fa6f3758e400528bd35e06fdbeeec94b9bdabbd25cb867caf66b4a167b6a58d08c8c9ff8aed00697e46ef60063af7e2187667f24f5cce79da7f915a8a0f61ddb5833133aa60b754fb8632bbc911aea43c9c1a027d4a6d6df93e8dceaabfb815d1a7264dc67b6b088fa9694550283dec8a53a194c0486002f5b04a5c0052b3610b91bade38f38d913d7aea769218d9bdbbf489b5ce4d5cafe1eb780e446834340152e52060d73b3599eaa634dbc8f9d9250a8c386e731b6a8740c78e6ad7c7cca37c1140e676faaf736953463a4985a1c97540569856faf31edb9ce8ececee74eedf7a4e589b8e479b5ec2db4268733411ee691b6b356bbc84c1b0968f5d4bd1f398016089896284be1212bd17d27ebe8ad9cab43c2cf36bde563ce0907267eaeaa367793cad0915c310a6704362ddbaf4724bff4f65f121f45f50f26d69a18a14aabd8d860bdbd3b8a6f109643b8b9794143acbdf4c10c5c32797395f350c7ee7988fd894d4b884517f3f4cf5733c90035fbd5406aea23c4962d253616edd7650cf9adfb0724b09e1f3089025ec073d1672644320605f5fbea2ee7da365847edf7e814b12c5c27a4bdd34256a1874d77f5daa8e714c5814d85d778622af3ec9c8739c5208c2f4ea5f85a28310d1d5c18dafb91b0cf49ae8d75a6a435dac8500529484c718486208cd6a87df303a4dc6a0f337558b8a85b517b26456378e0dbac2aba6bef054de1fdad372692ef0c5264df7a827e5aec9c0e559846d8e267a8b66f46e2affb80a91978eb840f20e15da03817e63a4b37b4faf14ca4edb9b5e5466f002863023ef3fe5dddad697569e3447f29d851b75e5c441e740c39f75e1bb3e9799b91be464ddfba39773183bc9c63c9355b5942b4157eb0610a6f3aaf04558cd5f48310718207328c2e88e5950f5ecb8b1da2c8eec2579735d929f97b9ccc047a60eb3d7b55ad5f16eb78f4209c11af9810e858023bbb8d9abdee5223e468ea5ab7109ec54d7ce4192c7be508bc91d7a185c9a68c5eaaa99d1b2e5c432d163387de21e9a85c863b1d0fc6c376a30f4dc4a531474e843e44568cc47746e5f299613982cc6c02fafcdf7401f316722c54ee415321bbf6550a261ed30e6bd68925f389e9ee04e3d2a38afbeb703c843f0a75af681faab297d2477952dd082f4a97ddfd70f230b16ae71e01cb75edf6032d00b6dbbabd0640196645a23e33891dc5953171e8e0aa3d664a458960e346c95095bd5e60f403334389427e58026b479a41c92629d41047881866409d155f4c7a4ccaebe32290c7fd42b30523fd365a0aa4647e60852a4cc7a7cb1de2b2f5dd0fb13755ad49d78727d3abdfc9bc0f1699ac215d33e04852af816a15211b231a64bf9a22fac18ae3a90a504369bc6dc88a849d8cee562a7dda32a079eecf14943c78b9e426dfa447b523f7451f0a649bf86276d18d6ff3421286ad2e4bc4bedbcd41484e474eba87d174419ef4dfb2f965190ecd837060eeb033582bf16b83b185b7a458329d91597848c0d5b3c141ad8857e634ee3f37883f503b7cf7ba723e7e0d36b6184e812d912c827aab509921bd99f0bb299bbbb4783ff834ae9097689747148b5d84eeffd5ac2227f1099ab60f3244b8de0a0d7c1ec798635fb6a3a45e807b145ddecf01942d061ff6825bce4ca2afcc29d720eda5abac286e0642b583e2f51bddbcca49c0d3e1c37bfe66df56aa42f59bfa2892c19e052f9b661fd84bf5056311495ef9b4b9f1a4c52671b0ef5843aa937cc9bd6fd89335d8781b3954a826657ab0aec2b2b35c99f58a9c190f9d63f7607c8d045da09bec66bc1b1333084bced4c92a80dcd074ff51302da8358451e71394ca9ea1fef026a7b070899bebe3b45ae11a0a8ccb61b46f1f81b73964d88d018f24cd76880e834b57d08f722d882e82737d7cdfcc14b2c3dcac0ca0b88f03221a487d0c052d75901d7dee0ffeec11771ff1c5db961307a0851abd5c2030029041579289d19893637648a52bbf9a636390a2e0c4971a766b8f013a815cf16e440f48b62095f87b0ced8689cf037e6a8a30183a54ea4eea5cf724074ab453defc87f93093065d41a6c2c7b6741308a3e99f2e6b1b031d5d3206adb91a151b2f382291e7111afa8eb92572ebfcba4327cd2444c7ff23ddb6330ed225ddb82686eaa4fc75697ed03f4ceb68abcb46f210403703b4d7097f65a876d2b5bf55667fae1c1cda0247e5961a754b9167cfa74ca89d7774a9f1415ae31479fa0e3877d10b855ff43d2d45508484b4bd2ff348ff6ca5d6d9f06ecd2e8eaff3c9f1e8fe169d76b590038cfa5f7781b7794de906d751dca21af24da422554317e3081dcc6f81d70ea1f833c2047223369f74007963a0229bcfda4aa64c54a523d0fc12f489a29b19e230ff141130dece7f48b81209bcc63cdae3a30fa4cca60e4422bfbfa70545e4907a4d1ffd7bf35fbb4e5e40b162ea87cfddb52d4f4b4178d7e9b9cbe7aef71c4c33b4667d14d5aa0c3a9529790e072425141739f01015f4bf8eac866dfeee11e972ac4c4bbd75c35508d3d40443b5edbd494a414c3db2cabe560e3c8e0b69cac453dc381bcbc84e1eaac5b977c80d15d093f3ebabbd8b253beaab7a3bc8715ae74c3c271ad2fe4dcda3359ef281b94712a899c73bdb209ec35a92eaa97bf9aa347a8c5b33eaa9c327d13cb7d2e0c8f69260788b4c90a42aecfe9fd01a6b1c7b4418e3744bd3c5cdb2ceecd227519be29b6d59e73123f4db6f034d8d7af3c4ef1257e9cdf2a3253496fe854176fc2018f8ae44b1d7eddcea6e37d7bc3424054348df1019a0c149941e430fd037c7f70abf268d55bf8295b0bbdc7f61d1f3b97d11a0754991c594e6a497841c2f7851d7e0e44d2ad10c15102c682b036e8857bd45bb0d9346dd979ec3c30c17109d162865d4c097a843e17d0e0a5bb1d08c3ce581c3a78ce80e05693ed25eb2262d39d4e5c8703a6b2279816833c6f5f19a59f527ea8d81a5d0307622f52dd2475f0d385a0b2af35b28a5242b85cabc89977e2fb19079d9132643cb690a4da32ae07fae823df9f204a9bd5f827c37bb65effca2f9d9460fa5c1db3692bca5eb79b8e39024365a3d58604cc0dbeb46bdddacb0901fc8b2a96cb6d8b20a624c4cfa20ca9de08025185ba297ee267efc9bdeecb1b01b84a9a42959a55637573daf0e10c71f359684336ee3d92d9d3b0f7e520ed59803f2e992c7e3b83425bc55e301f38e89585b47c19e37e965e3b78b0dbfca913308dff85e5bafdb9458e57b35bf34c431a0e8cab25fececdbc18282b31d5681a6a2b3f3bd129ba39dcc6c4b0d14bb140cc237f1f6d82987dc52f79e46611d498607992eed4f40cd85bcfe5d3f03f8bf7f0a3e247e92bac4ef05cf7b9bd13671f6ab075775b1d1ecfb2cfe59ceff3e853c79fbd2c517c6f002217846dbaf93aa44015f7615bdccf8db094836af847304cd35ecc4f2cc31e716203d36e1b4eb12cbdd615e740f57ae19631089393f97f3c239b990ee858d549b0c9d4cf5c8f3cafe176cdc59020565bec06235cf7ca6e34411930ff635ce839254d628581b2a8c0c38190bd00633b08cfc890e36d0eef070065cda1bb6bcbe27387249d0d6c5e2a0e142293a65c36b7f6368f8020ae0e289e24d91d04c389a4acb30a1af5ac5780d11b1016a74a9810a1ed053b97a146041cd3008b23fa74c5f7a4ccd1c00ce3825ac388083bc6c102c73d614cdbeb2f42a6a55c400fa6451faeee801ccc75ab6043a17d26b5b2a5988b211e68c38e75fd7ca6c9effb9934efa0688b02a5b3b2306ff2088bbd41c302fd4802a6d08e968900d719ae137364e610fd03d274ade682bb8c36e69c2fca80a0b4e0f7e40c1246dd70754b99db57bd99f2ecc12d0bec6a553b292a414c859bea5594176d648a24d3b115fe003c064e83af81e9bbf7948dc1d57a3b5b71104164efac2a110ffbbb0439356633052f48c784346ece3817f1039b80647d18e6ec98984bf44f0a062c321065a84ddfcb292fe6004d7efbc91fe0d8cf1bb2af18ed2a109dfb0c022e4aea395e4704e4dd71e452e4fa5c850ad6333b6c3d096f8dc721bd02fce0f8f579181f4fa1ebaa5d1f3e4ffe4d4984fe5fd0a63b31fb0d5f9aadf691dc1018c8c57ed05c9315748051a0a35c504e3ba8e028abe29b09a5c311a675195c5e56f48e63df11760e45cf8822772c78b8a526f702a3c5fe92204bc0a5f6c0f4020095d726add42012487ecadd987eae0b4b2b8cf742e7d068a8ab0a7d8f9fccb5056fa3fa12678a96a04ca7b36ec35f00a818ca3adb1261cacfb9b6e3070a8a20ec4467ec9e24a6fe69e27255385db768c23ca9911a10866bade6c589d017c8683d744b8c9c9a68bd4262a7b66d57a8738bb9f7a2ffd5f5d8a43ba73f53330807dd200a2921d822789ae83e2a8ca62fadb4c2e1dc7ae65eba3ffd9d3a754651f94b9c1b3c00ed1798c541f15e465a00693f23039d3aa2e5fe22624345bdd01eeb57bd8c74a9b34ff574a1fc4da8119788679999d09ee703ddbd95224eb5def3f1843fb5b3292706957e7bbab66356e95931d95f51fbe74d3cdf4886c593c40853d7f7ddac5ee3c594e73feaaf36139d69bd60d978a3c489e2b7e0f9ebec01422c81489823b122d3699d985b62f89235807745cfa6029e14cc59b339ffc615a3dd97212991547935e53fb5daa3e6e98f28077f0ff42374b0c6c8ea8337463031c37b090a1a1665aa61b36b70c8669144d44497c976a5b6ebb542de4d0d5a74c51cfda08db8b8ede621def2bf56b13cfeff9c6af1efa35d239388ec4d1dc6b6b72f996fd72b01d12963d", 0x1000}, {&(0x7f00000007c0)="16ee4048a013c9fa6bc755a208fa1da89aa3a990a7f6b551402e2f0b5c95b822955fb4f0ab4679e6543b575ff0e61cc1ceba31d99a6b283c33ee5ebe8bb2f798523a03b890c5a72f12f66306613459d67b96", 0x52}, {&(0x7f0000000840)}], 0xa, &(0x7f0000001980)=[@dontfrag={{0x14, 0x29, 0x3e, 0xffffffc0}}, @rthdrdstopts={{0x48, 0x29, 0x37, {0x87, 0x6, '\x00', [@enc_lim={0x4, 0x1, 0x1}, @calipso={0x7, 0x20, {0x3, 0x6, 0x5, 0x8, [0xfff, 0x9, 0x2]}}, @padn={0x1, 0x5, [0x0, 0x0, 0x0, 0x0, 0x0]}, @ra={0x5, 0x2, 0x9}]}}}], 0x60}}], 0x1, 0x24000084)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x28011, r1, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder1\x00', 0x800, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000940)={0x54, 0x0, &(0x7f00000002c0)=[@increfs={0x40046304, 0x3}, @decrefs={0x40046307, 0x1}, @transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000080)={@ptr={0x70742a85, 0x0, &(0x7f00000001c0)=""/202, 0xca, 0x2, 0x11}, @fda={0x66646185, 0x3, 0x0, 0x25}, @fd}, &(0x7f0000000000)={0x0, 0x28, 0x48}}}], 0x0, 0x0, 0x0})
executing program 1:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)
executing program 2:
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"})
r0 = socket(0x10, 0x3, 0x0)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0})
r1 = socket$nl_audit(0x10, 0x3, 0x9)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil)
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0) (async)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"}) (async)
socket(0x10, 0x3, 0x0) (async)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0}) (async)
socket$nl_audit(0x10, 0x3, 0x9) (async)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40) (async)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) (async)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil) (async)
executing program 32:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)

program crashed: WARNING in shmem_rmdir
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <10>
bisect: split chunk #0 of len 10 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=6m1s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 5, 7, 16, 5]
detailed listing:
executing program 1:
preadv(0xffffffffffffffff, 0x0, 0x0, 0xfff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_group_source_req(r1, 0x0, 0x2c, &(0x7f00000004c0)={0xffffffff, {{0x2, 0xfffc, @multicast2}}, {{0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x108)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r2, 0x4068aea3, &(0x7f0000000200)={0x79, 0x0, 0xc})
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
getsockopt$inet6_int(r3, 0x29, 0x16, 0x0, &(0x7f0000000180))
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, &(0x7f0000000080)="470f08b99c030000b800000000ba000000000f3066bad004b011ee66ba4000b800000000ef47cf66b824018ec0c7442400c1000000c744240226ea6e57ff1c24430f0198acb500003e67410fc7590066470f6f3e", 0x54}], 0x1, 0x16, 0x0, 0x0)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setsockopt$sock_int(r5, 0x1, 0x28, &(0x7f0000000000)=0x1, 0x4)
bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x2}, 0x6)
r6 = fsopen(&(0x7f0000000240)='ramfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r6, 0x6, 0x0, 0x0, 0x0)
r7 = fsmount(r6, 0x0, 0x0)
fchdir(r7)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x100)
lseek(r8, 0x1, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f00000002c0)=ANY=[@ANYBLOB="0100000000000000024d564b000000000b"])
r9 = socket$inet6(0xa, 0x3, 0x7)
setsockopt$inet6_int(r9, 0x29, 0x1000000000021, &(0x7f00000005c0)=0x7fff, 0x4)
connect$inet6(r9, &(0x7f0000000000)={0xa, 0x4e24, 0x0, @loopback, 0x8}, 0x1c)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fremovexattr(r0, 0x0)
mount$binderfs(0x0, &(0x7f0000000040)='./binderfs\x00', &(0x7f0000000140), 0x94893, &(0x7f0000000300)=ANY=[@ANYBLOB="73746174733d676c6f62616c2c73746174733d676c6f62616c2c6c617a7974696d652c00e948845b239e6682aaae76fd62d8"])
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x6)
r10 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$sock_int(r10, 0x1, 0x1d, &(0x7f0000000000)=0x1, 0x4)
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4040aea0, &(0x7f0000000100)=@arm64={0x75, 0x0, 0x6, '\x00', 0x4be})
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x14, 0x4c, &(0x7f0000000500)=[@increfs_done={0x40106308, 0x2}], 0x0, 0x0, 0x0})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = dup(r2)
ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
setsockopt$inet_udp_int(r3, 0x11, 0x1, &(0x7f0000000000)=0x1, 0x4)
executing program 2:
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"})
r0 = socket(0x10, 0x3, 0x0)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0})
r1 = socket$nl_audit(0x10, 0x3, 0x9)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil)
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0) (async)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000380)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"}) (async)
socket(0x10, 0x3, 0x0) (async)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x8927, &(0x7f0000000280)={'ip6tnl0\x00', 0x0}) (async)
socket$nl_audit(0x10, 0x3, 0x9) (async)
sendmsg$AUDIT_TTY_GET(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x10, 0x3f8, 0x10, 0x70bd25, 0x25dfdbfd}, 0x10}, 0x1, 0x0, 0x0, 0x4000080}, 0x40) (async)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) (async)
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3, &(0x7f0000007000/0x1000)=nil) (async)
executing program 32:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x19)
r0 = syz_usb_connect(0x5, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b8e0102030109021b0001000000b3090400000101293000090509"], 0x0)
syz_usb_control_io(r0, &(0x7f0000000240)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000006c0)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
madvise(&(0x7f0000029000/0x3000)=nil, 0x3000, 0x16)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=6m1s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 30, 9, 18, 18]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/custom0\x00', 0x1003, 0x0)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
close(r1)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @multicast1}, 0x2}}, 0x2e)
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000002700))
r2 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000840)=ANY=[@ANYBLOB="1201000000000040f30455070000000000010902240001000040b109040000010300010009210101000122050009050003ff030c0000ebbac564734796af53f8a5fcbfe39cd1c81963ccf220498f4b260ef6453e08b2e31f03f1f8612ec32fabea6d6d70"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000340)={0x2c, &(0x7f0000000040)=ANY=[], 0x0, 0x0, 0x0, 0x0}, 0x0)
r3 = syz_open_dev$hidraw(&(0x7f0000000240), 0x10007f, 0x10100)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f00000003c0), r4)
sendmsg$ETHTOOL_MSG_TSINFO_GET(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000500)=ANY=[@ANYBLOB="edfa5358e1cb95f584dedf9479e1337d7c", @ANYBLOB="c5153284fbedf3cf903a41a14adf070731125250c271a679984b55ee432d58", @ANYBLOB="010028bd7000fcdbdf25190000002000018008000300060000001400020076657468315f6d616376746170000000", @ANYRES16=r0, @ANYRES16=r1], 0x34}, 0x1, 0x0, 0x0, 0x20008810}, 0x91)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r3, 0x81f8943c, 0x0)
r5 = socket$inet(0xa, 0x801, 0x6)
r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
ioctl$KVM_GET_PIT(0xffffffffffffffff, 0xc048ae65, &(0x7f0000000280))
accept4(r5, 0x0, 0x0, 0x0)
r8 = pidfd_getfd(0xffffffffffffffff, r0, 0x0)
write$P9_RXATTRCREATE(r8, &(0x7f0000000100)={0x7, 0x21, 0x1}, 0x7)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x138a, 0x1000000003})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
r9 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r9, &(0x7f0000000440)=@name={0x1e, 0x2, 0x2, {{}, 0x2}}, 0x6f)
bind$tipc(r9, &(0x7f0000000080)=@nameseq={0x1e, 0x1, 0x1, {0x41, 0x1, 0xfffffffd}}, 0x10)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
socket(0x840000000002, 0x3, 0xff)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)
executing program 3:
mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x1, 0x40010, 0xffffffffffffffff, 0x0) (async)
r0 = socket$netlink(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0xc, &(0x7f00000000c0)=0x8004, 0x4) (async)
sendmsg$netlink(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)=[{&(0x7f0000000100)={0x18, 0x56, 0x601, 0x0, 0x0, "", [@typed={0x7, 0x0, 0x0, 0x0, @str='\x00\x00\x00'}]}, 0x18}], 0x1, 0x0, 0x0, 0xea}, 0x0) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000200)='fdinfo/3\x00')
read$FUSE(r2, &(0x7f0000000a40)={0x2020}, 0xc7) (async)
ioctl$SIOCSIFHWADDR(r2, 0x8924, &(0x7f0000000000)={'rose0\x00', @local}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000fc0)=[@reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
executing program 0:
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
write$uinput_user_dev(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
mremap(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x3000, 0x0, &(0x7f0000ffd000/0x3000)=nil)
madvise(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x16)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x5}, 0x1c)
setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0)
write(r0, 0x0, 0x0)
r1 = dup(r0)
ioctl$MON_IOCX_GET(r1, 0x40189206, &(0x7f0000000240)={&(0x7f0000000140), &(0x7f0000000180)=""/188, 0xbc})
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='devices.list\x00', 0x275a, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f0000000740)={0x30, 0x5, 0x0, {0x0, 0x2, 0x0, 0x84ae}}, 0x30)
r3 = syz_open_procfs(0x0, &(0x7f0000000040)='fd\x00')
fchdir(r3)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r2, 0x0)
open(&(0x7f0000000000)='./bus\x00', 0x80001, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_FREEZE(r4, 0x400c620e, &(0x7f0000000100)={0x0, 0x1, 0x800})
executing program 3:
r0 = eventfd(0x7e)
write$eventfd(r0, &(0x7f0000000040)=0x5, 0x8)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='cpuacct.usage_percpu_user\x00', 0x275a, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_dev$usbfs(&(0x7f0000000300), 0xb, 0x101301)
ioctl$USBDEVFS_IOCTL(r2, 0xc0105512, &(0x7f0000000200))
ioctl$USBDEVFS_IOCTL(r2, 0x80045505, &(0x7f0000000040)=@usbdevfs_connect)
r3 = fsopen(&(0x7f0000000040)='proc\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r3, 0x6, 0x0, 0x0, 0x0)
fsmount(r3, 0x0, 0x0)
fsconfig$FSCONFIG_CMD_RECONFIGURE(r3, 0x7, 0x0, 0x0, 0x0)
vmsplice(0xffffffffffffffff, &(0x7f00000000c0), 0x0, 0x1)
ioctl$LOOP_SET_STATUS(0xffffffffffffffff, 0x4c02, 0x0)
ioctl$USBDEVFS_RESETEP(r2, 0x80045503, &(0x7f0000000080)={0x7})
sendmmsg$inet6(r1, &(0x7f0000001a00)=[{{0x0, 0x0, &(0x7f0000000880)=[{&(0x7f0000000340)="04f360710f55c24abb24327a6e6ed0f4e530cccaec1dd6d3b7dc2038c5585825495d3466780d7bee13b83a77ff9c973444d97c78f11cf6f57d5685c63b72bac03530b1f4ffe62fc66b4fc769f3f7000852529e188c5b98ffd0fbd433c201988783019775710b0ffaae196584ccc0f0e2d4227f7e8094016e6e236e9576fcbf0a9e237e387c3d3d3171dbdd2c00ae57366006dac5b55742", 0x97}, {&(0x7f0000000400)="859dd2bf22305c73bd05446e0d447ceb336d9e826ea7b1fac9d65a2a239387537a1b2f2826b24da55b34dc74545984982295b15bf2ac67f37424166513c556d69b91ad82d6f47c00a1982e3c6966cfcf56b84cc1d3815f3e889f1769619d7e22874b718c3896a5f9d85328ce043e894e9921f59fd0e8afc8dd44e8ec9563287de69a3fca8a464a954b86f6c5197a48f47b885bab4aca1b742c1f96a551c3c510e684f6c521b5df3c58c305a0e0f4e53788a4e6a3d0aaeeafcbe2ee5d2eba186f75d34fe7f3d515106cc6841bba4f11271f810a35d5c01f412734fbf0912fc54546", 0xe1}, {&(0x7f0000000140)="b7ce648a03711de81bf66009b2678454d32475c161591ff4496792ac4643b2062829c6259e991282c5500e0dc4f7aba86324ee80dbf35d40e0a34627dc74c3d3852396", 0x43}, {&(0x7f0000000500)="2c5b5614d0433fe662721bb3b283ced7310784aa41fb94986c4c3b9e71586ed07fc1d3da35041585523b685d8e921c85eca0888b51f5c200fb1392482b617c5b83520e6fd6b4ae6856c2167368569090658f885586b74f0e368d938b69add358e31975e170c12529f05d6653681ae5c295419972a2b3e217530b8727c601802ee6aa8840d31980645a87c54b2dd5467db81c3dad90bb4f3a0f043bd49d4f21da", 0xa0}, {&(0x7f00000005c0)="e9de4ae9e4421fdcd906e1da59e35aef712c315fe5d9635a1f1d53a79f4176dea5e800bc45150777fba7e002f58e13de984de5d0eed93e14085526b6603f4ebab4b759153a3ab20f7b7c643d2af4aa82954ce34087f8432fe72686f54dfe6c3a8ebcacaba935b3b65a45152413352ecac5383ed9b6e3227db9d630bb4a156e38f6861e289446c3839ba54c1e2427c1dd1cbbbba2e744756bc5d14c9760f3f9e405768563618269bb", 0xa8}, {&(0x7f0000000680)="38d685a7e596c350d0de907c746418c38b6c04bae90deda84d00692839fb7fded1e9bdf7deccb80b52d2acc751e3540ab313fefea86842f86c2ed8268de6664ea19898484707635a64f2f1921d6b4506286e4bbc5bc7fb29dd44dadfedeb9d7a940ac6cd14d067c5e528aecc65276e5268d01efcd53766a7b9bb90232d76944a723d45933aa4b5ce85b30b36bd573700a308966f08c3d0d58ab792a9e803b72009a4be6e09d3232c2d64222e88258ce82bc146aff993bd6b644bbcce044e284dbaf13d8f9c00d302261cecec811ae4498741fb51252acfeba65d0ab647f27b378ada3e5ed5caa2cd62db9b6fed4ac043e531a7ed", 0xf4}, {&(0x7f0000000780)="80b24d90a8995a45ad3ff4a0d49c2b2c53f92634088d51ead6956431dcbcb6d903373250ac3027e7e6", 0x29}, {&(0x7f0000000980)="89642a098141ba4da4c7ab54eeae51ab90d114d1ce91a50d1424e075708f9fb4878af95e05f967416b6fb848e2a924eaa7b71ebc12c3bbb5070686c1d6968efdd311e17f4a3813d26e6b569870d277233caf84928ceed6861420ce415314fd12b76f77eb48bf0dc7174bf377157859e8ced30dbd3633df3bd082ea2c7d7d5b25d31c987f201099bcce7d8652d9fa41556658e71e0c106f83fe088f0667410e1c352125c41c503eae17ee21a1d0edfc671c34840190483b2463e829fae73e1555daea72109fd97f9c1fbe9c193198ca29f9138c24b8079d8eaaeb69affd6edadb29835ece6908ab91bf8fbfe03afa3e61db6359d8d8fc2fdaeb62d3670eeaca93fca1f4f5b3b91a54cd660758a331b02bac80eb483116887ed03f6cf77313d61288ad8dd073b6d51a79d9f62c0cd08399988c017ec2667cd1fdafb3ad80b82fccd03d7a6f8cf054382a6c1e494d429a48e6e1fe89cd4ba13c0b69eb356a5a906f02096890e55f9b9dd7f774d9f56713fbba1fb2705777973355feb14219ad10a130d5376822292472593cc8f054ecc817809b17c25c65ea78a9b91b00e6e3c10f6936bfac0335be3be92576e16e375f0bf26d88cd7ed8e162dc8e826c140e328fa2c0ea5386445372e1ba1f2a9df0d4845d9eba489a566c29842276bd22d6563932cc36b9511c29cc16cf7852dabfb48ad5bd40ca33b5c579950eb70d9a2c38cdfedc375cfef5e81c5c05471cee4fe61bb82670df9b10c4d09cc0e13fe37e6f0e007723b8ab0db1f86b1b00b0dda4bac32574d60d83c1467db4d31ea36c01715835c4b95478e99b845e4e9a8a42e5ea0b8886167da6bf400168515305e509b624ad11ea80cb87984603b7bedae3bb05204117da36218a6cafc2b76de469941b9a86b47eb76abfb903a30d4793eb3d97b7594e92492cddde2c78dffe9e87e2ea9c28611a62fa6f3758e400528bd35e06fdbeeec94b9bdabbd25cb867caf66b4a167b6a58d08c8c9ff8aed00697e46ef60063af7e2187667f24f5cce79da7f915a8a0f61ddb5833133aa60b754fb8632bbc911aea43c9c1a027d4a6d6df93e8dceaabfb815d1a7264dc67b6b088fa9694550283dec8a53a194c0486002f5b04a5c0052b3610b91bade38f38d913d7aea769218d9bdbbf489b5ce4d5cafe1eb780e446834340152e52060d73b3599eaa634dbc8f9d9250a8c386e731b6a8740c78e6ad7c7cca37c1140e676faaf736953463a4985a1c97540569856faf31edb9ce8ececee74eedf7a4e589b8e479b5ec2db4268733411ee691b6b356bbc84c1b0968f5d4bd1f398016089896284be1212bd17d27ebe8ad9cab43c2cf36bde563ce0907267eaeaa367793cad0915c310a6704362ddbaf4724bff4f65f121f45f50f26d69a18a14aabd8d860bdbd3b8a6f109643b8b9794143acbdf4c10c5c32797395f350c7ee7988fd894d4b884517f3f4cf5733c90035fbd5406aea23c4962d253616edd7650cf9adfb0724b09e1f3089025ec073d1672644320605f5fbea2ee7da365847edf7e814b12c5c27a4bdd34256a1874d77f5daa8e714c5814d85d778622af3ec9c8739c5208c2f4ea5f85a28310d1d5c18dafb91b0cf49ae8d75a6a435dac8500529484c718486208cd6a87df303a4dc6a0f337558b8a85b517b26456378e0dbac2aba6bef054de1fdad372692ef0c5264df7a827e5aec9c0e559846d8e267a8b66f46e2affb80a91978eb840f20e15da03817e63a4b37b4faf14ca4edb9b5e5466f002863023ef3fe5dddad697569e3447f29d851b75e5c441e740c39f75e1bb3e9799b91be464ddfba39773183bc9c63c9355b5942b4157eb0610a6f3aaf04558cd5f48310718207328c2e88e5950f5ecb8b1da2c8eec2579735d929f97b9ccc047a60eb3d7b55ad5f16eb78f4209c11af9810e858023bbb8d9abdee5223e468ea5ab7109ec54d7ce4192c7be508bc91d7a185c9a68c5eaaa99d1b2e5c432d163387de21e9a85c863b1d0fc6c376a30f4dc4a531474e843e44568cc47746e5f299613982cc6c02fafcdf7401f316722c54ee415321bbf6550a261ed30e6bd68925f389e9ee04e3d2a38afbeb703c843f0a75af681faab297d2477952dd082f4a97ddfd70f230b16ae71e01cb75edf6032d00b6dbbabd0640196645a23e33891dc5953171e8e0aa3d664a458960e346c95095bd5e60f403334389427e58026b479a41c92629d41047881866409d155f4c7a4ccaebe32290c7fd42b30523fd365a0aa4647e60852a4cc7a7cb1de2b2f5dd0fb13755ad49d78727d3abdfc9bc0f1699ac215d33e04852af816a15211b231a64bf9a22fac18ae3a90a504369bc6dc88a849d8cee562a7dda32a079eecf14943c78b9e426dfa447b523f7451f0a649bf86276d18d6ff3421286ad2e4bc4bedbcd41484e474eba87d174419ef4dfb2f965190ecd837060eeb033582bf16b83b185b7a458329d91597848c0d5b3c141ad8857e634ee3f37883f503b7cf7ba723e7e0d36b6184e812d912c827aab509921bd99f0bb299bbbb4783ff834ae9097689747148b5d84eeffd5ac2227f1099ab60f3244b8de0a0d7c1ec798635fb6a3a45e807b145ddecf01942d061ff6825bce4ca2afcc29d720eda5abac286e0642b583e2f51bddbcca49c0d3e1c37bfe66df56aa42f59bfa2892c19e052f9b661fd84bf5056311495ef9b4b9f1a4c52671b0ef5843aa937cc9bd6fd89335d8781b3954a826657ab0aec2b2b35c99f58a9c190f9d63f7607c8d045da09bec66bc1b1333084bced4c92a80dcd074ff51302da8358451e71394ca9ea1fef026a7b070899bebe3b45ae11a0a8ccb61b46f1f81b73964d88d018f24cd76880e834b57d08f722d882e82737d7cdfcc14b2c3dcac0ca0b88f03221a487d0c052d75901d7dee0ffeec11771ff1c5db961307a0851abd5c2030029041579289d19893637648a52bbf9a636390a2e0c4971a766b8f013a815cf16e440f48b62095f87b0ced8689cf037e6a8a30183a54ea4eea5cf724074ab453defc87f93093065d41a6c2c7b6741308a3e99f2e6b1b031d5d3206adb91a151b2f382291e7111afa8eb92572ebfcba4327cd2444c7ff23ddb6330ed225ddb82686eaa4fc75697ed03f4ceb68abcb46f210403703b4d7097f65a876d2b5bf55667fae1c1cda0247e5961a754b9167cfa74ca89d7774a9f1415ae31479fa0e3877d10b855ff43d2d45508484b4bd2ff348ff6ca5d6d9f06ecd2e8eaff3c9f1e8fe169d76b590038cfa5f7781b7794de906d751dca21af24da422554317e3081dcc6f81d70ea1f833c2047223369f74007963a0229bcfda4aa64c54a523d0fc12f489a29b19e230ff141130dece7f48b81209bcc63cdae3a30fa4cca60e4422bfbfa70545e4907a4d1ffd7bf35fbb4e5e40b162ea87cfddb52d4f4b4178d7e9b9cbe7aef71c4c33b4667d14d5aa0c3a9529790e072425141739f01015f4bf8eac866dfeee11e972ac4c4bbd75c35508d3d40443b5edbd494a414c3db2cabe560e3c8e0b69cac453dc381bcbc84e1eaac5b977c80d15d093f3ebabbd8b253beaab7a3bc8715ae74c3c271ad2fe4dcda3359ef281b94712a899c73bdb209ec35a92eaa97bf9aa347a8c5b33eaa9c327d13cb7d2e0c8f69260788b4c90a42aecfe9fd01a6b1c7b4418e3744bd3c5cdb2ceecd227519be29b6d59e73123f4db6f034d8d7af3c4ef1257e9cdf2a3253496fe854176fc2018f8ae44b1d7eddcea6e37d7bc3424054348df1019a0c149941e430fd037c7f70abf268d55bf8295b0bbdc7f61d1f3b97d11a0754991c594e6a497841c2f7851d7e0e44d2ad10c15102c682b036e8857bd45bb0d9346dd979ec3c30c17109d162865d4c097a843e17d0e0a5bb1d08c3ce581c3a78ce80e05693ed25eb2262d39d4e5c8703a6b2279816833c6f5f19a59f527ea8d81a5d0307622f52dd2475f0d385a0b2af35b28a5242b85cabc89977e2fb19079d9132643cb690a4da32ae07fae823df9f204a9bd5f827c37bb65effca2f9d9460fa5c1db3692bca5eb79b8e39024365a3d58604cc0dbeb46bdddacb0901fc8b2a96cb6d8b20a624c4cfa20ca9de08025185ba297ee267efc9bdeecb1b01b84a9a42959a55637573daf0e10c71f359684336ee3d92d9d3b0f7e520ed59803f2e992c7e3b83425bc55e301f38e89585b47c19e37e965e3b78b0dbfca913308dff85e5bafdb9458e57b35bf34c431a0e8cab25fececdbc18282b31d5681a6a2b3f3bd129ba39dcc6c4b0d14bb140cc237f1f6d82987dc52f79e46611d498607992eed4f40cd85bcfe5d3f03f8bf7f0a3e247e92bac4ef05cf7b9bd13671f6ab075775b1d1ecfb2cfe59ceff3e853c79fbd2c517c6f002217846dbaf93aa44015f7615bdccf8db094836af847304cd35ecc4f2cc31e716203d36e1b4eb12cbdd615e740f57ae19631089393f97f3c239b990ee858d549b0c9d4cf5c8f3cafe176cdc59020565bec06235cf7ca6e34411930ff635ce839254d628581b2a8c0c38190bd00633b08cfc890e36d0eef070065cda1bb6bcbe27387249d0d6c5e2a0e142293a65c36b7f6368f8020ae0e289e24d91d04c389a4acb30a1af5ac5780d11b1016a74a9810a1ed053b97a146041cd3008b23fa74c5f7a4ccd1c00ce3825ac388083bc6c102c73d614cdbeb2f42a6a55c400fa6451faeee801ccc75ab6043a17d26b5b2a5988b211e68c38e75fd7ca6c9effb9934efa0688b02a5b3b2306ff2088bbd41c302fd4802a6d08e968900d719ae137364e610fd03d274ade682bb8c36e69c2fca80a0b4e0f7e40c1246dd70754b99db57bd99f2ecc12d0bec6a553b292a414c859bea5594176d648a24d3b115fe003c064e83af81e9bbf7948dc1d57a3b5b71104164efac2a110ffbbb0439356633052f48c784346ece3817f1039b80647d18e6ec98984bf44f0a062c321065a84ddfcb292fe6004d7efbc91fe0d8cf1bb2af18ed2a109dfb0c022e4aea395e4704e4dd71e452e4fa5c850ad6333b6c3d096f8dc721bd02fce0f8f579181f4fa1ebaa5d1f3e4ffe4d4984fe5fd0a63b31fb0d5f9aadf691dc1018c8c57ed05c9315748051a0a35c504e3ba8e028abe29b09a5c311a675195c5e56f48e63df11760e45cf8822772c78b8a526f702a3c5fe92204bc0a5f6c0f4020095d726add42012487ecadd987eae0b4b2b8cf742e7d068a8ab0a7d8f9fccb5056fa3fa12678a96a04ca7b36ec35f00a818ca3adb1261cacfb9b6e3070a8a20ec4467ec9e24a6fe69e27255385db768c23ca9911a10866bade6c589d017c8683d744b8c9c9a68bd4262a7b66d57a8738bb9f7a2ffd5f5d8a43ba73f53330807dd200a2921d822789ae83e2a8ca62fadb4c2e1dc7ae65eba3ffd9d3a754651f94b9c1b3c00ed1798c541f15e465a00693f23039d3aa2e5fe22624345bdd01eeb57bd8c74a9b34ff574a1fc4da8119788679999d09ee703ddbd95224eb5def3f1843fb5b3292706957e7bbab66356e95931d95f51fbe74d3cdf4886c593c40853d7f7ddac5ee3c594e73feaaf36139d69bd60d978a3c489e2b7e0f9ebec01422c81489823b122d3699d985b62f89235807745cfa6029e14cc59b339ffc615a3dd97212991547935e53fb5daa3e6e98f28077f0ff42374b0c6c8ea8337463031c37b090a1a1665aa61b36b70c8669144d44497c976a5b6ebb542de4d0d5a74c51cfda08db8b8ede621def2bf56b13cfeff9c6af1efa35d239388ec4d1dc6b6b72f996fd72b01d12963d", 0x1000}, {&(0x7f00000007c0)="16ee4048a013c9fa6bc755a208fa1da89aa3a990a7f6b551402e2f0b5c95b822955fb4f0ab4679e6543b575ff0e61cc1ceba31d99a6b283c33ee5ebe8bb2f798523a03b890c5a72f12f66306613459d67b96", 0x52}, {&(0x7f0000000840)}], 0xa, &(0x7f0000001980)=[@dontfrag={{0x14, 0x29, 0x3e, 0xffffffc0}}, @rthdrdstopts={{0x48, 0x29, 0x37, {0x87, 0x6, '\x00', [@enc_lim={0x4, 0x1, 0x1}, @calipso={0x7, 0x20, {0x3, 0x6, 0x5, 0x8, [0xfff, 0x9, 0x2]}}, @padn={0x1, 0x5, [0x0, 0x0, 0x0, 0x0, 0x0]}, @ra={0x5, 0x2, 0x9}]}}}], 0x60}}], 0x1, 0x24000084)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x28011, r1, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder1\x00', 0x800, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000940)={0x54, 0x0, &(0x7f00000002c0)=[@increfs={0x40046304, 0x3}, @decrefs={0x40046307, 0x1}, @transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000080)={@ptr={0x70742a85, 0x0, &(0x7f00000001c0)=""/202, 0xca, 0x2, 0x11}, @fda={0x66646185, 0x3, 0x0, 0x25}, @fd}, &(0x7f0000000000)={0x0, 0x28, 0x48}}}], 0x0, 0x0, 0x0})

program crashed: WARNING in shmem_rmdir
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <5>
bisect: split chunk #0 of len 5 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [18, 18]
detailed listing:
executing program 0:
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
write$uinput_user_dev(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
mremap(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x3000, 0x0, &(0x7f0000ffd000/0x3000)=nil)
madvise(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x16)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @mcast2, 0x5}, 0x1c)
setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0)
write(r0, 0x0, 0x0)
r1 = dup(r0)
ioctl$MON_IOCX_GET(r1, 0x40189206, &(0x7f0000000240)={&(0x7f0000000140), &(0x7f0000000180)=""/188, 0xbc})
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='devices.list\x00', 0x275a, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f0000000740)={0x30, 0x5, 0x0, {0x0, 0x2, 0x0, 0x84ae}}, 0x30)
r3 = syz_open_procfs(0x0, &(0x7f0000000040)='fd\x00')
fchdir(r3)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r2, 0x0)
open(&(0x7f0000000000)='./bus\x00', 0x80001, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
ioctl$BINDER_FREEZE(r4, 0x400c620e, &(0x7f0000000100)={0x0, 0x1, 0x800})
executing program 3:
r0 = eventfd(0x7e)
write$eventfd(r0, &(0x7f0000000040)=0x5, 0x8)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='cpuacct.usage_percpu_user\x00', 0x275a, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000400)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_dev$usbfs(&(0x7f0000000300), 0xb, 0x101301)
ioctl$USBDEVFS_IOCTL(r2, 0xc0105512, &(0x7f0000000200))
ioctl$USBDEVFS_IOCTL(r2, 0x80045505, &(0x7f0000000040)=@usbdevfs_connect)
r3 = fsopen(&(0x7f0000000040)='proc\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r3, 0x6, 0x0, 0x0, 0x0)
fsmount(r3, 0x0, 0x0)
fsconfig$FSCONFIG_CMD_RECONFIGURE(r3, 0x7, 0x0, 0x0, 0x0)
vmsplice(0xffffffffffffffff, &(0x7f00000000c0), 0x0, 0x1)
ioctl$LOOP_SET_STATUS(0xffffffffffffffff, 0x4c02, 0x0)
ioctl$USBDEVFS_RESETEP(r2, 0x80045503, &(0x7f0000000080)={0x7})
sendmmsg$inet6(r1, &(0x7f0000001a00)=[{{0x0, 0x0, &(0x7f0000000880)=[{&(0x7f0000000340)="04f360710f55c24abb24327a6e6ed0f4e530cccaec1dd6d3b7dc2038c5585825495d3466780d7bee13b83a77ff9c973444d97c78f11cf6f57d5685c63b72bac03530b1f4ffe62fc66b4fc769f3f7000852529e188c5b98ffd0fbd433c201988783019775710b0ffaae196584ccc0f0e2d4227f7e8094016e6e236e9576fcbf0a9e237e387c3d3d3171dbdd2c00ae57366006dac5b55742", 0x97}, {&(0x7f0000000400)="859dd2bf22305c73bd05446e0d447ceb336d9e826ea7b1fac9d65a2a239387537a1b2f2826b24da55b34dc74545984982295b15bf2ac67f37424166513c556d69b91ad82d6f47c00a1982e3c6966cfcf56b84cc1d3815f3e889f1769619d7e22874b718c3896a5f9d85328ce043e894e9921f59fd0e8afc8dd44e8ec9563287de69a3fca8a464a954b86f6c5197a48f47b885bab4aca1b742c1f96a551c3c510e684f6c521b5df3c58c305a0e0f4e53788a4e6a3d0aaeeafcbe2ee5d2eba186f75d34fe7f3d515106cc6841bba4f11271f810a35d5c01f412734fbf0912fc54546", 0xe1}, {&(0x7f0000000140)="b7ce648a03711de81bf66009b2678454d32475c161591ff4496792ac4643b2062829c6259e991282c5500e0dc4f7aba86324ee80dbf35d40e0a34627dc74c3d3852396", 0x43}, {&(0x7f0000000500)="2c5b5614d0433fe662721bb3b283ced7310784aa41fb94986c4c3b9e71586ed07fc1d3da35041585523b685d8e921c85eca0888b51f5c200fb1392482b617c5b83520e6fd6b4ae6856c2167368569090658f885586b74f0e368d938b69add358e31975e170c12529f05d6653681ae5c295419972a2b3e217530b8727c601802ee6aa8840d31980645a87c54b2dd5467db81c3dad90bb4f3a0f043bd49d4f21da", 0xa0}, {&(0x7f00000005c0)="e9de4ae9e4421fdcd906e1da59e35aef712c315fe5d9635a1f1d53a79f4176dea5e800bc45150777fba7e002f58e13de984de5d0eed93e14085526b6603f4ebab4b759153a3ab20f7b7c643d2af4aa82954ce34087f8432fe72686f54dfe6c3a8ebcacaba935b3b65a45152413352ecac5383ed9b6e3227db9d630bb4a156e38f6861e289446c3839ba54c1e2427c1dd1cbbbba2e744756bc5d14c9760f3f9e405768563618269bb", 0xa8}, {&(0x7f0000000680)="38d685a7e596c350d0de907c746418c38b6c04bae90deda84d00692839fb7fded1e9bdf7deccb80b52d2acc751e3540ab313fefea86842f86c2ed8268de6664ea19898484707635a64f2f1921d6b4506286e4bbc5bc7fb29dd44dadfedeb9d7a940ac6cd14d067c5e528aecc65276e5268d01efcd53766a7b9bb90232d76944a723d45933aa4b5ce85b30b36bd573700a308966f08c3d0d58ab792a9e803b72009a4be6e09d3232c2d64222e88258ce82bc146aff993bd6b644bbcce044e284dbaf13d8f9c00d302261cecec811ae4498741fb51252acfeba65d0ab647f27b378ada3e5ed5caa2cd62db9b6fed4ac043e531a7ed", 0xf4}, {&(0x7f0000000780)="80b24d90a8995a45ad3ff4a0d49c2b2c53f92634088d51ead6956431dcbcb6d903373250ac3027e7e6", 0x29}, {&(0x7f0000000980)="89642a098141ba4da4c7ab54eeae51ab90d114d1ce91a50d1424e075708f9fb4878af95e05f967416b6fb848e2a924eaa7b71ebc12c3bbb5070686c1d6968efdd311e17f4a3813d26e6b569870d277233caf84928ceed6861420ce415314fd12b76f77eb48bf0dc7174bf377157859e8ced30dbd3633df3bd082ea2c7d7d5b25d31c987f201099bcce7d8652d9fa41556658e71e0c106f83fe088f0667410e1c352125c41c503eae17ee21a1d0edfc671c34840190483b2463e829fae73e1555daea72109fd97f9c1fbe9c193198ca29f9138c24b8079d8eaaeb69affd6edadb29835ece6908ab91bf8fbfe03afa3e61db6359d8d8fc2fdaeb62d3670eeaca93fca1f4f5b3b91a54cd660758a331b02bac80eb483116887ed03f6cf77313d61288ad8dd073b6d51a79d9f62c0cd08399988c017ec2667cd1fdafb3ad80b82fccd03d7a6f8cf054382a6c1e494d429a48e6e1fe89cd4ba13c0b69eb356a5a906f02096890e55f9b9dd7f774d9f56713fbba1fb2705777973355feb14219ad10a130d5376822292472593cc8f054ecc817809b17c25c65ea78a9b91b00e6e3c10f6936bfac0335be3be92576e16e375f0bf26d88cd7ed8e162dc8e826c140e328fa2c0ea5386445372e1ba1f2a9df0d4845d9eba489a566c29842276bd22d6563932cc36b9511c29cc16cf7852dabfb48ad5bd40ca33b5c579950eb70d9a2c38cdfedc375cfef5e81c5c05471cee4fe61bb82670df9b10c4d09cc0e13fe37e6f0e007723b8ab0db1f86b1b00b0dda4bac32574d60d83c1467db4d31ea36c01715835c4b95478e99b845e4e9a8a42e5ea0b8886167da6bf400168515305e509b624ad11ea80cb87984603b7bedae3bb05204117da36218a6cafc2b76de469941b9a86b47eb76abfb903a30d4793eb3d97b7594e92492cddde2c78dffe9e87e2ea9c28611a62fa6f3758e400528bd35e06fdbeeec94b9bdabbd25cb867caf66b4a167b6a58d08c8c9ff8aed00697e46ef60063af7e2187667f24f5cce79da7f915a8a0f61ddb5833133aa60b754fb8632bbc911aea43c9c1a027d4a6d6df93e8dceaabfb815d1a7264dc67b6b088fa9694550283dec8a53a194c0486002f5b04a5c0052b3610b91bade38f38d913d7aea769218d9bdbbf489b5ce4d5cafe1eb780e446834340152e52060d73b3599eaa634dbc8f9d9250a8c386e731b6a8740c78e6ad7c7cca37c1140e676faaf736953463a4985a1c97540569856faf31edb9ce8ececee74eedf7a4e589b8e479b5ec2db4268733411ee691b6b356bbc84c1b0968f5d4bd1f398016089896284be1212bd17d27ebe8ad9cab43c2cf36bde563ce0907267eaeaa367793cad0915c310a6704362ddbaf4724bff4f65f121f45f50f26d69a18a14aabd8d860bdbd3b8a6f109643b8b9794143acbdf4c10c5c32797395f350c7ee7988fd894d4b884517f3f4cf5733c90035fbd5406aea23c4962d253616edd7650cf9adfb0724b09e1f3089025ec073d1672644320605f5fbea2ee7da365847edf7e814b12c5c27a4bdd34256a1874d77f5daa8e714c5814d85d778622af3ec9c8739c5208c2f4ea5f85a28310d1d5c18dafb91b0cf49ae8d75a6a435dac8500529484c718486208cd6a87df303a4dc6a0f337558b8a85b517b26456378e0dbac2aba6bef054de1fdad372692ef0c5264df7a827e5aec9c0e559846d8e267a8b66f46e2affb80a91978eb840f20e15da03817e63a4b37b4faf14ca4edb9b5e5466f002863023ef3fe5dddad697569e3447f29d851b75e5c441e740c39f75e1bb3e9799b91be464ddfba39773183bc9c63c9355b5942b4157eb0610a6f3aaf04558cd5f48310718207328c2e88e5950f5ecb8b1da2c8eec2579735d929f97b9ccc047a60eb3d7b55ad5f16eb78f4209c11af9810e858023bbb8d9abdee5223e468ea5ab7109ec54d7ce4192c7be508bc91d7a185c9a68c5eaaa99d1b2e5c432d163387de21e9a85c863b1d0fc6c376a30f4dc4a531474e843e44568cc47746e5f299613982cc6c02fafcdf7401f316722c54ee415321bbf6550a261ed30e6bd68925f389e9ee04e3d2a38afbeb703c843f0a75af681faab297d2477952dd082f4a97ddfd70f230b16ae71e01cb75edf6032d00b6dbbabd0640196645a23e33891dc5953171e8e0aa3d664a458960e346c95095bd5e60f403334389427e58026b479a41c92629d41047881866409d155f4c7a4ccaebe32290c7fd42b30523fd365a0aa4647e60852a4cc7a7cb1de2b2f5dd0fb13755ad49d78727d3abdfc9bc0f1699ac215d33e04852af816a15211b231a64bf9a22fac18ae3a90a504369bc6dc88a849d8cee562a7dda32a079eecf14943c78b9e426dfa447b523f7451f0a649bf86276d18d6ff3421286ad2e4bc4bedbcd41484e474eba87d174419ef4dfb2f965190ecd837060eeb033582bf16b83b185b7a458329d91597848c0d5b3c141ad8857e634ee3f37883f503b7cf7ba723e7e0d36b6184e812d912c827aab509921bd99f0bb299bbbb4783ff834ae9097689747148b5d84eeffd5ac2227f1099ab60f3244b8de0a0d7c1ec798635fb6a3a45e807b145ddecf01942d061ff6825bce4ca2afcc29d720eda5abac286e0642b583e2f51bddbcca49c0d3e1c37bfe66df56aa42f59bfa2892c19e052f9b661fd84bf5056311495ef9b4b9f1a4c52671b0ef5843aa937cc9bd6fd89335d8781b3954a826657ab0aec2b2b35c99f58a9c190f9d63f7607c8d045da09bec66bc1b1333084bced4c92a80dcd074ff51302da8358451e71394ca9ea1fef026a7b070899bebe3b45ae11a0a8ccb61b46f1f81b73964d88d018f24cd76880e834b57d08f722d882e82737d7cdfcc14b2c3dcac0ca0b88f03221a487d0c052d75901d7dee0ffeec11771ff1c5db961307a0851abd5c2030029041579289d19893637648a52bbf9a636390a2e0c4971a766b8f013a815cf16e440f48b62095f87b0ced8689cf037e6a8a30183a54ea4eea5cf724074ab453defc87f93093065d41a6c2c7b6741308a3e99f2e6b1b031d5d3206adb91a151b2f382291e7111afa8eb92572ebfcba4327cd2444c7ff23ddb6330ed225ddb82686eaa4fc75697ed03f4ceb68abcb46f210403703b4d7097f65a876d2b5bf55667fae1c1cda0247e5961a754b9167cfa74ca89d7774a9f1415ae31479fa0e3877d10b855ff43d2d45508484b4bd2ff348ff6ca5d6d9f06ecd2e8eaff3c9f1e8fe169d76b590038cfa5f7781b7794de906d751dca21af24da422554317e3081dcc6f81d70ea1f833c2047223369f74007963a0229bcfda4aa64c54a523d0fc12f489a29b19e230ff141130dece7f48b81209bcc63cdae3a30fa4cca60e4422bfbfa70545e4907a4d1ffd7bf35fbb4e5e40b162ea87cfddb52d4f4b4178d7e9b9cbe7aef71c4c33b4667d14d5aa0c3a9529790e072425141739f01015f4bf8eac866dfeee11e972ac4c4bbd75c35508d3d40443b5edbd494a414c3db2cabe560e3c8e0b69cac453dc381bcbc84e1eaac5b977c80d15d093f3ebabbd8b253beaab7a3bc8715ae74c3c271ad2fe4dcda3359ef281b94712a899c73bdb209ec35a92eaa97bf9aa347a8c5b33eaa9c327d13cb7d2e0c8f69260788b4c90a42aecfe9fd01a6b1c7b4418e3744bd3c5cdb2ceecd227519be29b6d59e73123f4db6f034d8d7af3c4ef1257e9cdf2a3253496fe854176fc2018f8ae44b1d7eddcea6e37d7bc3424054348df1019a0c149941e430fd037c7f70abf268d55bf8295b0bbdc7f61d1f3b97d11a0754991c594e6a497841c2f7851d7e0e44d2ad10c15102c682b036e8857bd45bb0d9346dd979ec3c30c17109d162865d4c097a843e17d0e0a5bb1d08c3ce581c3a78ce80e05693ed25eb2262d39d4e5c8703a6b2279816833c6f5f19a59f527ea8d81a5d0307622f52dd2475f0d385a0b2af35b28a5242b85cabc89977e2fb19079d9132643cb690a4da32ae07fae823df9f204a9bd5f827c37bb65effca2f9d9460fa5c1db3692bca5eb79b8e39024365a3d58604cc0dbeb46bdddacb0901fc8b2a96cb6d8b20a624c4cfa20ca9de08025185ba297ee267efc9bdeecb1b01b84a9a42959a55637573daf0e10c71f359684336ee3d92d9d3b0f7e520ed59803f2e992c7e3b83425bc55e301f38e89585b47c19e37e965e3b78b0dbfca913308dff85e5bafdb9458e57b35bf34c431a0e8cab25fececdbc18282b31d5681a6a2b3f3bd129ba39dcc6c4b0d14bb140cc237f1f6d82987dc52f79e46611d498607992eed4f40cd85bcfe5d3f03f8bf7f0a3e247e92bac4ef05cf7b9bd13671f6ab075775b1d1ecfb2cfe59ceff3e853c79fbd2c517c6f002217846dbaf93aa44015f7615bdccf8db094836af847304cd35ecc4f2cc31e716203d36e1b4eb12cbdd615e740f57ae19631089393f97f3c239b990ee858d549b0c9d4cf5c8f3cafe176cdc59020565bec06235cf7ca6e34411930ff635ce839254d628581b2a8c0c38190bd00633b08cfc890e36d0eef070065cda1bb6bcbe27387249d0d6c5e2a0e142293a65c36b7f6368f8020ae0e289e24d91d04c389a4acb30a1af5ac5780d11b1016a74a9810a1ed053b97a146041cd3008b23fa74c5f7a4ccd1c00ce3825ac388083bc6c102c73d614cdbeb2f42a6a55c400fa6451faeee801ccc75ab6043a17d26b5b2a5988b211e68c38e75fd7ca6c9effb9934efa0688b02a5b3b2306ff2088bbd41c302fd4802a6d08e968900d719ae137364e610fd03d274ade682bb8c36e69c2fca80a0b4e0f7e40c1246dd70754b99db57bd99f2ecc12d0bec6a553b292a414c859bea5594176d648a24d3b115fe003c064e83af81e9bbf7948dc1d57a3b5b71104164efac2a110ffbbb0439356633052f48c784346ece3817f1039b80647d18e6ec98984bf44f0a062c321065a84ddfcb292fe6004d7efbc91fe0d8cf1bb2af18ed2a109dfb0c022e4aea395e4704e4dd71e452e4fa5c850ad6333b6c3d096f8dc721bd02fce0f8f579181f4fa1ebaa5d1f3e4ffe4d4984fe5fd0a63b31fb0d5f9aadf691dc1018c8c57ed05c9315748051a0a35c504e3ba8e028abe29b09a5c311a675195c5e56f48e63df11760e45cf8822772c78b8a526f702a3c5fe92204bc0a5f6c0f4020095d726add42012487ecadd987eae0b4b2b8cf742e7d068a8ab0a7d8f9fccb5056fa3fa12678a96a04ca7b36ec35f00a818ca3adb1261cacfb9b6e3070a8a20ec4467ec9e24a6fe69e27255385db768c23ca9911a10866bade6c589d017c8683d744b8c9c9a68bd4262a7b66d57a8738bb9f7a2ffd5f5d8a43ba73f53330807dd200a2921d822789ae83e2a8ca62fadb4c2e1dc7ae65eba3ffd9d3a754651f94b9c1b3c00ed1798c541f15e465a00693f23039d3aa2e5fe22624345bdd01eeb57bd8c74a9b34ff574a1fc4da8119788679999d09ee703ddbd95224eb5def3f1843fb5b3292706957e7bbab66356e95931d95f51fbe74d3cdf4886c593c40853d7f7ddac5ee3c594e73feaaf36139d69bd60d978a3c489e2b7e0f9ebec01422c81489823b122d3699d985b62f89235807745cfa6029e14cc59b339ffc615a3dd97212991547935e53fb5daa3e6e98f28077f0ff42374b0c6c8ea8337463031c37b090a1a1665aa61b36b70c8669144d44497c976a5b6ebb542de4d0d5a74c51cfda08db8b8ede621def2bf56b13cfeff9c6af1efa35d239388ec4d1dc6b6b72f996fd72b01d12963d", 0x1000}, {&(0x7f00000007c0)="16ee4048a013c9fa6bc755a208fa1da89aa3a990a7f6b551402e2f0b5c95b822955fb4f0ab4679e6543b575ff0e61cc1ceba31d99a6b283c33ee5ebe8bb2f798523a03b890c5a72f12f66306613459d67b96", 0x52}, {&(0x7f0000000840)}], 0xa, &(0x7f0000001980)=[@dontfrag={{0x14, 0x29, 0x3e, 0xffffffc0}}, @rthdrdstopts={{0x48, 0x29, 0x37, {0x87, 0x6, '\x00', [@enc_lim={0x4, 0x1, 0x1}, @calipso={0x7, 0x20, {0x3, 0x6, 0x5, 0x8, [0xfff, 0x9, 0x2]}}, @padn={0x1, 0x5, [0x0, 0x0, 0x0, 0x0, 0x0]}, @ra={0x5, 0x2, 0x9}]}}}], 0x60}}], 0x1, 0x24000084)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x28011, r1, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder1\x00', 0x800, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000940)={0x54, 0x0, &(0x7f00000002c0)=[@increfs={0x40046304, 0x3}, @decrefs={0x40046307, 0x1}, @transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x60, 0x18, &(0x7f0000000080)={@ptr={0x70742a85, 0x0, &(0x7f00000001c0)=""/202, 0xca, 0x2, 0x11}, @fda={0x66646185, 0x3, 0x0, 0x25}, @fd}, &(0x7f0000000000)={0x0, 0x28, 0x48}}}], 0x0, 0x0, 0x0})

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 30, 9]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/custom0\x00', 0x1003, 0x0)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
close(r1)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @multicast1}, 0x2}}, 0x2e)
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000002700))
r2 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000840)=ANY=[@ANYBLOB="1201000000000040f30455070000000000010902240001000040b109040000010300010009210101000122050009050003ff030c0000ebbac564734796af53f8a5fcbfe39cd1c81963ccf220498f4b260ef6453e08b2e31f03f1f8612ec32fabea6d6d70"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000340)={0x2c, &(0x7f0000000040)=ANY=[], 0x0, 0x0, 0x0, 0x0}, 0x0)
r3 = syz_open_dev$hidraw(&(0x7f0000000240), 0x10007f, 0x10100)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f00000003c0), r4)
sendmsg$ETHTOOL_MSG_TSINFO_GET(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000500)=ANY=[@ANYBLOB="edfa5358e1cb95f584dedf9479e1337d7c", @ANYBLOB="c5153284fbedf3cf903a41a14adf070731125250c271a679984b55ee432d58", @ANYBLOB="010028bd7000fcdbdf25190000002000018008000300060000001400020076657468315f6d616376746170000000", @ANYRES16=r0, @ANYRES16=r1], 0x34}, 0x1, 0x0, 0x0, 0x20008810}, 0x91)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r3, 0x81f8943c, 0x0)
r5 = socket$inet(0xa, 0x801, 0x6)
r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
ioctl$KVM_GET_PIT(0xffffffffffffffff, 0xc048ae65, &(0x7f0000000280))
accept4(r5, 0x0, 0x0, 0x0)
r8 = pidfd_getfd(0xffffffffffffffff, r0, 0x0)
write$P9_RXATTRCREATE(r8, &(0x7f0000000100)={0x7, 0x21, 0x1}, 0x7)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x138a, 0x1000000003})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
r9 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r9, &(0x7f0000000440)=@name={0x1e, 0x2, 0x2, {{}, 0x2}}, 0x6f)
bind$tipc(r9, &(0x7f0000000080)=@nameseq={0x1e, 0x1, 0x1, {0x41, 0x1, 0xfffffffd}}, 0x10)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
socket(0x840000000002, 0x3, 0xff)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)
executing program 3:
mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x1, 0x40010, 0xffffffffffffffff, 0x0) (async)
r0 = socket$netlink(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0xc, &(0x7f00000000c0)=0x8004, 0x4) (async)
sendmsg$netlink(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)=[{&(0x7f0000000100)={0x18, 0x56, 0x601, 0x0, 0x0, "", [@typed={0x7, 0x0, 0x0, 0x0, @str='\x00\x00\x00'}]}, 0x18}], 0x1, 0x0, 0x0, 0xea}, 0x0) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000200)='fdinfo/3\x00')
read$FUSE(r2, &(0x7f0000000a40)={0x2020}, 0xc7) (async)
ioctl$SIOCSIFHWADDR(r2, 0x8924, &(0x7f0000000000)={'rose0\x00', @local}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000fc0)=[@reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})

program crashed: WARNING in shmem_rmdir
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <3>
bisect: split chunk #0 of len 3 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-socket$netlink-setsockopt$netlink_NETLINK_DROP_MEMBERSHIP-sendmsg$netlink-openat$binderfs-syz_open_procfs-read$FUSE-ioctl$SIOCSIFHWADDR-ioctl$BINDER_WRITE_READ
detailed listing:
executing program 3:
mmap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x1, 0x40010, 0xffffffffffffffff, 0x0) (async)
r0 = socket$netlink(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_DROP_MEMBERSHIP(r0, 0x10e, 0xc, &(0x7f00000000c0)=0x8004, 0x4) (async)
sendmsg$netlink(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)=[{&(0x7f0000000100)={0x18, 0x56, 0x601, 0x0, 0x0, "", [@typed={0x7, 0x0, 0x0, 0x0, @str='\x00\x00\x00'}]}, 0x18}], 0x1, 0x0, 0x0, 0xea}, 0x0) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000200)='fdinfo/3\x00')
read$FUSE(r2, &(0x7f0000000a40)={0x2020}, 0xc7) (async)
ioctl$SIOCSIFHWADDR(r2, 0x8924, &(0x7f0000000000)={'rose0\x00', @local}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x44, 0x0, &(0x7f0000000fc0)=[@reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 30]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/custom0\x00', 0x1003, 0x0)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
close(r1)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @multicast1}, 0x2}}, 0x2e)
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000002700))
r2 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000840)=ANY=[@ANYBLOB="1201000000000040f30455070000000000010902240001000040b109040000010300010009210101000122050009050003ff030c0000ebbac564734796af53f8a5fcbfe39cd1c81963ccf220498f4b260ef6453e08b2e31f03f1f8612ec32fabea6d6d70"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000340)={0x2c, &(0x7f0000000040)=ANY=[], 0x0, 0x0, 0x0, 0x0}, 0x0)
r3 = syz_open_dev$hidraw(&(0x7f0000000240), 0x10007f, 0x10100)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f00000003c0), r4)
sendmsg$ETHTOOL_MSG_TSINFO_GET(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000500)=ANY=[@ANYBLOB="edfa5358e1cb95f584dedf9479e1337d7c", @ANYBLOB="c5153284fbedf3cf903a41a14adf070731125250c271a679984b55ee432d58", @ANYBLOB="010028bd7000fcdbdf25190000002000018008000300060000001400020076657468315f6d616376746170000000", @ANYRES16=r0, @ANYRES16=r1], 0x34}, 0x1, 0x0, 0x0, 0x20008810}, 0x91)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r3, 0x81f8943c, 0x0)
r5 = socket$inet(0xa, 0x801, 0x6)
r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
ioctl$KVM_GET_PIT(0xffffffffffffffff, 0xc048ae65, &(0x7f0000000280))
accept4(r5, 0x0, 0x0, 0x0)
r8 = pidfd_getfd(0xffffffffffffffff, r0, 0x0)
write$P9_RXATTRCREATE(r8, &(0x7f0000000100)={0x7, 0x21, 0x1}, 0x7)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x138a, 0x1000000003})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
r9 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r9, &(0x7f0000000440)=@name={0x1e, 0x2, 0x2, {{}, 0x2}}, 0x6f)
bind$tipc(r9, &(0x7f0000000080)=@nameseq={0x1e, 0x1, 0x1, {0x41, 0x1, 0xfffffffd}}, 0x10)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
prctl$PR_SET_CHILD_SUBREAPER(0x24, 0x1)
socket(0x840000000002, 0x3, 0xff)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)

program crashed: WARNING in shmem_rmdir
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <2>
bisect: split chunk #0 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup-syz_open_dev$tty1-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_ADD_IFACE-setsockopt$SO_TIMESTAMPING-ioctl$TIOCSIG
detailed listing:
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)

program crashed: WARNING in shmem_rmdir
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <1>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 1 programs left: 

executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)


bisect: trying to concatenate
bisect: concatenate 1 entries
testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup-syz_open_dev$tty1-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_ADD_IFACE-setsockopt$SO_TIMESTAMPING-ioctl$TIOCSIG
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
r6 = syz_open_dev$tty1(0xc, 0x4, 0x2)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r7)
sendmsg$IEEE802154_ADD_IFACE(r7, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r8, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)
ioctl$TIOCSIG(r6, 0x40045436, 0x6)

program crashed: WARNING in shmem_rmdir
bisect: concatenation succeeded
found reproducer with 30 syscalls
minimizing guilty program
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup-syz_open_dev$tty1-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_ADD_IFACE-setsockopt$SO_TIMESTAMPING
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
r3 = openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r4, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r4, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r4, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r5, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r4, r5, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
syz_open_dev$tty1(0xc, 0x4, 0x2)
r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r6)
sendmsg$IEEE802154_ADD_IFACE(r6, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r7, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)
setsockopt$SO_TIMESTAMPING(r3, 0x1, 0x41, &(0x7f00000001c0)=0x2000, 0x4)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup-syz_open_dev$tty1-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_ADD_IFACE
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r3, r4, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
syz_open_dev$tty1(0xc, 0x4, 0x2)
r5 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r5)
sendmsg$IEEE802154_ADD_IFACE(r5, &(0x7f0000001c00)={0x0, 0x0, &(0x7f0000001bc0)={&(0x7f0000000600)={0x2c, r6, 0x1, 0x70bd29, 0x25dfdbfc, {}, [@IEEE802154_ATTR_PHY_NAME={0x9, 0x1f, 'phy1\x00'}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan3\x00'}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40060}, 0x10)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup-syz_open_dev$tty1-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r3, r4, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
syz_open_dev$tty1(0xc, 0x4, 0x2)
r5 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ieee802154(&(0x7f0000001b00), r5)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup-syz_open_dev$tty1-syz_init_net_socket$nl_generic
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r3, r4, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
syz_open_dev$tty1(0xc, 0x4, 0x2)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup-syz_open_dev$tty1
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r3, r4, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))
syz_open_dev$tty1(0xc, 0x4, 0x2)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile-io_setup
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r3, r4, &(0x7f0000000100)=0x10, 0x746)
io_setup(0x7, &(0x7f0000000140))

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script-sendfile
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)
sendfile(r3, r4, &(0x7f0000000100)=0x10, 0x746)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro-write$binfmt_script
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6-openat$cgroup_ro
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE-connect$inet6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int-setsockopt$inet6_tcp_TCP_REPAIR_QUEUE
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r3, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp-setsockopt$inet6_tcp_int
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r3, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup-socket$inet6_tcp
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))
socket$inet6_tcp(0xa, 0x1, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect-io_setup
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
io_setup(0xe4, &(0x7f0000000000))

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup-syz_usb_connect
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat-syz_io_uring_setup
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)
syz_io_uring_setup(0x1e72, 0x0, 0x0, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3-openat
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
r2 = dup3(r1, r0, 0x0)
openat(r2, &(0x7f00000000c0)='./file0\x00', 0x600900, 0x70)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts-dup3
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
r1 = syz_open_pts(r0, 0x0)
dup3(r1, r0, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS-syz_open_pts
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})
syz_open_pts(r0, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx-ioctl$TCSETS
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)
ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, 0x83, "00000000000000000000ffff00"})

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay-openat$ptmx
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0x482, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse-mount$overlay
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir-mount$fuse
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./bus/file0\x00', 0x0, 0x80, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat-mkdir
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
mkdir(&(0x7f0000000040)='./file1\x00', 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir-mkdirat
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs-chdir
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir-mount$incfs
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mkdir
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)

program did not crash
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-mount$incfs
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder1\x00', 0x1002, 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program did not crash
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(0x0, 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program did not crash
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(0x0, &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program did not crash
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', 0x0, &(0x7f0000000840), 0x1004002, 0x0)

program did not crash
testing program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', 0x0, 0x1004002, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=44.628664116s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
simplifying C reproducer
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program did not crash
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program did not crash
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program did not crash
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing compiled C program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
program crashed: WARNING in shmem_rmdir
testing program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: WARNING in shmem_rmdir
validation run: crashed=true
testing program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: WARNING in shmem_rmdir
validation run: crashed=true
testing program (duration=44.628664116s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$incfs
detailed listing:
executing program 0:
mkdir(&(0x7f00000000c0)='./bus\x00', 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: WARNING in shmem_rmdir
validation run: crashed=true
reproducing took 2h9m57.95759505s
repro crashed as (corrupted=false):
veth0_vlan: entered promiscuous mode
veth1_macvtap: entered promiscuous mode
------------[ cut here ]------------
WARNING: CPU: 0 PID: 374 at fs/inode.c:340 drop_nlink+0xce/0x110 fs/inode.c:340
Modules linked in:
CPU: 0 UID: 0 PID: 374 Comm: syz-executor Not tainted syzkaller #0 0b5ffdee5fcd2f7749818d1ff954e9c21353764e
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:drop_nlink+0xce/0x110 fs/inode.c:340
Code: 04 00 00 be 08 00 00 00 e8 cf 54 ee ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 32 e4 97 ff <0f> 0b eb 81 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 59 ff ff ff 4c
RSP: 0018:ffffc9000128fc60 EFLAGS: 00010293
RAX: ffffffff81ee1a7e RBX: ffff88811628c070 RCX: ffff888113068000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000128fc88 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000251f7c R12: dffffc0000000000
R13: 1ffff11022c51817 R14: ffff88811628c0b8 R15: 0000000000000000
FS:  00005555697af500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555697d24e8 CR3: 0000000114336000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 shmem_rmdir+0x5f/0x90 mm/shmem.c:3733
 vfs_rmdir+0x3dd/0x560 fs/namei.c:4340
 incfs_kill_sb+0x109/0x230 fs/incfs/vfs.c:1968
 deactivate_locked_super+0xd5/0x2a0 fs/super.c:476
 deactivate_super+0xb8/0xe0 fs/super.c:509
 cleanup_mnt+0x3f1/0x480 fs/namespace.c:1370
 __cleanup_mnt+0x1d/0x40 fs/namespace.c:1377
 task_work_run+0x1e0/0x250 kernel/task_work.c:240
 resume_user_mode_work+0x36/0x50 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x64/0xb0 kernel/entry/common.c:218
 do_syscall_64+0x64/0xf0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f3e89b902f7
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd6099f708 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3e89b902f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd6099f7c0
RBP: 00007ffd6099f7c0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd609a0850
R13: 00007f3e89c11d7d R14: 00000000000060dc R15: 00007ffd609a0890
 </TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic/atomic-instrumented.h:453 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x24/0x70 fs/inode.c:452
Write of size 4 at addr 0000000000000168 by task syz-executor/374

CPU: 1 UID: 0 PID: 374 Comm: syz-executor Tainted: G        W          syzkaller #0 0b5ffdee5fcd2f7749818d1ff954e9c21353764e
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack+0x21/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0x10c/0x190 lib/dump_stack.c:120
 print_report+0x3d/0x70 mm/kasan/report.c:484
 kasan_report+0x163/0x1a0 mm/kasan/report.c:594
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x299/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x18/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_inc_return include/linux/atomic/atomic-instrumented.h:453 [inline]
 ihold+0x24/0x70 fs/inode.c:452
 d_delete_notify include/linux/fsnotify.h:357 [inline]
 vfs_rmdir+0x26a/0x560 fs/namei.c:4353
 incfs_kill_sb+0x109/0x230 fs/incfs/vfs.c:1968
 deactivate_locked_super+0xd5/0x2a0 fs/super.c:476
 deactivate_super+0xb8/0xe0 fs/super.c:509
 cleanup_mnt+0x3f1/0x480 fs/namespace.c:1370
 __cleanup_mnt+0x1d/0x40 fs/namespace.c:1377
 task_work_run+0x1e0/0x250 kernel/task_work.c:240
 resume_user_mode_work+0x36/0x50 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x64/0xb0 kernel/entry/common.c:218
 do_syscall_64+0x64/0xf0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f3e89b902f7
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd6099f708 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3e89b902f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd6099f7c0
RBP: 00007ffd6099f7c0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd609a0850
R13: 00007f3e89c11d7d R14: 00000000000060dc R15: 00007ffd609a0890
 </TASK>
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000168
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 80000001164e8067 P4D 80000001164e8067 PUD 0 
Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 374 Comm: syz-executor Tainted: G    B   W          syzkaller #0 0b5ffdee5fcd2f7749818d1ff954e9c21353764e
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_add_return include/linux/atomic/atomic-arch-fallback.h:564 [inline]
RIP: 0010:raw_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:1020 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:454 [inline]
RIP: 0010:ihold+0x2a/0x70 fs/inode.c:452
Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 1d db 97 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 8c 4b ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 2d
RSP: 0018:ffffc9000128fca0 EFLAGS: 00010246
RAX: ffff888113068000 RBX: 0000000000000000 RCX: ffff888113068000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000128fcb0 R08: ffffffff88972947 R09: 1ffffffff112e528
R10: dffffc0000000000 R11: fffffbfff112e529 R12: ffff88811628c07c
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  00005555697af500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000168 CR3: 0000000114336000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 d_delete_notify include/linux/fsnotify.h:357 [inline]
 vfs_rmdir+0x26a/0x560 fs/namei.c:4353
 incfs_kill_sb+0x109/0x230 fs/incfs/vfs.c:1968
 deactivate_locked_super+0xd5/0x2a0 fs/super.c:476
 deactivate_super+0xb8/0xe0 fs/super.c:509
 cleanup_mnt+0x3f1/0x480 fs/namespace.c:1370
 __cleanup_mnt+0x1d/0x40 fs/namespace.c:1377
 task_work_run+0x1e0/0x250 kernel/task_work.c:240
 resume_user_mode_work+0x36/0x50 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x64/0xb0 kernel/entry/common.c:218
 do_syscall_64+0x64/0xf0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f3e89b902f7
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd6099f708 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3e89b902f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd6099f7c0
RBP: 00007ffd6099f7c0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd609a0850
R13: 00007f3e89c11d7d R14: 00000000000060dc R15: 00007ffd609a0890
 </TASK>
Modules linked in:
CR2: 0000000000000168
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_add_return include/linux/atomic/atomic-arch-fallback.h:564 [inline]
RIP: 0010:raw_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:1020 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:454 [inline]
RIP: 0010:ihold+0x2a/0x70 fs/inode.c:452
Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 1d db 97 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 8c 4b ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 2d
RSP: 0018:ffffc9000128fca0 EFLAGS: 00010246
RAX: ffff888113068000 RBX: 0000000000000000 RCX: ffff888113068000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000128fcb0 R08: ffffffff88972947 R09: 1ffffffff112e528
R10: dffffc0000000000 R11: fffffbfff112e529 R12: ffff88811628c07c
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  00005555697af500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000168 CR3: 0000000114336000 CR4: 00000000003526b0
----------------
Code disassembly (best guess):
   0:	f3 0f 1e fa          	endbr64
   4:	55                   	push   %rbp
   5:	48 89 e5             	mov    %rsp,%rbp
   8:	41 56                	push   %r14
   a:	53                   	push   %rbx
   b:	48 89 fb             	mov    %rdi,%rbx
   e:	e8 1d db 97 ff       	call   0xff97db30
  13:	48 8d bb 68 01 00 00 	lea    0x168(%rbx),%rdi
  1a:	be 04 00 00 00       	mov    $0x4,%esi
  1f:	e8 8c 4b ee ff       	call   0xffee4bb0
  24:	41 be 01 00 00 00    	mov    $0x1,%r14d
* 2a:	f0 44 0f c1 b3 68 01 	lock xadd %r14d,0x168(%rbx) <-- trapping instruction
  31:	00 00
  33:	41 ff c6             	inc    %r14d
  36:	bf 02 00 00 00       	mov    $0x2,%edi
  3b:	44 89 f6             	mov    %r14d,%esi
  3e:	e8                   	.byte 0xe8
  3f:	2d                   	.byte 0x2d

final repro crashed as (corrupted=false):
veth0_vlan: entered promiscuous mode
veth1_macvtap: entered promiscuous mode
------------[ cut here ]------------
WARNING: CPU: 0 PID: 374 at fs/inode.c:340 drop_nlink+0xce/0x110 fs/inode.c:340
Modules linked in:
CPU: 0 UID: 0 PID: 374 Comm: syz-executor Not tainted syzkaller #0 0b5ffdee5fcd2f7749818d1ff954e9c21353764e
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:drop_nlink+0xce/0x110 fs/inode.c:340
Code: 04 00 00 be 08 00 00 00 e8 cf 54 ee ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 32 e4 97 ff <0f> 0b eb 81 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 59 ff ff ff 4c
RSP: 0018:ffffc9000128fc60 EFLAGS: 00010293
RAX: ffffffff81ee1a7e RBX: ffff88811628c070 RCX: ffff888113068000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000128fc88 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000251f7c R12: dffffc0000000000
R13: 1ffff11022c51817 R14: ffff88811628c0b8 R15: 0000000000000000
FS:  00005555697af500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555697d24e8 CR3: 0000000114336000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 shmem_rmdir+0x5f/0x90 mm/shmem.c:3733
 vfs_rmdir+0x3dd/0x560 fs/namei.c:4340
 incfs_kill_sb+0x109/0x230 fs/incfs/vfs.c:1968
 deactivate_locked_super+0xd5/0x2a0 fs/super.c:476
 deactivate_super+0xb8/0xe0 fs/super.c:509
 cleanup_mnt+0x3f1/0x480 fs/namespace.c:1370
 __cleanup_mnt+0x1d/0x40 fs/namespace.c:1377
 task_work_run+0x1e0/0x250 kernel/task_work.c:240
 resume_user_mode_work+0x36/0x50 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x64/0xb0 kernel/entry/common.c:218
 do_syscall_64+0x64/0xf0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f3e89b902f7
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd6099f708 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3e89b902f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd6099f7c0
RBP: 00007ffd6099f7c0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd609a0850
R13: 00007f3e89c11d7d R14: 00000000000060dc R15: 00007ffd609a0890
 </TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic/atomic-instrumented.h:453 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x24/0x70 fs/inode.c:452
Write of size 4 at addr 0000000000000168 by task syz-executor/374

CPU: 1 UID: 0 PID: 374 Comm: syz-executor Tainted: G        W          syzkaller #0 0b5ffdee5fcd2f7749818d1ff954e9c21353764e
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 __dump_stack+0x21/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0x10c/0x190 lib/dump_stack.c:120
 print_report+0x3d/0x70 mm/kasan/report.c:484
 kasan_report+0x163/0x1a0 mm/kasan/report.c:594
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x299/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x18/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_inc_return include/linux/atomic/atomic-instrumented.h:453 [inline]
 ihold+0x24/0x70 fs/inode.c:452
 d_delete_notify include/linux/fsnotify.h:357 [inline]
 vfs_rmdir+0x26a/0x560 fs/namei.c:4353
 incfs_kill_sb+0x109/0x230 fs/incfs/vfs.c:1968
 deactivate_locked_super+0xd5/0x2a0 fs/super.c:476
 deactivate_super+0xb8/0xe0 fs/super.c:509
 cleanup_mnt+0x3f1/0x480 fs/namespace.c:1370
 __cleanup_mnt+0x1d/0x40 fs/namespace.c:1377
 task_work_run+0x1e0/0x250 kernel/task_work.c:240
 resume_user_mode_work+0x36/0x50 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x64/0xb0 kernel/entry/common.c:218
 do_syscall_64+0x64/0xf0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f3e89b902f7
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd6099f708 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3e89b902f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd6099f7c0
RBP: 00007ffd6099f7c0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd609a0850
R13: 00007f3e89c11d7d R14: 00000000000060dc R15: 00007ffd609a0890
 </TASK>
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000168
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 80000001164e8067 P4D 80000001164e8067 PUD 0 
Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 374 Comm: syz-executor Tainted: G    B   W          syzkaller #0 0b5ffdee5fcd2f7749818d1ff954e9c21353764e
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_add_return include/linux/atomic/atomic-arch-fallback.h:564 [inline]
RIP: 0010:raw_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:1020 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:454 [inline]
RIP: 0010:ihold+0x2a/0x70 fs/inode.c:452
Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 1d db 97 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 8c 4b ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 2d
RSP: 0018:ffffc9000128fca0 EFLAGS: 00010246
RAX: ffff888113068000 RBX: 0000000000000000 RCX: ffff888113068000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000128fcb0 R08: ffffffff88972947 R09: 1ffffffff112e528
R10: dffffc0000000000 R11: fffffbfff112e529 R12: ffff88811628c07c
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  00005555697af500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000168 CR3: 0000000114336000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 d_delete_notify include/linux/fsnotify.h:357 [inline]
 vfs_rmdir+0x26a/0x560 fs/namei.c:4353
 incfs_kill_sb+0x109/0x230 fs/incfs/vfs.c:1968
 deactivate_locked_super+0xd5/0x2a0 fs/super.c:476
 deactivate_super+0xb8/0xe0 fs/super.c:509
 cleanup_mnt+0x3f1/0x480 fs/namespace.c:1370
 __cleanup_mnt+0x1d/0x40 fs/namespace.c:1377
 task_work_run+0x1e0/0x250 kernel/task_work.c:240
 resume_user_mode_work+0x36/0x50 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x64/0xb0 kernel/entry/common.c:218
 do_syscall_64+0x64/0xf0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f3e89b902f7
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd6099f708 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3e89b902f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd6099f7c0
RBP: 00007ffd6099f7c0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd609a0850
R13: 00007f3e89c11d7d R14: 00000000000060dc R15: 00007ffd609a0890
 </TASK>
Modules linked in:
CR2: 0000000000000168
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_add_return include/linux/atomic/atomic-arch-fallback.h:564 [inline]
RIP: 0010:raw_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:1020 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:454 [inline]
RIP: 0010:ihold+0x2a/0x70 fs/inode.c:452
Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 1d db 97 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 8c 4b ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 2d
RSP: 0018:ffffc9000128fca0 EFLAGS: 00010246
RAX: ffff888113068000 RBX: 0000000000000000 RCX: ffff888113068000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000128fcb0 R08: ffffffff88972947 R09: 1ffffffff112e528
R10: dffffc0000000000 R11: fffffbfff112e529 R12: ffff88811628c07c
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  00005555697af500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000168 CR3: 0000000114336000 CR4: 00000000003526b0
----------------
Code disassembly (best guess):
   0:	f3 0f 1e fa          	endbr64
   4:	55                   	push   %rbp
   5:	48 89 e5             	mov    %rsp,%rbp
   8:	41 56                	push   %r14
   a:	53                   	push   %rbx
   b:	48 89 fb             	mov    %rdi,%rbx
   e:	e8 1d db 97 ff       	call   0xff97db30
  13:	48 8d bb 68 01 00 00 	lea    0x168(%rbx),%rdi
  1a:	be 04 00 00 00       	mov    $0x4,%esi
  1f:	e8 8c 4b ee ff       	call   0xffee4bb0
  24:	41 be 01 00 00 00    	mov    $0x1,%r14d
* 2a:	f0 44 0f c1 b3 68 01 	lock xadd %r14d,0x168(%rbx) <-- trapping instruction
  31:	00 00
  33:	41 ff c6             	inc    %r14d
  36:	bf 02 00 00 00       	mov    $0x2,%edi
  3b:	44 89 f6             	mov    %r14d,%esi
  3e:	e8                   	.byte 0xe8
  3f:	2d                   	.byte 0x2d