Extracting prog: 29m10.737682865s Minimizing prog: 42m46.581591743s Simplifying prog options: 0s Extracting C: 57.884394684s Simplifying C: 14m47.790701965s extracting reproducer from 31 programs testing a last program of every proc single: executing 6 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$vim2m-ioctl$vim2m_VIDIOC_REQBUFS-ioctl$vim2m_VIDIOC_QBUF-socket$kcm-socket$kcm-openat-mount$9p_fd-read$usbfs-sendmsg$NFQNL_MSG_VERDICT_BATCH-syz_open_dev$usbmon-ioctl$MON_IOCG_STATS-ioctl$IOMMU_IOAS_ALLOC-ioctl$IOMMU_TEST_OP_CREATE_ACCESS-openat$iommufd-ioctl$IOMMU_IOAS_ALLOC-ioctl$IOMMU_VFIO_IOAS$SET-accept4 detailed listing: executing program 0: r0 = syz_open_dev$vim2m(&(0x7f0000000140), 0x200000001000, 0x2) ioctl$vim2m_VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f00000000c0)={0x1, 0x2, 0x1}) ioctl$vim2m_VIDIOC_QBUF(r0, 0xc058560f, &(0x7f00000002c0)=@multiplanar_mmap={0x0, 0x2, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "fafc00"}, 0x0, 0x1, {0x0}}) socket$kcm(0x2, 0x1, 0x84) socket$kcm(0x10, 0x2, 0x0) r1 = openat(0xffffffffffffff9c, 0x0, 0x42, 0x0) mount$9p_fd(0x0, 0x0, 0x0, 0x1020010, 0x0) read$usbfs(0xffffffffffffffff, 0x0, 0x0) sendmsg$NFQNL_MSG_VERDICT_BATCH(r1, 0x0, 0x4) r2 = syz_open_dev$usbmon(&(0x7f0000000080), 0x0, 0x0) ioctl$MON_IOCG_STATS(r2, 0xc0109207, &(0x7f00000002c0)) ioctl$IOMMU_IOAS_ALLOC(0xffffffffffffffff, 0x3b81, 0x0) ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r1, 0x3ba0, 0x0) r3 = openat$iommufd(0xffffffffffffff9c, 0x0, 0x68200, 0x0) ioctl$IOMMU_IOAS_ALLOC(r3, 0x3b81, 0x0) ioctl$IOMMU_VFIO_IOAS$SET(r3, 0x3b88, 0x0) accept4(r1, 0x0, 0x0, 0x80800) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$sock_SIOCGIFINDEX-openat$vhost_vsock-ioctl$VHOST_SET_OWNER-ioctl$VHOST_SET_VRING_ADDR-timer_create-ioctl$VHOST_SET_MEM_TABLE-ioctl$VHOST_SET_VRING_ADDR-ioctl$VHOST_VSOCK_SET_RUNNING-ioctl$VHOST_VSOCK_SET_GUEST_CID-ioctl$VHOST_SET_MEM_TABLE-socket$vsock_stream-connect$vsock_stream-ioctl$VHOST_SET_VRING_ADDR-ioctl$VHOST_VSOCK_SET_RUNNING detailed listing: executing program 0: ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000140)={'syz_tun\x00'}) r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000002c0), 0x2, 0x0) ioctl$VHOST_SET_OWNER(r0, 0xaf01, 0x0) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000300)={0x1, 0x0, 0x0, &(0x7f0000000480)=""/74, 0x0}) timer_create(0x3, &(0x7f0000000080)={0x0, 0x40, 0x4, @thr={0x0, 0x0}}, 0x0) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000400)) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x0, 0x0, 0x0, &(0x7f0000000340)=""/185, &(0x7f0000000140)=""/92}) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f00000000c0)=0x1) ioctl$VHOST_VSOCK_SET_GUEST_CID(r0, 0x4008af60, &(0x7f0000000040)={@my=0x1}) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000100)={0x1, 0x0, [{0x0, 0x6e, &(0x7f0000001540)=""/110}]}) r1 = socket$vsock_stream(0x28, 0x1, 0x0) connect$vsock_stream(r1, &(0x7f0000000200)={0x28, 0x0, 0xffffffff, @my=0x1}, 0x10) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000080)=""/57, 0x0, &(0x7f0000000500)=""/4092}) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_icmp_raw-openat$kvm-getpid-syz_pidfd_open-pidfd_getfd-openat$tun-socket$kcm-mkdirat-mount$fuse-mount-chdir-open-mkdirat-mkdirat-socketpair$unix-ioctl$AUTOFS_IOC_PROTOSUBVER detailed listing: executing program 0: socket$inet_icmp_raw(0x2, 0x3, 0x1) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x901800, 0x0) r1 = getpid() r2 = syz_pidfd_open(r1, 0x0) pidfd_getfd(r2, r0, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f00000000c0), 0x48241, 0x0) socket$kcm(0x2, 0xa, 0x2) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mount$fuse(0x0, 0x0, 0x0, 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=0x0]) mount(0x0, &(0x7f00000001c0)='./file1\x00', &(0x7f0000000040)='autofs\x00', 0x0, &(0x7f0000000400)) chdir(&(0x7f0000000140)='./file1\x00') r3 = open(&(0x7f00000002c0)='.\x00', 0x80000, 0x12d) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file1/file0\x00', 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)) ioctl$AUTOFS_IOC_PROTOSUBVER(r3, 0x40049366, &(0x7f0000000180)) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs-prctl$PR_SCHED_CORE-getpid-syz_init_net_socket$bt_sco-syz_open_dev$sndmidi-pselect6-mq_timedreceive detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) getpid() syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) syz_open_dev$sndmidi(&(0x7f0000000100), 0x2, 0x141102) pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0xd0, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xa, 0x80000006, 0x400}, 0x0, 0x0) mq_timedreceive(r0, &(0x7f0000001140)=""/4127, 0x101f, 0x0, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$packet-setsockopt$packet_int-socket$netlink-write detailed listing: executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0xe, &(0x7f0000000000)=0x4800, 0x4) r1 = socket$netlink(0x10, 0x3, 0x4) write(r1, &(0x7f0000005c00)="2700000014000707030e0000120f0a0011000100f5fe004681000000078a151f75080039000500", 0x27) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$packet-setsockopt$packet_int-socket$netlink-write detailed listing: executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0xe, &(0x7f0000000000)=0x4800, 0x4) r1 = socket$netlink(0x10, 0x3, 0x4) write(r1, &(0x7f0000005c00)="2700000014000707030e0000120f0a0011000100f5fe004681000000078a151f75080039000500", 0x27) program did not crash single: failed to extract reproducer bisect: bisecting 31 programs with base timeout 30s testing program (duration=37s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [4, 4, 4, 4, 4, 4, 4, 12, 12, 13, 13, 13, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 14, 14, 17] detailed listing: executing program 3: rt_sigprocmask(0x0, &(0x7f0000000000)={[0xfffffffffffffffd]}, 0x0, 0x8) r0 = gettid() tkill(r0, 0x12) io_pgetevents(0x0, 0x7, 0x0, 0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000380)={[0x3]}, 0x8}) executing program 3: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000c40), r0) ioctl$sock_SIOCGIFINDEX_802154(r0, 0x8933, &(0x7f0000000cc0)={'wpan1\x00', 0x0}) sendmsg$NL802154_CMD_NEW_SEC_KEY(r0, &(0x7f0000000ec0)={0x0, 0x0, &(0x7f0000000e80)={&(0x7f0000000d00)={0x28, r1, 0x1, 0x70bd29, 0x25dfdbff, {}, [@NL802154_ATTR_SEC_KEY={0xc, 0x30, 0x0, 0x1, [@NL802154_KEY_ATTR_USAGE_FRAMES={0x5, 0x2, 0xf6}]}, @NL802154_ATTR_IFINDEX={0x8, 0x3, r2}]}, 0x28}, 0x1, 0x0, 0x0, 0xc1}, 0x0) executing program 3: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000240), r0) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000280)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_PROBE_MESH_LINK(r0, &(0x7f0000000cc0)={0x0, 0x0, &(0x7f0000000c80)={&(0x7f0000000540)=ANY=[@ANYBLOB='H\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="2b022cbd7000fcdbdf259200000008000300", @ANYRES32=r2, @ANYBLOB="2000330018b0030008021100000108021100000102e8823c12741308080049c00a000600"], 0x48}, 0x1, 0x0, 0x0, 0x11}, 0x24000800) executing program 3: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="140000001000010000000000000000000a00000a20000000000a01080000000000000000050000090900010073797a310000000054000000030a03000000000000000000050000030900010073797a31000000000900030073797a3200000000280004"], 0x9c}, 0x1, 0x0, 0x0, 0x24000144}, 0x20000050) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) sendmsg$IPCTNL_MSG_EXP_GET(r0, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4c0c5}, 0x0) executing program 3: r0 = inotify_init1(0x80000) inotify_add_watch(r0, &(0x7f0000000240)='.\x00', 0x60000726) r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x0, 0x51) ioctl$FS_IOC_FSSETXATTR(r1, 0x401c5820, &(0x7f0000000080)={0x8}) executing program 3: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0xe, &(0x7f0000000000)=0x4800, 0x4) r1 = socket$netlink(0x10, 0x3, 0x4) write(r1, &(0x7f0000005c00)="2700000014000707030e0000120f0a0011000100f5fe004681000000078a151f75080039000500", 0x27) executing program 32: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0xe, &(0x7f0000000000)=0x4800, 0x4) r1 = socket$netlink(0x10, 0x3, 0x4) write(r1, &(0x7f0000005c00)="2700000014000707030e0000120f0a0011000100f5fe004681000000078a151f75080039000500", 0x27) executing program 4: r0 = openat$kvm(0x0, &(0x7f0000000100), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = syz_kvm_setup_syzos_vm$x86(r1, &(0x7f0000c00000/0x400000)=nil) r3 = syz_kvm_add_vcpu$x86(r2, &(0x7f0000000140)={0x0, &(0x7f0000000180)=[@enable_nested={0x12c, 0x18}, @nested_create_vm={0x12d, 0x18}, @nested_load_syzos={0x136, 0x74, {0x0, 0x10, [@code={0xa, 0x1b, {"49bf563412efbeadde00"}}, @uexit={0x0, 0x18, 0x1}, @code={0xa, 0x21, {"4c89f848ba0001040000000000488902"}}]}}, @nested_vmlaunch={0x12f, 0x18}, @code={0xa, 0x1b, {"49bf0000000000000000"}}, @nested_vmresume={0x130, 0x18}], 0xef}) r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, 0xae04) r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x11, r3, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) syz_kvm_assert_syzos_uexit$x86(r3, r5, 0x100000000000001) ioctl$KVM_RUN(r3, 0xae80, 0x0) syz_kvm_assert_syzos_uexit$x86(r3, r5, 0x1deadbeef123456) ioctl$KVM_RUN(r3, 0xae80, 0x0) syz_kvm_assert_syzos_uexit$x86(r3, r5, 0xffffffffffffffff) executing program 4: r0 = socket$inet6_icmp(0xa, 0x2, 0x3a) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f00000002c0)=0x2848, 0x4) socket$packet(0x11, 0x2, 0x300) r1 = socket$inet_tcp(0x2, 0x1, 0x0) close_range(r1, r1, 0x0) r2 = socket$inet6(0xa, 0x400000000001, 0x0) bind$inet6(r2, &(0x7f0000fa0fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) sendto$inet6(r2, 0x0, 0x0, 0x24000088, &(0x7f00000001c0)={0xa, 0x4e20, 0x8, @loopback, 0xfffffffe}, 0x1c) sendto$inet6(r2, &(0x7f0000000000)="8d", 0x1, 0x0, 0x0, 0x0) setsockopt$sock_int(r2, 0x1, 0x21, &(0x7f0000000180)=0x2, 0x4) sendto$inet(r1, &(0x7f0000000000), 0xffffffffffffff94, 0x0, 0x0, 0x0) recvfrom$inet(r1, 0x0, 0x0, 0x720, 0x0, 0x0) executing program 4: socket(0x10, 0x803, 0x0) socket$packet(0x11, 0x3, 0x300) r0 = socket$vsock_stream(0x28, 0x1, 0x0) bind$vsock_stream(r0, &(0x7f0000000440), 0x10) listen(r0, 0x0) r1 = socket$vsock_stream(0x28, 0x1, 0x0) accept4$vsock_stream(r0, &(0x7f0000000040)={0x28, 0x0, 0x0, @my=0x1}, 0x10, 0x0) connect$vsock_stream(r1, &(0x7f0000000000)={0x28, 0x0, 0x0, @local}, 0x10) mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x11e) r2 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) openat$cgroup_subtree(r2, &(0x7f0000000200), 0x2, 0x0) openat$cgroup_subtree(r2, &(0x7f0000000080), 0x2, 0x0) pselect6(0x40, &(0x7f00000001c0)={0x0, 0x200, 0x3, 0xfffffffffffffffe}, 0x0, &(0x7f00000002c0)={0x3ff, 0x0, 0x8, 0x400000f, 0x4, 0x0, 0x7fffffff}, 0x0, 0x0) executing program 4: r0 = open(&(0x7f0000000280)='.\x00', 0x0, 0x0) mprotect(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1) fcntl$lock(r0, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0x9}) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0xec776000) r1 = open(&(0x7f0000000280)='.\x00', 0x0, 0x0) timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2, @thr={0x0, 0x0}}, &(0x7f0000000300)=0x0) fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5}) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) timer_settime(r2, 0x1, &(0x7f0000000040)={{}, {0x0, 0x989680}}, 0x0) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0x18a42000) fremovexattr(r1, &(0x7f0000000000)=@known='system.posix_acl_default\x00') close(r0) splice(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0xfffd, 0x0) executing program 4: r0 = syz_usb_connect(0x5, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000b510f210950b2a7773820102030109022400010000000009042200028953950009050a02ff0300fa000905820250"], 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000380)={0x1c, &(0x7f0000000240)=ANY=[@ANYBLOB="200507"], 0x0, 0x0}) syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000580)={0x1c, &(0x7f0000000100)=ANY=[@ANYBLOB="400d03"], 0x0, 0x0}) syz_usb_control_io$uac2(r0, 0x0, &(0x7f0000000840)={0x44, &(0x7f0000000280)=ANY=[@ANYBLOB="6012d7000000ef"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0) syz_usb_control_io$uac3(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$lan78xx(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000440)={0x1c, &(0x7f0000000340)={0x60, 0x3, 0x3, "b42ce4"}, 0x0, 0x0}) executing program 2: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = socket$tipc(0x1e, 0x5, 0x0) ioctl$int_in(r1, 0x5421, &(0x7f0000000280)=0x521f) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x83, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x4) ioctl$KVM_SET_SREGS(r4, 0x4138ae84, &(0x7f0000000100)={{0x0, 0xdddd1004, 0xc, 0x0, 0x8, 0x8, 0x0, 0x2, 0x0, 0x6, 0x5}, {0x25000, 0x0, 0x3, 0x8, 0x0, 0x0, 0x0, 0x0, 0x3, 0x7, 0x0, 0xff}, {0x3000, 0x5002, 0x10, 0x0, 0x7, 0x4, 0x0, 0x0, 0x2, 0x2, 0x0, 0xfc}, {0x100000, 0x3000, 0xe, 0x2b, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x4, 0x4}, {0xeeee8000, 0x3000, 0x9, 0x0, 0xff, 0x4, 0x0, 0xe, 0x0, 0x3c}, {0x8080000, 0x10000, 0x10, 0x8, 0x0, 0x0, 0x2, 0x0, 0x0, 0x1, 0x80}, {0x8080000, 0x0, 0xa, 0x6, 0x5, 0x0, 0x3}, {0x80a0000, 0xdddd0000, 0x0, 0x0, 0x0, 0x1, 0x0, 0xa, 0x26}, {0x70000}, {0xb000}, 0xfdfcffdb, 0x0, 0x41000, 0x28, 0xb, 0xf801, 0x0, [0x0, 0x1000000000000, 0x1]}) ioctl$KVM_TRANSLATE(r4, 0xc018ae85, &(0x7f00000000c0)={0x58000, 0x0, 0x2, 0xfe, 0xe}) accept4(r1, 0x0, 0x0, 0x400000000000000) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) r5 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0}, 0x0) ptrace(0x10, r5) ptrace$setregs(0xd, r5, 0x0, &(0x7f00000003c0)="18607651149d7b10b4024fbbdc08899b8f589df2dbb5d7a8d1b36cfab675cb3976ee8100e2878c9cfa178cac130eb046eda93df39ed4b41924dc225ad4028dd63defb87d698be5c749450b350a789dcfc6b2d6a696b5026d1e52f19274566d1da0f353dd65e330ebf71c5e823f2753c5fd76724828ef31b353e71805205c3dceb44cc4c7b3664e29fb") ptrace$getregset(0x4205, r5, 0x200, &(0x7f0000000080)={&(0x7f00000000c0)=""/112, 0x70}) executing program 0: r0 = syz_usb_connect(0x2, 0x24, &(0x7f0000000180)=ANY=[@ANYBLOB="120100001d9167204f17316a3f26010203010902120001000000000904"], 0x0) syz_usb_control_io$rtl8150(r0, 0x0, 0x0) syz_usb_control_io$uac2(r0, 0x0, 0x0) syz_usb_control_io$rtl8150(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$lan78xx(r0, 0x0, 0x0) syz_usb_control_io$lan78xx(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$lan78xx(r0, 0x0, 0x0) executing program 1: r0 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000000140)='/sys/kernel/debug/binder/state\x00', 0x0, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000100)={0x73622a85, 0xa}) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000540), 0xffffffffffffffff) syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000300)={'wlan0\x00'}) sendmsg$NL80211_CMD_JOIN_MESH(r3, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[@ANYBLOB='L\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="01000000000000000000440000000800", @ANYBLOB], 0x4c}}, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)) socket$nl_netfilter(0x10, 0x3, 0xc) r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) syz_usb_connect$uac3(0x3, 0x9c, &(0x7f0000000100)=ANY=[@ANYBLOB="12010003000000403512100040000102030109028a000301046008080b0001012430010904000000010130000a2401f5260005000000132403050004030306070000000400010004000924050602"], &(0x7f0000000300)={0x0, 0x0, 0x0, 0x0, 0x1, [{0x0, 0x0}]}) dup3(r4, r1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, 0x0) lseek(r0, 0x851, 0x0) executing program 4: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) getpid() syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) syz_open_dev$sndmidi(&(0x7f0000000100), 0x2, 0x141102) pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0xd0, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xa, 0x80000006, 0x400}, 0x0, 0x0) mq_timedreceive(r0, &(0x7f0000001140)=""/4127, 0x101f, 0x0, 0x0) executing program 2: userfaultfd(0x801) creat(&(0x7f0000000040)='./bus\x00', 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x2800, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) socket$packet(0x11, 0x3, 0x300) socket$packet(0x11, 0x2, 0x300) r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='freezer.self_freezing\x00', 0x275a, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000000c0)=[@textreal={0x8, &(0x7f0000000000)="8ee8c9b8ee088ed8660f3801b2d6352ed9ff660f3882040f01cf0fc72d2626652e0f01ca0fc7386635002000000f22e0", 0xffffffffffffff8b}], 0x1, 0x50, 0x0, 0x0) write$binfmt_script(r2, &(0x7f0000000000), 0x208e24b) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0xa0011, r2, 0x0) preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x1, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x64, 0x0, 0x0) pipe(&(0x7f0000000240)) ioctl$KVM_RUN(r3, 0xae80, 0x0) executing program 0: timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2, @thr={0x0, 0x0}}, &(0x7f0000000340)=0x0) fcntl$lock(0xffffffffffffffff, 0x5, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5}) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) timer_settime(r0, 0x1, &(0x7f0000000040)={{}, {0x0, 0x989680}}, 0x0) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0xec776000) r1 = socket(0x40000000015, 0x5, 0x0) connect$inet(r1, &(0x7f0000000040)={0x2, 0x4e20, @loopback}, 0x10) setsockopt$SO_RDS_TRANSPORT(r1, 0x114, 0x8, &(0x7f00000008c0)=0x2, 0x4) setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f00006dbffc), 0x4) bind$inet(r1, &(0x7f0000000340)={0x2, 0x4e20, @loopback}, 0x57) sendmsg$xdp(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000480)=[{&(0x7f0000000200)="0000000000aa303e97380e90231bdbdaf6a4bd866226b7cdb7c26858c4e4fd703be2f51ed6ddc4a47116ec2db75c7042a22491af0ffea4174a9de3350c0a498396b28c7d1784d04aa38922721cb7816094cb82950fd012efd26d", 0x5a}, {&(0x7f0000000900)="0f198d5aa5caa1c55b84b414797cbdd4e8c576a921a070fc828060506683fd1106a961ac55b5b8ea3342ca7de5559ca2c14e05e42aed8ba14b2c78cb540f71a817d80fbf1945a046ebda494a8048a106a4d49d7f214735ada53397db3b203885ce39ee48d69465935eade21ce36e61826c52c82f038341d9bab5687c740ed3c18897094e7e1391eb84a4052e03c0c7c39ae86d454938f65e284620b99481c33d9f5e5b7a6c0d7548723f55b213c76be37f40c850c38e265758ebd8238257a146d6eced16fd658a784c928fea7a841db1a7fd6520442dae5fc0d3a3d3a5f16fcf6fe4f062ecdad7d0f3c6cd339339533c0ef28ad1e2729907094c3de93c1b1b00ad6df89507000000fb7565d3a8e9eaea020ed173c2179fb03e0944460989240a689c7fe795d310be4e7a6b778a903280dbf426b39c3603c49049980767e31edb997f59785184cbd7b9070400000073c745f71db0906cb51780f908fa61634af8ac85d9f04f3dff0a948e81cd3229a59aaeb00995358155343e3239588a0383e4df109d5ca24276d0d83a27d0e9bf681c1bbea12a6f3c20ad50f63430333bb327eb6ae32fe8809065bce26d2dc2fbb2b48d404637d61fd86852e0e1b6ccc6f75b1107aaa5f60ef45f94e953b3f213c3cb4ca4c716565078c666f84e1a99bb4cb5c7190648132f6ff1f6cb79b93f20752753c938da6241607a742361d995188b23cb4b8269e98e822585695962620673433748e476f7cc3e37db88639c525ff3a502c82c283b00aecfe7734ab369e1ed7c75e27a5a333641817baa3ea37844e20e6266c5095abf9d47ca5f8ad93f1a4d8795daec222ada00d65cf91425fae7939ceaa8d94ec1ab5082e1d251c27b3132119b350e81771f3733be232ffb90c03a818bf458aac3314007c3e35d5e4bed6b897608b01e7e26a54433e5f5c74a2ee3c2fc50067be05a677f122b7dba7010830b879a41b579d44158fb89ea05761d2d369853bea84dfb8081ed7b891dcb3bb3361534fdc5252e4964aed936ad2838e7af14fc65c7c1c6d44c6256f2462ae83cfd6a6b2651da607fe79d345e5080098e9e6e7482cc5c267e00d8d09dcde70b60fe6220fe9530547201664db91cf1885ecc2f106b66cd99131523c99f6102ddd7403791b3a7ac59b256cc4c938fe01740ae4f19b5204ca305b1666b0c2a7e5015d6d530995843adfbac3954306d4cd82257d4d2c3283d45dbae43548fed9879328f114f7c8238ac955391b24614d91be1701ae07c170a9c299fcf3d0ac4cea07e88fbf66b697883af17a06ac3f9954eb2fbd20f101802cd023fc48c5d464c16059cc9dce8558c5322ac7612db0e2725427628c2c41a21f0d2f3962e32f710bf9e216ff1694e8d88c8a81328744b36d9ef9f08c0ea3ccd4f8729e2f00a048162834a95", 0x3f1}, {&(0x7f00000003c0)="128b9306006d4810e5ac5040ad9201847839fc378469d5765b9cc241840896c1498194a7197b45d74a8532b82037b02c9e6045c361eb", 0x36}], 0x3}, 0x0) r2 = socket$alg(0x26, 0x5, 0x0) bind$alg(r2, 0x0, 0x0) read$alg(0xffffffffffffffff, 0x0, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f00000021c0)='./file0\x00', 0x3a) sendmsg$key(r1, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000)={0x0}}, 0x0) executing program 1: r0 = landlock_create_ruleset(&(0x7f0000000040)={0x0, 0x3}, 0x10, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x22) r1 = landlock_create_ruleset(&(0x7f0000000040)={0x2, 0x3, 0x3}, 0x18, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r1, 0x9) landlock_restrict_self(r1, 0x0) landlock_restrict_self(r1, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000180)='./file1\x00', 0x1c0) r2 = landlock_create_ruleset(&(0x7f0000000200)={0x7070, 0x2, 0x1}, 0x18, 0x0) landlock_restrict_self(r2, 0x0) mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1/file2\x00', 0x81c0, 0x0) renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file2\x00', 0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x2) executing program 2: syz_open_dev$sg(&(0x7f00000001c0), 0x508d48d4, 0x40902) r0 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0xfd, 0x2, 0x7fff7ffc}]}) r1 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_STAT_GET(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000540)=ANY=[@ANYBLOB="480000001114010025bd7000fddbdf250800010000000000080044000100000008004a0000000000"], 0x48}, 0x1, 0x0, 0x0, 0x4000}, 0x4000) r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x4000000082a82, 0x0) r3 = dup(r2) r4 = syz_open_dev$sndctrl(&(0x7f0000000000), 0x0, 0x400) ioctl$SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE(r4, 0x40045532, &(0x7f0000000080)) r5 = openat$audio(0xffffffffffffff9c, &(0x7f0000000140), 0x40000000040201, 0x0) r6 = syz_open_dev$sndpcmp(&(0x7f0000000200), 0x0, 0xa2c65) writev(r5, &(0x7f00000026c0), 0x0) ioctl$SNDRV_PCM_IOCTL_XRUN(r6, 0x4148, 0x0) write$uinput_user_dev(r3, &(0x7f0000000080)={'syz0\x00', {0xa, 0xc60, 0x0, 0xfff}, 0x12, [0x8000, 0x4, 0x7423, 0x0, 0x6, 0x6, 0xfc, 0x1, 0x8fa, 0x0, 0x6, 0x7, 0x5, 0xfffffbfc, 0x646, 0x80000001, 0x2, 0x1, 0xb85, 0x8000, 0x1000, 0x4, 0x0, 0x2, 0xb2e, 0x4, 0x67, 0x0, 0xc, 0xa, 0xb, 0x8, 0xfff, 0x7ff, 0x31b7, 0x7, 0x1, 0x8000, 0x93, 0x0, 0x5, 0x1, 0x1800000, 0x4, 0x6, 0x8, 0x8, 0xb, 0x0, 0x2, 0x9, 0x5, 0x1000, 0x4, 0x4, 0xfffffff8, 0xf508, 0xd84, 0xf31, 0x2, 0x0, 0x6, 0xb0c, 0x4], [0x2, 0x40, 0x4, 0x8, 0x8, 0x81, 0x3, 0x1, 0xa, 0x9, 0xc3, 0x8, 0x79, 0x3, 0x1020, 0x2, 0xb6b, 0x1, 0x8, 0x5, 0x7f, 0x1, 0x8, 0x0, 0x6, 0x1, 0x7, 0x3, 0x5, 0x7, 0x4e6, 0x95e, 0x295, 0x4, 0x4, 0x5, 0x1167, 0x6, 0x3, 0x3, 0x0, 0xfffffff8, 0xfffffeff, 0xe7ed, 0x44, 0xc565, 0x5, 0x80, 0x3, 0xffffffff, 0x0, 0x7, 0x715, 0x5, 0x6a26, 0x90000000, 0x401, 0x2, 0x8, 0x87b2, 0xffffff9e, 0x0, 0x0, 0x4], [0x1, 0x400, 0x8001, 0x4, 0x2, 0x7, 0xffff, 0x9, 0x9, 0xce83, 0x2, 0x4, 0x1, 0x7c026184, 0x1, 0x3, 0x6, 0x2, 0xc9e7, 0x80000000, 0x100, 0x1, 0x7, 0xfffffffa, 0x5, 0x5, 0x56, 0x1969, 0x3ff, 0x5, 0x580, 0xfffffffe, 0x6a8, 0x7fffffff, 0x9, 0x0, 0x8, 0xb, 0x6, 0x7, 0x7fff, 0x3, 0x6, 0x10, 0x1000, 0x9, 0x8, 0x1000, 0x17, 0x2, 0x64b, 0xed, 0x1, 0x2, 0x7, 0xa8c, 0x3, 0x9, 0x1, 0xd3f, 0x5, 0x9dc, 0x1, 0x6], [0x0, 0xa902, 0x8000, 0x8, 0x2, 0x4, 0x1, 0xf, 0xdd, 0x0, 0x7, 0x10000, 0x101, 0x6c9, 0x9, 0x0, 0x8, 0x1, 0x7, 0x1, 0xef03, 0x8, 0x5302137a, 0x4, 0xcc, 0x2, 0xa31, 0xc3, 0x7, 0xbd30, 0x5, 0x3, 0x5, 0x0, 0x9, 0xfc, 0x2, 0x6, 0x9, 0x3e, 0x2, 0x8, 0x2, 0x81, 0x4, 0xffffffff, 0x4, 0xf, 0x7, 0x6, 0x8, 0x101, 0x9, 0x8, 0x7, 0xfffffffb, 0xa, 0x1, 0x104, 0x2, 0x8, 0x7, 0x8, 0x46b]}, 0x45c) fallocate(r3, 0x10, 0x0, 0x72000) syz_open_dev$sg(&(0x7f0000000300), 0x0, 0x8100) close_range(r0, 0xffffffffffffffff, 0x200000000000000) executing program 0: r0 = landlock_create_ruleset(&(0x7f0000000080)={0x10}, 0x10, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) landlock_restrict_self(r0, 0x0) r1 = landlock_create_ruleset(&(0x7f00000000c0)={0x8152}, 0x18, 0x0) landlock_restrict_self(r1, 0x0) landlock_restrict_self(r0, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x32) r2 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x6c6882, 0x13d) landlock_restrict_self(r1, 0xa) r3 = landlock_create_ruleset(&(0x7f00000001c0)={0x1005, 0x1}, 0x18, 0x0) landlock_restrict_self(r3, 0x0) renameat2(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup\x00', r2, &(0x7f0000000000)='./file0\x00', 0x4) executing program 1: socket$inet_icmp_raw(0x2, 0x3, 0x1) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) openat$sysfs(0xffffffffffffff9c, &(0x7f00000017c0)='/sys/power/wakeup_count', 0x602, 0x1d2) socket$packet(0x11, 0x2, 0x300) socket(0x10, 0x803, 0x0) syz_open_procfs$namespace(0x0, &(0x7f0000000000)='ns/pid_for_children\x00') socket$nl_route(0x10, 0x3, 0x0) socket(0x1, 0x803, 0x0) socket$unix(0x1, 0x1, 0x0) socket$inet6(0xa, 0x2, 0x0) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x8, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0xfd, 0x0, 0x7ffffcb9}]}) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000480), r0) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000080)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_FRAME(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000180)=ANY=[@ANYBLOB='<\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="010000000000000000003b00000008000300", @ANYRES32=r2, @ANYBLOB="1f003300d00000000802110000010802110000005050505050500000", @ANYRES8=r0], 0x3c}, 0x1, 0x0, 0x0, 0x24004881}, 0x10) executing program 0: mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0xec776000) mkdir(&(0x7f0000001a80)='./file0\x00', 0x1cb) mount$bpf(0x200000000000, &(0x7f0000000000)='./file0/../file0\x00', 0x0, 0x989046, 0x0) mount$bpf(0x0, 0x0, 0x0, 0x100000, 0x0) mount$bpf(0x200000000000, &(0x7f0000000200)='.\x00', 0x0, 0x8b7840, 0x0) mount$bpf(0x200000000000, 0x0, 0x0, 0x989046, 0x0) r0 = socket$inet(0x2, 0x4000000000000001, 0x0) bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @multicast1}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000740)='westwood', 0x8) sendmmsg$inet(r0, &(0x7f00000024c0)=[{{0x0, 0x0, &(0x7f0000000700)=[{&(0x7f0000000180)="cb", 0x1}], 0x1}}, {{0x0, 0x0, &(0x7f0000000e40)=[{&(0x7f0000000840)="a5", 0x1}], 0x1}}], 0x2, 0x2090) ioctl$DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD_SYNC_FILE(0xffffffffffffffff, 0xc01864c1, 0x0) r1 = socket$kcm(0x10, 0x2, 0x4) r2 = socket$kcm(0x2, 0x200000000000001, 0x0) sendmsg$inet(r2, 0x0, 0x3000c085) sendmsg$kcm(r1, &(0x7f0000000380)={0x0, 0xc0, &(0x7f0000000000)=[{&(0x7f0000000140)="89000000120081ae08060cdc030100007f03e3f7000000006ee2ffca1b1f0000000004c00e72f750375ed08a56331dbf9ed7815e381ad6e747033a009bb837dc6cc01e32efaec8c7e4ec0012100001400d0c0c00bdad446b9bbc7a46e3988285dcdf12f21308f868fece01955fed0009d78f0a947ee2b49e33538afa8af92347514f0b567c660dbbff", 0x89}], 0x1}, 0x40084) executing program 2: getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0xb, 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x20000000000011) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r0, 0x4020ae46, 0x0) openat$snapshot(0xffffffffffffff9c, 0x0, 0x200403, 0x0) ioctl$VIDIOC_S_EXT_CTRLS(0xffffffffffffffff, 0xc0205648, 0x0) sendmsg$TIPC_NL_MON_GET(0xffffffffffffffff, 0x0, 0x0) socket$inet_mptcp(0x2, 0x1, 0x106) r1 = syz_usb_connect(0x5, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000b510f210950b2a7773820102030109022400010000000009042200028953950009050a02ff0300fa000905820250"], 0x0) syz_usb_control_io$rtl8150(r1, 0x0, 0x0) syz_usb_control_io$printer(r1, 0x0, &(0x7f00000009c0)={0x34, &(0x7f0000000600)={0x0, 0xf, 0x6, "ae2964eb4fe2"}, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$cdc_ecm(r1, 0x0, &(0x7f0000000380)={0x1c, &(0x7f0000000240)={0x20, 0x5, 0x2, "d310"}, 0x0, 0x0}) syz_usb_control_io$printer(r1, 0x0, &(0x7f00000003c0)={0x34, &(0x7f0000000840)=ANY=[@ANYBLOB="001506"], 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$uac2(r1, 0x0, 0x0) syz_usb_control_io$uac1(r1, 0x0, 0x0) mknodat$loop(0xffffffffffffffff, 0x0, 0x4, 0x0) executing program 1: r0 = syz_usb_connect(0x2, 0x24, &(0x7f00000007c0)=ANY=[@ANYBLOB="12010000ed3ec908cd0cb300ea2d010203010902120001000000000904"], 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000000)={0x1c, &(0x7f0000000240)=ANY=[], 0x0, 0x0}) syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0) syz_usb_control_io$sierra_net(r0, 0x0, &(0x7f0000002040)={0x1c, &(0x7f0000000280)={0x40, 0x8}, 0x0, 0x0}) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, &(0x7f00000003c0)={0x34, &(0x7f00000001c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0}) executing program 0: r0 = syz_usb_connect(0x0, 0x36, &(0x7f0000000240)=ANY=[@ANYBLOB="12010000772904202404019957c2010203010902240001000010000904430002317d5500090502020002020000090582020002"], 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$rtl8150(r0, 0x0, 0x0) syz_usb_control_io$uac2(r0, 0x0, 0x0) syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000900)={0x34, &(0x7f0000000740)={0x20, 0x17, 0x4, "a4b3c570"}, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$lan78xx(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$uac2(r0, 0x0, &(0x7f0000000780)={0x44, &(0x7f0000000800)=ANY=[@ANYBLOB="000704"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$uac3(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000001c00)={0x84, &(0x7f00000017c0)={0x20, 0x1, 0x4, "15c26642"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$sierra_net(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000a40)={0x84, &(0x7f0000000480)={0x40, 0x12, 0x4, "dfe7e1ad"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$printer(r0, 0x0, 0x0) syz_usb_control_io$uac2(r0, 0x0, &(0x7f0000000b00)={0x44, &(0x7f0000000640)={0x40, 0xd, 0x5, "fb226b2cc7"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000380)={0x34, &(0x7f00000001c0)={0x0, 0x9, 0x7, "2dc6deee7868fb"}, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000340)={0xc0, 0xa2, 0x2f, "73979417108ddfb67cc1cc7afc15cb3790b9c52e26be5c1272bf775f7fc1fa1b9de494495094d20e344f024ab714b7"}}) syz_usb_control_io$uac3(r0, 0x0, 0x0) executing program 2: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$sock_int(r0, 0x1, 0x3c, &(0x7f00000000c0)=0x1, 0x4) setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000080)=0x1f6, 0x4) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x6) r2 = getpgrp(0x0) sched_setaffinity(r2, 0x8, &(0x7f0000000040)=0x5) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) r3 = syz_clone(0x8000, 0x0, 0xfffffffffffffe7e, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r3, 0x1, 0x0) r4 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0) read$msr(r4, &(0x7f0000019680)=""/102392, 0x18ff8) sendmmsg$inet(r0, &(0x7f0000003240)=[{{&(0x7f0000000100)={0x2, 0x4e24, @empty}, 0x10, &(0x7f00000016c0)=[{&(0x7f0000000000)="97", 0xfdef}], 0x1}}], 0x1, 0x4000800) executing program 0: socket$inet_icmp_raw(0x2, 0x3, 0x1) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x901800, 0x0) r1 = getpid() r2 = syz_pidfd_open(r1, 0x0) pidfd_getfd(r2, r0, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f00000000c0), 0x48241, 0x0) socket$kcm(0x2, 0xa, 0x2) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mount$fuse(0x0, 0x0, 0x0, 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=0x0]) mount(0x0, &(0x7f00000001c0)='./file1\x00', &(0x7f0000000040)='autofs\x00', 0x0, &(0x7f0000000400)) chdir(&(0x7f0000000140)='./file1\x00') r3 = open(&(0x7f00000002c0)='.\x00', 0x80000, 0x12d) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file1/file0\x00', 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)) ioctl$AUTOFS_IOC_PROTOSUBVER(r3, 0x40049366, &(0x7f0000000180)) executing program 1: openat$dsp(0xffffffffffffff9c, &(0x7f00000003c0), 0x101a02, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0xa9525000) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c) listen(r1, 0x0) r2 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10) r3 = accept(r1, 0x0, 0x0) ioctl$vim2m_VIDIOC_S_CTRL(0xffffffffffffffff, 0xc008561c, 0x0) ppoll(0x0, 0x0, 0x0, 0x0, 0x0) sendmsg$TEAM_CMD_OPTIONS_SET(r3, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000002c0)=ANY=[], 0xfffffdef}, 0x1, 0x0, 0x0, 0x800}, 0x10) recvfrom$inet(r2, &(0x7f00000000c0)=""/17, 0x11, 0x1, 0x0, 0x0) executing program 2: ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000140)={'syz_tun\x00'}) r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000002c0), 0x2, 0x0) ioctl$VHOST_SET_OWNER(r0, 0xaf01, 0x0) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000300)={0x1, 0x0, 0x0, &(0x7f0000000480)=""/74, 0x0}) timer_create(0x3, &(0x7f0000000080)={0x0, 0x40, 0x4, @thr={0x0, 0x0}}, 0x0) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000400)) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x0, 0x0, 0x0, &(0x7f0000000340)=""/185, &(0x7f0000000140)=""/92}) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f00000000c0)=0x1) ioctl$VHOST_VSOCK_SET_GUEST_CID(r0, 0x4008af60, &(0x7f0000000040)={@my=0x1}) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000100)={0x1, 0x0, [{0x0, 0x6e, &(0x7f0000001540)=""/110}]}) r1 = socket$vsock_stream(0x28, 0x1, 0x0) connect$vsock_stream(r1, &(0x7f0000000200)={0x28, 0x0, 0xffffffff, @my=0x1}, 0x10) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000080)=""/57, 0x0, &(0x7f0000000500)=""/4092}) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1) executing program 1: r0 = syz_open_dev$vim2m(&(0x7f0000000140), 0x200000001000, 0x2) ioctl$vim2m_VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f00000000c0)={0x1, 0x2, 0x1}) ioctl$vim2m_VIDIOC_QBUF(r0, 0xc058560f, &(0x7f00000002c0)=@multiplanar_mmap={0x0, 0x2, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "fafc00"}, 0x0, 0x1, {0x0}}) socket$kcm(0x2, 0x1, 0x84) socket$kcm(0x10, 0x2, 0x0) r1 = openat(0xffffffffffffff9c, 0x0, 0x42, 0x0) mount$9p_fd(0x0, 0x0, 0x0, 0x1020010, 0x0) read$usbfs(0xffffffffffffffff, 0x0, 0x0) sendmsg$NFQNL_MSG_VERDICT_BATCH(r1, 0x0, 0x4) r2 = syz_open_dev$usbmon(&(0x7f0000000080), 0x0, 0x0) ioctl$MON_IOCG_STATS(r2, 0xc0109207, &(0x7f00000002c0)) ioctl$IOMMU_IOAS_ALLOC(0xffffffffffffffff, 0x3b81, 0x0) ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r1, 0x3ba0, 0x0) r3 = openat$iommufd(0xffffffffffffff9c, 0x0, 0x68200, 0x0) ioctl$IOMMU_IOAS_ALLOC(r3, 0x3b81, 0x0) ioctl$IOMMU_VFIO_IOAS$SET(r3, 0x3b88, 0x0) accept4(r1, 0x0, 0x0, 0x80800) program did not crash replaying the whole log did not cause a kernel crash single: executing 6 programs separately with timeout 1m40s testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$vim2m-ioctl$vim2m_VIDIOC_REQBUFS-ioctl$vim2m_VIDIOC_QBUF-socket$kcm-socket$kcm-openat-mount$9p_fd-read$usbfs-sendmsg$NFQNL_MSG_VERDICT_BATCH-syz_open_dev$usbmon-ioctl$MON_IOCG_STATS-ioctl$IOMMU_IOAS_ALLOC-ioctl$IOMMU_TEST_OP_CREATE_ACCESS-openat$iommufd-ioctl$IOMMU_IOAS_ALLOC-ioctl$IOMMU_VFIO_IOAS$SET-accept4 detailed listing: executing program 0: r0 = syz_open_dev$vim2m(&(0x7f0000000140), 0x200000001000, 0x2) ioctl$vim2m_VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f00000000c0)={0x1, 0x2, 0x1}) ioctl$vim2m_VIDIOC_QBUF(r0, 0xc058560f, &(0x7f00000002c0)=@multiplanar_mmap={0x0, 0x2, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "fafc00"}, 0x0, 0x1, {0x0}}) socket$kcm(0x2, 0x1, 0x84) socket$kcm(0x10, 0x2, 0x0) r1 = openat(0xffffffffffffff9c, 0x0, 0x42, 0x0) mount$9p_fd(0x0, 0x0, 0x0, 0x1020010, 0x0) read$usbfs(0xffffffffffffffff, 0x0, 0x0) sendmsg$NFQNL_MSG_VERDICT_BATCH(r1, 0x0, 0x4) r2 = syz_open_dev$usbmon(&(0x7f0000000080), 0x0, 0x0) ioctl$MON_IOCG_STATS(r2, 0xc0109207, &(0x7f00000002c0)) ioctl$IOMMU_IOAS_ALLOC(0xffffffffffffffff, 0x3b81, 0x0) ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r1, 0x3ba0, 0x0) r3 = openat$iommufd(0xffffffffffffff9c, 0x0, 0x68200, 0x0) ioctl$IOMMU_IOAS_ALLOC(r3, 0x3b81, 0x0) ioctl$IOMMU_VFIO_IOAS$SET(r3, 0x3b88, 0x0) accept4(r1, 0x0, 0x0, 0x80800) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$sock_SIOCGIFINDEX-openat$vhost_vsock-ioctl$VHOST_SET_OWNER-ioctl$VHOST_SET_VRING_ADDR-timer_create-ioctl$VHOST_SET_MEM_TABLE-ioctl$VHOST_SET_VRING_ADDR-ioctl$VHOST_VSOCK_SET_RUNNING-ioctl$VHOST_VSOCK_SET_GUEST_CID-ioctl$VHOST_SET_MEM_TABLE-socket$vsock_stream-connect$vsock_stream-ioctl$VHOST_SET_VRING_ADDR-ioctl$VHOST_VSOCK_SET_RUNNING detailed listing: executing program 0: ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000140)={'syz_tun\x00'}) r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000002c0), 0x2, 0x0) ioctl$VHOST_SET_OWNER(r0, 0xaf01, 0x0) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000300)={0x1, 0x0, 0x0, &(0x7f0000000480)=""/74, 0x0}) timer_create(0x3, &(0x7f0000000080)={0x0, 0x40, 0x4, @thr={0x0, 0x0}}, 0x0) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000400)) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x0, 0x0, 0x0, &(0x7f0000000340)=""/185, &(0x7f0000000140)=""/92}) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f00000000c0)=0x1) ioctl$VHOST_VSOCK_SET_GUEST_CID(r0, 0x4008af60, &(0x7f0000000040)={@my=0x1}) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000100)={0x1, 0x0, [{0x0, 0x6e, &(0x7f0000001540)=""/110}]}) r1 = socket$vsock_stream(0x28, 0x1, 0x0) connect$vsock_stream(r1, &(0x7f0000000200)={0x28, 0x0, 0xffffffff, @my=0x1}, 0x10) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000080)=""/57, 0x0, &(0x7f0000000500)=""/4092}) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_icmp_raw-openat$kvm-getpid-syz_pidfd_open-pidfd_getfd-openat$tun-socket$kcm-mkdirat-mount$fuse-mount-chdir-open-mkdirat-mkdirat-socketpair$unix-ioctl$AUTOFS_IOC_PROTOSUBVER detailed listing: executing program 0: socket$inet_icmp_raw(0x2, 0x3, 0x1) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x901800, 0x0) r1 = getpid() r2 = syz_pidfd_open(r1, 0x0) pidfd_getfd(r2, r0, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f00000000c0), 0x48241, 0x0) socket$kcm(0x2, 0xa, 0x2) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mount$fuse(0x0, 0x0, 0x0, 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=0x0]) mount(0x0, &(0x7f00000001c0)='./file1\x00', &(0x7f0000000040)='autofs\x00', 0x0, &(0x7f0000000400)) chdir(&(0x7f0000000140)='./file1\x00') r3 = open(&(0x7f00000002c0)='.\x00', 0x80000, 0x12d) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file1/file0\x00', 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000180)) ioctl$AUTOFS_IOC_PROTOSUBVER(r3, 0x40049366, &(0x7f0000000180)) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs-prctl$PR_SCHED_CORE-getpid-syz_init_net_socket$bt_sco-syz_open_dev$sndmidi-pselect6-mq_timedreceive detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) getpid() syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) syz_open_dev$sndmidi(&(0x7f0000000100), 0x2, 0x141102) pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0xd0, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xa, 0x80000006, 0x400}, 0x0, 0x0) mq_timedreceive(r0, &(0x7f0000001140)=""/4127, 0x101f, 0x0, 0x0) program crashed: WARNING in hrtick_start_fair single: successfully extracted reproducer found reproducer with 16 syscalls minimizing guilty program testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs-prctl$PR_SCHED_CORE-getpid-syz_init_net_socket$bt_sco-syz_open_dev$sndmidi-pselect6 detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) getpid() syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) syz_open_dev$sndmidi(&(0x7f0000000100), 0x2, 0x141102) pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0xd0, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xa, 0x80000006, 0x400}, 0x0, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs-prctl$PR_SCHED_CORE-getpid-syz_init_net_socket$bt_sco-syz_open_dev$sndmidi detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) getpid() syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) syz_open_dev$sndmidi(&(0x7f0000000100), 0x2, 0x141102) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs-prctl$PR_SCHED_CORE-getpid-syz_init_net_socket$bt_sco detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) getpid() syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs-prctl$PR_SCHED_CORE-getpid detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) getpid() program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs-prctl$PR_SCHED_CORE detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-openat$binderfs detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-syz_open_dev$video-prctl$PR_SCHED_CORE detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-fsopen-prctl$PR_SCHED_CORE detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) fsopen(&(0x7f0000000080)='ocfs2\x00', 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-socket$nl_route-prctl$PR_SCHED_CORE detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) socket$nl_route(0x10, 0x3, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in update_se testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-read$FUSE-prctl$PR_SCHED_CORE detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000002180)={0x2020}, 0x2020) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-mq_timedsend-prctl$PR_SCHED_CORE detailed listing: executing program 0: r0 = mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r1) sendmsg$IEEE802154_LLSEC_ADD_DEV(r1, 0x0, 0xc000) mq_timedsend(r0, 0x0, 0x0, 0x4, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-sendmsg$IEEE802154_LLSEC_ADD_DEV-prctl$PR_SCHED_CORE detailed listing: executing program 0: mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r0) sendmsg$IEEE802154_LLSEC_ADD_DEV(r0, 0x0, 0xc000) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-prctl$PR_SCHED_CORE detailed listing: executing program 0: mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ieee802154(&(0x7f0000000100), r0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-syz_init_net_socket$nl_generic-prctl$PR_SCHED_CORE detailed listing: executing program 0: mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mq_open-prctl$PR_SCHED_CORE detailed listing: executing program 0: mq_open(&(0x7f0000000180)='\xc2\xddv:\xa9\x875\x81\x9ay\xc2\xa9\fE\x7f\x82\xdcV', 0x6e93ebbbcc0884f2, 0x0, &(0x7f0000000040)={0x0, 0x6, 0x101}) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in update_load_avg testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE detailed listing: executing program 0: prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair extracting C reproducer testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair simplifying C reproducer testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE program crashed: WARNING in hrtick_start_fair testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE detailed listing: executing program 0: prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE detailed listing: executing program 0: prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prctl$PR_SCHED_CORE detailed listing: executing program 0: prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) program crashed: WARNING in hrtick_start_fair validation run: crashed=true reproducing took 1h34m37.14246091s repro crashed as (corrupted=false): ------------[ cut here ]------------ task_rq(p) != rq WARNING: kernel/sched/fair.c:7656 at hrtick_start_fair+0x196/0x1f0 kernel/sched/fair.c:7656, CPU#1: dhcpcd/6243 Modules linked in: CPU: 1 UID: 0 PID: 6243 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 RIP: 0010:hrtick_start_fair+0x196/0x1f0 kernel/sched/fair.c:7656 Code: 42 80 3c 20 00 74 08 4c 89 ff e8 85 e3 97 00 4d 39 37 0f 85 0c ff ff ff 48 89 df 5b 41 5c 41 5d 41 5e 41 5f e9 4b 65 fa ff 90 <0f> 0b 90 e9 d1 fe ff ff 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 82 RSP: 0018:ffffc90003f6ed40 EFLAGS: 00010006 RAX: ffff8880b863ba40 RBX: ffff8880b873ba40 RCX: ffffffff8197c7de RDX: 0000000000000000 RSI: ffff8880344c1f00 RDI: ffff8880b873ba40 RBP: dffffc0000000000 R08: ffffffff8fcf0b0f R09: 1ffffffff1f9e161 R10: dffffc0000000000 R11: fffffbfff1f9e162 R12: dffffc0000000000 R13: 1ffff110170e78d6 R14: ffff8880344c1f00 R15: ffffffff8dc217d0 FS: 00007f7a29030780(0000) GS:ffff888125b76000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7a28fa8e9c CR3: 0000000037bf2000 CR4: 00000000003526f0 Call Trace: set_next_task_fair+0xa68/0xce0 kernel/sched/fair.c:15058 put_prev_set_next_task kernel/sched/sched.h:2770 [inline] pick_next_task kernel/sched/core.c:6443 [inline] __schedule+0x3e03/0x5550 kernel/sched/core.c:7144 preempt_schedule_irq+0x4d/0xa0 kernel/sched/core.c:7553 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:539 [inline] irqentry_exit+0x14f/0x8c0 kernel/entry/common.c:167 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:100 [inline] RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:238 [inline] RIP: 0010:unwind_next_frame+0x534/0x2550 arch/x86/kernel/unwind_orc.c:510 Code: 0f b6 04 08 84 c0 75 27 49 63 07 4c 01 f8 49 8d 4f 04 4c 39 e0 48 0f 46 e9 49 8d 47 fc 48 0f 47 d8 4d 0f 46 ef 48 39 dd 76 a2 7b fd ff ff 44 89 f9 80 e1 07 80 c1 03 38 c1 7c cc 4c 89 ff 48 RSP: 0018:ffffc90003f6f0f8 EFLAGS: 00000202 RAX: ffffffff8fef6e20 RBX: ffffffff8fef6e24 RCX: ffffffff8fef6e28 RDX: ffffffff8fef6e24 RSI: ffffffff906b1454 RDI: ffffffff8bcc4520 RBP: ffffffff8fef6e28 R08: 0000000000000007 R09: ffffffff8e3cb2a0 R10: ffffc90003f6f218 R11: ffffffff81b09bb0 R12: ffffffff8221311c R13: ffffffff8fef6e24 R14: ffffc90003f6f1c8 R15: ffffffff8fef6e24 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122 kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2700 [inline] slab_free mm/slub.c:6308 [inline] kmem_cache_free+0x187/0x6c0 mm/slub.c:6435 anon_vma_chain_free mm/rmap.c:147 [inline] unlink_anon_vmas+0x69d/0x730 mm/rmap.c:539 free_pgtables+0x836/0xb70 mm/memory.c:414 unmap_region+0x29d/0x330 mm/vma.c:490 vms_clear_ptes mm/vma.c:1303 [inline] vms_complete_munmap_vmas+0x493/0xc60 mm/vma.c:1345 do_vmi_align_munmap+0x3bd/0x4d0 mm/vma.c:1604 do_vmi_munmap+0x252/0x2d0 mm/vma.c:1652 __vm_munmap+0x22c/0x3d0 mm/vma.c:3288 __do_sys_munmap mm/mmap.c:1079 [inline] __se_sys_munmap mm/mmap.c:1076 [inline] __x64_sys_munmap+0x60/0x70 mm/mmap.c:1076 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7a2923f2e7 Code: 00 00 00 b8 0a 00 00 00 0f 05 48 3d 01 f0 ff ff 73 01 c3 48 8d 0d c9 3f 01 00 f7 d8 89 01 48 83 c8 ff c3 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8d 0d a9 3f 01 00 f7 d8 89 01 48 83 RSP: 002b:00007ffef90f5b48 EFLAGS: 00000202 ORIG_RAX: 000000000000000b RAX: ffffffffffffffda RBX: 0000557b95371960 RCX: 00007f7a2923f2e7 RDX: 0000000000000001 RSI: 0000000000029910 RDI: 00007f7a29001000 RBP: 00007ffef90f5c50 R08: 00000000000004f0 R09: 0000000000000002 R10: 00007ffef90f5a80 R11: 0000000000000202 R12: 00007ffef90f5b88 R13: 00007f7a29252000 R14: 0000557b95371960 R15: 0000000000000000 ---------------- Code disassembly (best guess): 0: 0f b6 04 08 movzbl (%rax,%rcx,1),%eax 4: 84 c0 test %al,%al 6: 75 27 jne 0x2f 8: 49 63 07 movslq (%r15),%rax b: 4c 01 f8 add %r15,%rax e: 49 8d 4f 04 lea 0x4(%r15),%rcx 12: 4c 39 e0 cmp %r12,%rax 15: 48 0f 46 e9 cmovbe %rcx,%rbp 19: 49 8d 47 fc lea -0x4(%r15),%rax 1d: 48 0f 47 d8 cmova %rax,%rbx 21: 4d 0f 46 ef cmovbe %r15,%r13 25: 48 39 dd cmp %rbx,%rbp 28: 76 a2 jbe 0xffffffcc * 2a: e9 7b fd ff ff jmp 0xfffffdaa <-- trapping instruction 2f: 44 89 f9 mov %r15d,%ecx 32: 80 e1 07 and $0x7,%cl 35: 80 c1 03 add $0x3,%cl 38: 38 c1 cmp %al,%cl 3a: 7c cc jl 0x8 3c: 4c 89 ff mov %r15,%rdi 3f: 48 rex.W final repro crashed as (corrupted=false): ------------[ cut here ]------------ task_rq(p) != rq WARNING: kernel/sched/fair.c:7656 at hrtick_start_fair+0x196/0x1f0 kernel/sched/fair.c:7656, CPU#1: dhcpcd/6243 Modules linked in: CPU: 1 UID: 0 PID: 6243 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 RIP: 0010:hrtick_start_fair+0x196/0x1f0 kernel/sched/fair.c:7656 Code: 42 80 3c 20 00 74 08 4c 89 ff e8 85 e3 97 00 4d 39 37 0f 85 0c ff ff ff 48 89 df 5b 41 5c 41 5d 41 5e 41 5f e9 4b 65 fa ff 90 <0f> 0b 90 e9 d1 fe ff ff 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 82 RSP: 0018:ffffc90003f6ed40 EFLAGS: 00010006 RAX: ffff8880b863ba40 RBX: ffff8880b873ba40 RCX: ffffffff8197c7de RDX: 0000000000000000 RSI: ffff8880344c1f00 RDI: ffff8880b873ba40 RBP: dffffc0000000000 R08: ffffffff8fcf0b0f R09: 1ffffffff1f9e161 R10: dffffc0000000000 R11: fffffbfff1f9e162 R12: dffffc0000000000 R13: 1ffff110170e78d6 R14: ffff8880344c1f00 R15: ffffffff8dc217d0 FS: 00007f7a29030780(0000) GS:ffff888125b76000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7a28fa8e9c CR3: 0000000037bf2000 CR4: 00000000003526f0 Call Trace: set_next_task_fair+0xa68/0xce0 kernel/sched/fair.c:15058 put_prev_set_next_task kernel/sched/sched.h:2770 [inline] pick_next_task kernel/sched/core.c:6443 [inline] __schedule+0x3e03/0x5550 kernel/sched/core.c:7144 preempt_schedule_irq+0x4d/0xa0 kernel/sched/core.c:7553 irqentry_exit_to_kernel_mode include/linux/irq-entry-common.h:539 [inline] irqentry_exit+0x14f/0x8c0 kernel/entry/common.c:167 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:100 [inline] RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:238 [inline] RIP: 0010:unwind_next_frame+0x534/0x2550 arch/x86/kernel/unwind_orc.c:510 Code: 0f b6 04 08 84 c0 75 27 49 63 07 4c 01 f8 49 8d 4f 04 4c 39 e0 48 0f 46 e9 49 8d 47 fc 48 0f 47 d8 4d 0f 46 ef 48 39 dd 76 a2 7b fd ff ff 44 89 f9 80 e1 07 80 c1 03 38 c1 7c cc 4c 89 ff 48 RSP: 0018:ffffc90003f6f0f8 EFLAGS: 00000202 RAX: ffffffff8fef6e20 RBX: ffffffff8fef6e24 RCX: ffffffff8fef6e28 RDX: ffffffff8fef6e24 RSI: ffffffff906b1454 RDI: ffffffff8bcc4520 RBP: ffffffff8fef6e28 R08: 0000000000000007 R09: ffffffff8e3cb2a0 R10: ffffc90003f6f218 R11: ffffffff81b09bb0 R12: ffffffff8221311c R13: ffffffff8fef6e24 R14: ffffc90003f6f1c8 R15: ffffffff8fef6e24 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122 kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2700 [inline] slab_free mm/slub.c:6308 [inline] kmem_cache_free+0x187/0x6c0 mm/slub.c:6435 anon_vma_chain_free mm/rmap.c:147 [inline] unlink_anon_vmas+0x69d/0x730 mm/rmap.c:539 free_pgtables+0x836/0xb70 mm/memory.c:414 unmap_region+0x29d/0x330 mm/vma.c:490 vms_clear_ptes mm/vma.c:1303 [inline] vms_complete_munmap_vmas+0x493/0xc60 mm/vma.c:1345 do_vmi_align_munmap+0x3bd/0x4d0 mm/vma.c:1604 do_vmi_munmap+0x252/0x2d0 mm/vma.c:1652 __vm_munmap+0x22c/0x3d0 mm/vma.c:3288 __do_sys_munmap mm/mmap.c:1079 [inline] __se_sys_munmap mm/mmap.c:1076 [inline] __x64_sys_munmap+0x60/0x70 mm/mmap.c:1076 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7a2923f2e7 Code: 00 00 00 b8 0a 00 00 00 0f 05 48 3d 01 f0 ff ff 73 01 c3 48 8d 0d c9 3f 01 00 f7 d8 89 01 48 83 c8 ff c3 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8d 0d a9 3f 01 00 f7 d8 89 01 48 83 RSP: 002b:00007ffef90f5b48 EFLAGS: 00000202 ORIG_RAX: 000000000000000b RAX: ffffffffffffffda RBX: 0000557b95371960 RCX: 00007f7a2923f2e7 RDX: 0000000000000001 RSI: 0000000000029910 RDI: 00007f7a29001000 RBP: 00007ffef90f5c50 R08: 00000000000004f0 R09: 0000000000000002 R10: 00007ffef90f5a80 R11: 0000000000000202 R12: 00007ffef90f5b88 R13: 00007f7a29252000 R14: 0000557b95371960 R15: 0000000000000000 ---------------- Code disassembly (best guess): 0: 0f b6 04 08 movzbl (%rax,%rcx,1),%eax 4: 84 c0 test %al,%al 6: 75 27 jne 0x2f 8: 49 63 07 movslq (%r15),%rax b: 4c 01 f8 add %r15,%rax e: 49 8d 4f 04 lea 0x4(%r15),%rcx 12: 4c 39 e0 cmp %r12,%rax 15: 48 0f 46 e9 cmovbe %rcx,%rbp 19: 49 8d 47 fc lea -0x4(%r15),%rax 1d: 48 0f 47 d8 cmova %rax,%rbx 21: 4d 0f 46 ef cmovbe %r15,%r13 25: 48 39 dd cmp %rbx,%rbp 28: 76 a2 jbe 0xffffffcc * 2a: e9 7b fd ff ff jmp 0xfffffdaa <-- trapping instruction 2f: 44 89 f9 mov %r15d,%ecx 32: 80 e1 07 and $0x7,%cl 35: 80 c1 03 add $0x3,%cl 38: 38 c1 cmp %al,%cl 3a: 7c cc jl 0x8 3c: 4c 89 ff mov %r15,%rdi 3f: 48 rex.W