Extracting prog: 34m32.559707471s
Minimizing prog: 5m0.421827735s
Simplifying prog options: 0s
Extracting C: 1m41.371644674s
Simplifying C: 8m46.595517789s


extracting reproducer from 12 programs
testing a last program of every proc
single: executing 2 programs separately with timeout 45s
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-bpf$BPF_RAW_TRACEPOINT_OPEN-openat$sndtimer-bpf$MAP_CREATE_CONST_STR-readv-io_uring_register$IORING_REGISTER_FILES-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$key-socket$nl_xfrm-io_setup-clock_gettime-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-io_submit-syz_open_dev$vcsn-syz_genetlink_get_family_id$tipc-sendmsg$nl_xfrm-socket$nl_netfilter-sendmsg$NFT_BATCH
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x3676, &(0x7f000000a9c0)={0x0, 0x3468, 0x0, 0x0, 0x10000000}, &(0x7f000000aa40), &(0x7f000000aa80))
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000280)={&(0x7f00000002c0)='kmem_cache_free\x00'}, 0x10)
r1 = openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
readv(r1, &(0x7f0000000200), 0x0)
io_uring_register$IORING_REGISTER_FILES(r0, 0x2, &(0x7f0000000180), 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
socket$key(0xf, 0x3, 0x2)
r2 = socket$nl_xfrm(0x10, 0x3, 0x6)
io_setup(0xd, 0x0)
clock_gettime(0x0, &(0x7f0000000400))
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8)
r3 = getpid()
sched_setaffinity(0x0, 0x0, 0x0)
sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
connect$unix(r4, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000006900000000000001000000940000000fad413e850000000700000095"], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r6}, 0x10)
io_submit(0x0, 0x0, 0x0)
r7 = syz_open_dev$vcsn(&(0x7f0000000080), 0x838400000000, 0x80401)
syz_genetlink_get_family_id$tipc(&(0x7f0000000040), r7)
sendmsg$nl_xfrm(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000500)=@newsa={0x150, 0x10, 0x413, 0x70bd29, 0x0, {{@in=@empty, @in6=@rand_addr=' \x01\x00', 0x0, 0x0, 0x4e24, 0x0, 0xa, 0x0, 0x20, 0x21}, {@in=@multicast1, 0x0, 0x32}, @in6=@loopback={0x100000000000000}, {0x0, 0x2, 0x0, 0x0, 0x8, 0x80000, 0x81}, {0x0, 0x5, 0x4, 0x4000006}, {0x0, 0xfffffff9, 0x80000}, 0x0, 0x0, 0x2, 0x4, 0x81, 0x68}, [@algo_aead={0x5d, 0x12, {{'rfc4106(gcm(aes))\x00'}, 0x88, 0x80, "25cac5216d3c8af0aa76902918bf448c5d"}}]}, 0x150}, 0x1, 0x0, 0x0, 0x612fc0b6c779297b}, 0x0)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000001840)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01080000000000000000010000000900010073797a300000000040000000030a01080000000000001e00010000000900030073797a320000000014000480080002400000000008000140000000030900010073797a300000000060000000060a010400000000000000000100000008000b40000000000900010073797a300000000038000480340001800c0001007061796c6f61640024000280080001400000000e080004400000000508000240000000020800034000"], 0xe8}, 0x1, 0x0, 0x0, 0x4004010}, 0x8090)

program did not crash
single: failed to extract reproducer
bisect: bisecting 12 programs with base timeout 45s
testing program (duration=48s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 7, 5, 3, 1, 29, 2, 7, 5, 6, 3, 1]
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$sock_int(r0, 0x1, 0x2b, &(0x7f0000000140), 0x4)
executing program 0:
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000040)={'vcan0\x00'})
bind$can_j1939(r0, 0x0, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000400)={'vcan0\x00', <r2=>0x0})
bind$can_j1939(0xffffffffffffffff, &(0x7f0000000080)={0x1d, r2, 0x0, {0x0, 0x0, 0x4}, 0xfe}, 0x18)
sendmsg$nl_route_sched(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000007c0)=@newtfilter={0x24, 0x11, 0x111, 0x70bd27, 0x100000, {0x0, 0x0, 0x74, r2, {0x6, 0xfff2}, {0x5, 0xfff3}, {0xd, 0xffe0}}}, 0x24}, 0x1, 0xf0ffffffffffff, 0x0, 0x4010}, 0xc4)
executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'xchacha20\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000300)="c99b57381801238c09d0ff0f1d0dbd301e5a47b2f3caa73dcd2a6a370554", 0x1e)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$NL80211_CMD_SET_COALESCE(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000700)=ANY=[@ANYBLOB="40030000", @ANYRES16=0x0, @ANYBLOB="00012abd7000fedbdf25650000000c0099000100000036000000a8010380cc000080c500010029fcbc4582f8c6133a22024417909aa2e97e887a13d9e1f266c314ee6662477fae9f5e6fab4d1316b9cc24c3da833c143adf43a9c36fdb941d8e13eccbac0efc7f61ae3c08667eaa4b49e52dfe22da7ab45989cf3363c81052c6de85445c8c3bd94c3f88d8d47e1d36d0945c43be617982253e985c2f1861b672d612fedc9b9aa7070690acef0c913e7d495c814ecec1f4939c334a8e50f609f8402b8f9b983e0e685e9866b076b2c3bbd1a1092420d27d9387746e1e22433ba630d4b269468736000000d8000080d100010017b5b46dc5dd6d251baacd2d4c88196750185b5c2b225a818595d4f24a57f3ffda5734d40179d0efcbf154ab3c999fb26b4aeedc42168f4197e806f0edc2c085216204025560f6dcbf73ac459da171405c0bb056ce98e48f74e0df8befd8dd4b01f88d24cf5c8ad54bf4422867424bb660336422940bdb78186830662c15e5480f0bfbed3e7bf66a6adeb167e18a5f306543fb4ff05f979f05e2c880fa1fc31b34b070c273d77d18c4faf4b64efe193578b956d27e9a0da7046c9dfe218de2763e2d034aa592f3c6cc311ec1cd00000008000200000000000800020001000000680103800c0000800800030005000000fc000080f5000200d028a22a4c5335553605a9e1769d6ba2f18f9343683b9d43a9ff7dbef9f62d06c97ffccfab72cbb9c961013f8efb5229c2403b3167f79b8b540339b0eb574873e95467781f1d6d76b4e55f5e92e65b1491d5bfbd1f6ae863a0bededb6e6aeee837a127ae0b146eb4e7854f3f053fad43f40385336437ac83e9a529fa78f5467acb9bacbafc3ec95cfa74779f9a2d5545130a654a64a974d6c0dd42d209f052540ce63f20b0bd7135fa0afaf9ae6778b2afedd7777a1cac61757dd495f2dade1f1918bba97360e3d70a9b13b8412276db876f4807cd08ca3ef9523d93e7b97a5151c7db78933f1cf66309da124624f3a1030000215c00008056000200f633055af84e517bab7436de4aa2cec1f93104314fed79a9fd20488323cab279c40b5bf9c3aa3a4ebfaba41fad7456a7db1859a0fe3397766f0961e9f014164bb0cf01838fef5c0cce8b2771f0dbb6e49fd10000"], 0x340}, 0x1, 0x0, 0x0, 0xd0}, 0x4048010)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'bridge0\x00', <r1=>0x0})
sendmsg$nl_route(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=@newlink={0x60, 0x10, 0x401, 0x4, 0x0, {0x0, 0x0, 0x0, 0x0, 0x503}, [@IFLA_LINKINFO={0x38, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x28, 0x2, 0x0, 0x1, [@IFLA_VLAN_INGRESS_QOS={0x1c, 0x4, 0x0, 0x1, [@IFLA_VLAN_QOS_MAPPING={0xc, 0x1, {0x10000, 0x8}}, @IFLA_VLAN_QOS_MAPPING={0xc, 0x1, {0x200, 0x3}}]}, @IFLA_VLAN_ID={0x6, 0x1, 0x3}]}}}, @IFLA_LINK={0x8, 0x5, r1}]}, 0x60}, 0x1, 0x0, 0x0, 0x20004800}, 0x4000000)
executing program 0:
mremap(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x1000, 0x2, &(0x7f0000ffe000/0x1000)=nil)
executing program 0:
r0 = syz_io_uring_setup(0x3676, &(0x7f000000a9c0)={0x0, 0x3468, 0x0, 0x0, 0x10000000}, &(0x7f000000aa40), &(0x7f000000aa80))
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000280)={&(0x7f00000002c0)='kmem_cache_free\x00'}, 0x10)
r1 = openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
readv(r1, &(0x7f0000000200), 0x0)
io_uring_register$IORING_REGISTER_FILES(r0, 0x2, &(0x7f0000000180), 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
socket$key(0xf, 0x3, 0x2)
r2 = socket$nl_xfrm(0x10, 0x3, 0x6)
io_setup(0xd, 0x0)
clock_gettime(0x0, &(0x7f0000000400))
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8)
r3 = getpid()
sched_setaffinity(0x0, 0x0, 0x0)
sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
connect$unix(r4, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000006900000000000001000000940000000fad413e850000000700000095"], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r6}, 0x10)
io_submit(0x0, 0x0, 0x0)
r7 = syz_open_dev$vcsn(&(0x7f0000000080), 0x838400000000, 0x80401)
syz_genetlink_get_family_id$tipc(&(0x7f0000000040), r7)
sendmsg$nl_xfrm(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000500)=@newsa={0x150, 0x10, 0x413, 0x70bd29, 0x0, {{@in=@empty, @in6=@rand_addr=' \x01\x00', 0x0, 0x0, 0x4e24, 0x0, 0xa, 0x0, 0x20, 0x21}, {@in=@multicast1, 0x0, 0x32}, @in6=@loopback={0x100000000000000}, {0x0, 0x2, 0x0, 0x0, 0x8, 0x80000, 0x81}, {0x0, 0x5, 0x4, 0x4000006}, {0x0, 0xfffffff9, 0x80000}, 0x0, 0x0, 0x2, 0x4, 0x81, 0x68}, [@algo_aead={0x5d, 0x12, {{'rfc4106(gcm(aes))\x00'}, 0x88, 0x80, "25cac5216d3c8af0aa76902918bf448c5d"}}]}, 0x150}, 0x1, 0x0, 0x0, 0x612fc0b6c779297b}, 0x0)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000001840)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01080000000000000000010000000900010073797a300000000040000000030a01080000000000001e00010000000900030073797a320000000014000480080002400000000008000140000000030900010073797a300000000060000000060a010400000000000000000100000008000b40000000000900010073797a300000000038000480340001800c0001007061796c6f61640024000280080001400000000e080004400000000508000240000000020800034000"], 0xe8}, 0x1, 0x0, 0x0, 0x4004010}, 0x8090)
executing program 1:
r0 = socket$kcm(0x10, 0x2, 0x4)
sendmsg$kcm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000440)="9f000000120081ae08060cdc030ec0007f03e3f70000000000e2ffca1b1f0000000004c00e72f750375ed08a56331dbf9ed7811e381ad6e747033a0093b837dc6cc01e32efaec8c7a6ec08123d00020039000140010000009bbc7a46e3988285dcdf12f21308f868fece01955fed0009d78f0a947ee2b49e33538afa8af92347514f0b56a20ff27fff55e461247604821d35c86ee54bbab3eaf8956e2ca426", 0x9f}], 0x1}, 0x0)
executing program 1:
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000040)={'vcan0\x00', <r1=>0x0})
bind$can_j1939(r0, &(0x7f0000000000)={0x1d, r1}, 0x18)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000000080)={0x1d, 0x0, 0x0, {0x0, 0x0, 0x4}, 0xfe}, 0x18)
sendmsg$nl_route_sched(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000007c0)=@newtfilter={0x24, 0x11, 0x111, 0x70bd27, 0x100000, {0x0, 0x0, 0x74, 0x0, {0x6, 0xfff2}, {0x5, 0xfff3}, {0xd, 0xffe0}}}, 0x24}, 0x1, 0xf0ffffffffffff, 0x0, 0x4010}, 0xc4)
executing program 1:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'xchacha20\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000300)="c99b57381801238c09d0ff0f1d0dbd301e5a47b2f3caa73dcd2a6a37055437", 0x1f)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$NL80211_CMD_SET_COALESCE(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000700)=ANY=[@ANYBLOB="40030000", @ANYRES16=0x0, @ANYBLOB="00012abd7000fedbdf25650000000c0099000100000036000000a8010380cc000080c500010029fcbc4582f8c6133a22024417909aa2e97e887a13d9e1f266c314ee6662477fae9f5e6fab4d1316b9cc24c3da833c143adf43a9c36fdb941d8e13eccbac0efc7f61ae3c08667eaa4b49e52dfe22da7ab45989cf3363c81052c6de85445c8c3bd94c3f88d8d47e1d36d0945c43be617982253e985c2f1861b672d612fedc9b9aa7070690acef0c913e7d495c814ecec1f4939c334a8e50f609f8402b8f9b983e0e685e9866b076b2c3bbd1a1092420d27d9387746e1e22433ba630d4b269468736000000d8000080d100010017b5b46dc5dd6d251baacd2d4c88196750185b5c2b225a818595d4f24a57f3ffda5734d40179d0efcbf154ab3c999fb26b4aeedc42168f4197e806f0edc2c085216204025560f6dcbf73ac459da171405c0bb056ce98e48f74e0df8befd8dd4b01f88d24cf5c8ad54bf4422867424bb660336422940bdb78186830662c15e5480f0bfbed3e7bf66a6adeb167e18a5f306543fb4ff05f979f05e2c880fa1fc31b34b070c273d77d18c4faf4b64efe193578b956d27e9a0da7046c9dfe218de2763e2d034aa592f3c6cc311ec1cd00000008000200000000000800020001000000680103800c0000800800030005000000fc000080f5000200d028a22a4c5335553605a9e1769d6ba2f18f9343683b9d43a9ff7dbef9f62d06c97ffccfab72cbb9c961013f8efb5229c2403b3167f79b8b540339b0eb574873e95467781f1d6d76b4e55f5e92e65b1491d5bfbd1f6ae863a0bededb6e6aeee837a127ae0b146eb4e7854f3f053fad43f40385336437ac83e9a529fa78f5467acb9bacbafc3ec95cfa74779f9a2d5545130a654a64a974d6c0dd42d209f052540ce63f20b0bd7135fa0afaf9ae6778b2afedd7777a1cac61757dd495f2dade1f1918bba97360e3d70a9b13b8412276db876f4807cd08ca3ef9523d93e7b97a5151c7db78933f1cf66309da124624f3a1030000215c00008056000200f633055af84e517bab7436de4aa2cec1f93104314fed79a9fd20488323cab279c40b5bf9c3aa3a4ebfaba41fad7456a7db1859a0fe3397766f0961e9f014164bb0cf01838fef5c0cce8b2771f0dbb6e49fd10000"], 0x340}, 0x1, 0x0, 0x0, 0xd0}, 0x4048010)
executing program 1:
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
sendmmsg(r0, &(0x7f0000002840)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20044000)
sendmsg$inet(r0, 0x0, 0x20000084)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000740), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_FLUSH_ADDRS(r1, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000400)={0x14, r2, 0x1, 0x70bd2c, 0x25dfdbff}, 0x14}, 0x1, 0x0, 0x0, 0x2000c810}, 0x800)
executing program 1:
r0 = syz_open_dev$midi(0x0, 0x2, 0x20000)
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, &(0x7f0000000180)={0x8001001e, 0xe, 0x8}, 0x10)
ioctl$SNDRV_RAWMIDI_IOCTL_INFO(r0, 0x810c5701, &(0x7f0000000180))
executing program 1:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 2 programs separately with timeout 5m0s
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_io_uring_setup-bpf$BPF_RAW_TRACEPOINT_OPEN-openat$sndtimer-bpf$MAP_CREATE_CONST_STR-readv-io_uring_register$IORING_REGISTER_FILES-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$key-socket$nl_xfrm-io_setup-clock_gettime-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-io_submit-syz_open_dev$vcsn-syz_genetlink_get_family_id$tipc-sendmsg$nl_xfrm-socket$nl_netfilter-sendmsg$NFT_BATCH
detailed listing:
executing program 0:
r0 = syz_io_uring_setup(0x3676, &(0x7f000000a9c0)={0x0, 0x3468, 0x0, 0x0, 0x10000000}, &(0x7f000000aa40), &(0x7f000000aa80))
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000280)={&(0x7f00000002c0)='kmem_cache_free\x00'}, 0x10)
r1 = openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
readv(r1, &(0x7f0000000200), 0x0)
io_uring_register$IORING_REGISTER_FILES(r0, 0x2, &(0x7f0000000180), 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
socket$key(0xf, 0x3, 0x2)
r2 = socket$nl_xfrm(0x10, 0x3, 0x6)
io_setup(0xd, 0x0)
clock_gettime(0x0, &(0x7f0000000400))
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8)
r3 = getpid()
sched_setaffinity(0x0, 0x0, 0x0)
sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
connect$unix(r4, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000006900000000000001000000940000000fad413e850000000700000095"], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r6}, 0x10)
io_submit(0x0, 0x0, 0x0)
r7 = syz_open_dev$vcsn(&(0x7f0000000080), 0x838400000000, 0x80401)
syz_genetlink_get_family_id$tipc(&(0x7f0000000040), r7)
sendmsg$nl_xfrm(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000500)=@newsa={0x150, 0x10, 0x413, 0x70bd29, 0x0, {{@in=@empty, @in6=@rand_addr=' \x01\x00', 0x0, 0x0, 0x4e24, 0x0, 0xa, 0x0, 0x20, 0x21}, {@in=@multicast1, 0x0, 0x32}, @in6=@loopback={0x100000000000000}, {0x0, 0x2, 0x0, 0x0, 0x8, 0x80000, 0x81}, {0x0, 0x5, 0x4, 0x4000006}, {0x0, 0xfffffff9, 0x80000}, 0x0, 0x0, 0x2, 0x4, 0x81, 0x68}, [@algo_aead={0x5d, 0x12, {{'rfc4106(gcm(aes))\x00'}, 0x88, 0x80, "25cac5216d3c8af0aa76902918bf448c5d"}}]}, 0x150}, 0x1, 0x0, 0x0, 0x612fc0b6c779297b}, 0x0)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000001840)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01080000000000000000010000000900010073797a300000000040000000030a01080000000000001e00010000000900030073797a320000000014000480080002400000000008000140000000030900010073797a300000000060000000060a010400000000000000000100000008000b40000000000900010073797a300000000038000480340001800c0001007061796c6f61640024000280080001400000000e080004400000000508000240000000020800034000"], 0xe8}, 0x1, 0x0, 0x0, 0x4004010}, 0x8090)

program did not crash
single: failed to extract reproducer
bisect: bisecting 12 programs with base timeout 5m0s
testing program (duration=5m3s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 7, 5, 3, 1, 29, 2, 7, 5, 6, 3, 1]
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$sock_int(r0, 0x1, 0x2b, &(0x7f0000000140), 0x4)
executing program 0:
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000040)={'vcan0\x00'})
bind$can_j1939(r0, 0x0, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000400)={'vcan0\x00', <r2=>0x0})
bind$can_j1939(0xffffffffffffffff, &(0x7f0000000080)={0x1d, r2, 0x0, {0x0, 0x0, 0x4}, 0xfe}, 0x18)
sendmsg$nl_route_sched(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000007c0)=@newtfilter={0x24, 0x11, 0x111, 0x70bd27, 0x100000, {0x0, 0x0, 0x74, r2, {0x6, 0xfff2}, {0x5, 0xfff3}, {0xd, 0xffe0}}}, 0x24}, 0x1, 0xf0ffffffffffff, 0x0, 0x4010}, 0xc4)
executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'xchacha20\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000300)="c99b57381801238c09d0ff0f1d0dbd301e5a47b2f3caa73dcd2a6a370554", 0x1e)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$NL80211_CMD_SET_COALESCE(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000700)=ANY=[@ANYBLOB="40030000", @ANYRES16=0x0, @ANYBLOB="00012abd7000fedbdf25650000000c0099000100000036000000a8010380cc000080c500010029fcbc4582f8c6133a22024417909aa2e97e887a13d9e1f266c314ee6662477fae9f5e6fab4d1316b9cc24c3da833c143adf43a9c36fdb941d8e13eccbac0efc7f61ae3c08667eaa4b49e52dfe22da7ab45989cf3363c81052c6de85445c8c3bd94c3f88d8d47e1d36d0945c43be617982253e985c2f1861b672d612fedc9b9aa7070690acef0c913e7d495c814ecec1f4939c334a8e50f609f8402b8f9b983e0e685e9866b076b2c3bbd1a1092420d27d9387746e1e22433ba630d4b269468736000000d8000080d100010017b5b46dc5dd6d251baacd2d4c88196750185b5c2b225a818595d4f24a57f3ffda5734d40179d0efcbf154ab3c999fb26b4aeedc42168f4197e806f0edc2c085216204025560f6dcbf73ac459da171405c0bb056ce98e48f74e0df8befd8dd4b01f88d24cf5c8ad54bf4422867424bb660336422940bdb78186830662c15e5480f0bfbed3e7bf66a6adeb167e18a5f306543fb4ff05f979f05e2c880fa1fc31b34b070c273d77d18c4faf4b64efe193578b956d27e9a0da7046c9dfe218de2763e2d034aa592f3c6cc311ec1cd00000008000200000000000800020001000000680103800c0000800800030005000000fc000080f5000200d028a22a4c5335553605a9e1769d6ba2f18f9343683b9d43a9ff7dbef9f62d06c97ffccfab72cbb9c961013f8efb5229c2403b3167f79b8b540339b0eb574873e95467781f1d6d76b4e55f5e92e65b1491d5bfbd1f6ae863a0bededb6e6aeee837a127ae0b146eb4e7854f3f053fad43f40385336437ac83e9a529fa78f5467acb9bacbafc3ec95cfa74779f9a2d5545130a654a64a974d6c0dd42d209f052540ce63f20b0bd7135fa0afaf9ae6778b2afedd7777a1cac61757dd495f2dade1f1918bba97360e3d70a9b13b8412276db876f4807cd08ca3ef9523d93e7b97a5151c7db78933f1cf66309da124624f3a1030000215c00008056000200f633055af84e517bab7436de4aa2cec1f93104314fed79a9fd20488323cab279c40b5bf9c3aa3a4ebfaba41fad7456a7db1859a0fe3397766f0961e9f014164bb0cf01838fef5c0cce8b2771f0dbb6e49fd10000"], 0x340}, 0x1, 0x0, 0x0, 0xd0}, 0x4048010)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'bridge0\x00', <r1=>0x0})
sendmsg$nl_route(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=@newlink={0x60, 0x10, 0x401, 0x4, 0x0, {0x0, 0x0, 0x0, 0x0, 0x503}, [@IFLA_LINKINFO={0x38, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x28, 0x2, 0x0, 0x1, [@IFLA_VLAN_INGRESS_QOS={0x1c, 0x4, 0x0, 0x1, [@IFLA_VLAN_QOS_MAPPING={0xc, 0x1, {0x10000, 0x8}}, @IFLA_VLAN_QOS_MAPPING={0xc, 0x1, {0x200, 0x3}}]}, @IFLA_VLAN_ID={0x6, 0x1, 0x3}]}}}, @IFLA_LINK={0x8, 0x5, r1}]}, 0x60}, 0x1, 0x0, 0x0, 0x20004800}, 0x4000000)
executing program 0:
mremap(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x1000, 0x2, &(0x7f0000ffe000/0x1000)=nil)
executing program 0:
r0 = syz_io_uring_setup(0x3676, &(0x7f000000a9c0)={0x0, 0x3468, 0x0, 0x0, 0x10000000}, &(0x7f000000aa40), &(0x7f000000aa80))
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000280)={&(0x7f00000002c0)='kmem_cache_free\x00'}, 0x10)
r1 = openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
readv(r1, &(0x7f0000000200), 0x0)
io_uring_register$IORING_REGISTER_FILES(r0, 0x2, &(0x7f0000000180), 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
socket$key(0xf, 0x3, 0x2)
r2 = socket$nl_xfrm(0x10, 0x3, 0x6)
io_setup(0xd, 0x0)
clock_gettime(0x0, &(0x7f0000000400))
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8)
r3 = getpid()
sched_setaffinity(0x0, 0x0, 0x0)
sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
connect$unix(r4, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000006900000000000001000000940000000fad413e850000000700000095"], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r6}, 0x10)
io_submit(0x0, 0x0, 0x0)
r7 = syz_open_dev$vcsn(&(0x7f0000000080), 0x838400000000, 0x80401)
syz_genetlink_get_family_id$tipc(&(0x7f0000000040), r7)
sendmsg$nl_xfrm(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000500)=@newsa={0x150, 0x10, 0x413, 0x70bd29, 0x0, {{@in=@empty, @in6=@rand_addr=' \x01\x00', 0x0, 0x0, 0x4e24, 0x0, 0xa, 0x0, 0x20, 0x21}, {@in=@multicast1, 0x0, 0x32}, @in6=@loopback={0x100000000000000}, {0x0, 0x2, 0x0, 0x0, 0x8, 0x80000, 0x81}, {0x0, 0x5, 0x4, 0x4000006}, {0x0, 0xfffffff9, 0x80000}, 0x0, 0x0, 0x2, 0x4, 0x81, 0x68}, [@algo_aead={0x5d, 0x12, {{'rfc4106(gcm(aes))\x00'}, 0x88, 0x80, "25cac5216d3c8af0aa76902918bf448c5d"}}]}, 0x150}, 0x1, 0x0, 0x0, 0x612fc0b6c779297b}, 0x0)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000001840)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01080000000000000000010000000900010073797a300000000040000000030a01080000000000001e00010000000900030073797a320000000014000480080002400000000008000140000000030900010073797a300000000060000000060a010400000000000000000100000008000b40000000000900010073797a300000000038000480340001800c0001007061796c6f61640024000280080001400000000e080004400000000508000240000000020800034000"], 0xe8}, 0x1, 0x0, 0x0, 0x4004010}, 0x8090)
executing program 1:
r0 = socket$kcm(0x10, 0x2, 0x4)
sendmsg$kcm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000440)="9f000000120081ae08060cdc030ec0007f03e3f70000000000e2ffca1b1f0000000004c00e72f750375ed08a56331dbf9ed7811e381ad6e747033a0093b837dc6cc01e32efaec8c7a6ec08123d00020039000140010000009bbc7a46e3988285dcdf12f21308f868fece01955fed0009d78f0a947ee2b49e33538afa8af92347514f0b56a20ff27fff55e461247604821d35c86ee54bbab3eaf8956e2ca426", 0x9f}], 0x1}, 0x0)
executing program 1:
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000040)={'vcan0\x00', <r1=>0x0})
bind$can_j1939(r0, &(0x7f0000000000)={0x1d, r1}, 0x18)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000000080)={0x1d, 0x0, 0x0, {0x0, 0x0, 0x4}, 0xfe}, 0x18)
sendmsg$nl_route_sched(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000007c0)=@newtfilter={0x24, 0x11, 0x111, 0x70bd27, 0x100000, {0x0, 0x0, 0x74, 0x0, {0x6, 0xfff2}, {0x5, 0xfff3}, {0xd, 0xffe0}}}, 0x24}, 0x1, 0xf0ffffffffffff, 0x0, 0x4010}, 0xc4)
executing program 1:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'xchacha20\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000300)="c99b57381801238c09d0ff0f1d0dbd301e5a47b2f3caa73dcd2a6a37055437", 0x1f)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$NL80211_CMD_SET_COALESCE(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000700)=ANY=[@ANYBLOB="40030000", @ANYRES16=0x0, @ANYBLOB="00012abd7000fedbdf25650000000c0099000100000036000000a8010380cc000080c500010029fcbc4582f8c6133a22024417909aa2e97e887a13d9e1f266c314ee6662477fae9f5e6fab4d1316b9cc24c3da833c143adf43a9c36fdb941d8e13eccbac0efc7f61ae3c08667eaa4b49e52dfe22da7ab45989cf3363c81052c6de85445c8c3bd94c3f88d8d47e1d36d0945c43be617982253e985c2f1861b672d612fedc9b9aa7070690acef0c913e7d495c814ecec1f4939c334a8e50f609f8402b8f9b983e0e685e9866b076b2c3bbd1a1092420d27d9387746e1e22433ba630d4b269468736000000d8000080d100010017b5b46dc5dd6d251baacd2d4c88196750185b5c2b225a818595d4f24a57f3ffda5734d40179d0efcbf154ab3c999fb26b4aeedc42168f4197e806f0edc2c085216204025560f6dcbf73ac459da171405c0bb056ce98e48f74e0df8befd8dd4b01f88d24cf5c8ad54bf4422867424bb660336422940bdb78186830662c15e5480f0bfbed3e7bf66a6adeb167e18a5f306543fb4ff05f979f05e2c880fa1fc31b34b070c273d77d18c4faf4b64efe193578b956d27e9a0da7046c9dfe218de2763e2d034aa592f3c6cc311ec1cd00000008000200000000000800020001000000680103800c0000800800030005000000fc000080f5000200d028a22a4c5335553605a9e1769d6ba2f18f9343683b9d43a9ff7dbef9f62d06c97ffccfab72cbb9c961013f8efb5229c2403b3167f79b8b540339b0eb574873e95467781f1d6d76b4e55f5e92e65b1491d5bfbd1f6ae863a0bededb6e6aeee837a127ae0b146eb4e7854f3f053fad43f40385336437ac83e9a529fa78f5467acb9bacbafc3ec95cfa74779f9a2d5545130a654a64a974d6c0dd42d209f052540ce63f20b0bd7135fa0afaf9ae6778b2afedd7777a1cac61757dd495f2dade1f1918bba97360e3d70a9b13b8412276db876f4807cd08ca3ef9523d93e7b97a5151c7db78933f1cf66309da124624f3a1030000215c00008056000200f633055af84e517bab7436de4aa2cec1f93104314fed79a9fd20488323cab279c40b5bf9c3aa3a4ebfaba41fad7456a7db1859a0fe3397766f0961e9f014164bb0cf01838fef5c0cce8b2771f0dbb6e49fd10000"], 0x340}, 0x1, 0x0, 0x0, 0xd0}, 0x4048010)
executing program 1:
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
sendmmsg(r0, &(0x7f0000002840)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20044000)
sendmsg$inet(r0, 0x0, 0x20000084)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000740), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_FLUSH_ADDRS(r1, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000400)={0x14, r2, 0x1, 0x70bd2c, 0x25dfdbff}, 0x14}, 0x1, 0x0, 0x0, 0x2000c810}, 0x800)
executing program 1:
r0 = syz_open_dev$midi(0x0, 0x2, 0x20000)
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, &(0x7f0000000180)={0x8001001e, 0xe, 0x8}, 0x10)
ioctl$SNDRV_RAWMIDI_IOCTL_INFO(r0, 0x810c5701, &(0x7f0000000180))
executing program 1:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program crashed: WARNING: refcount bug in hdm_disconnect
bisect: bisecting 12 programs
bisect: split chunks (needed=false): <12>
bisect: split chunk #0 of len 12 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=5m2s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 29, 2, 7, 5, 6, 3, 1]
detailed listing:
executing program 0:
mremap(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x1000, 0x2, &(0x7f0000ffe000/0x1000)=nil)
executing program 0:
r0 = syz_io_uring_setup(0x3676, &(0x7f000000a9c0)={0x0, 0x3468, 0x0, 0x0, 0x10000000}, &(0x7f000000aa40), &(0x7f000000aa80))
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000280)={&(0x7f00000002c0)='kmem_cache_free\x00'}, 0x10)
r1 = openat$sndtimer(0xffffffffffffff9c, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
readv(r1, &(0x7f0000000200), 0x0)
io_uring_register$IORING_REGISTER_FILES(r0, 0x2, &(0x7f0000000180), 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
socket$key(0xf, 0x3, 0x2)
r2 = socket$nl_xfrm(0x10, 0x3, 0x6)
io_setup(0xd, 0x0)
clock_gettime(0x0, &(0x7f0000000400))
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8)
r3 = getpid()
sched_setaffinity(0x0, 0x0, 0x0)
sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
connect$unix(r4, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000006900000000000001000000940000000fad413e850000000700000095"], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r6}, 0x10)
io_submit(0x0, 0x0, 0x0)
r7 = syz_open_dev$vcsn(&(0x7f0000000080), 0x838400000000, 0x80401)
syz_genetlink_get_family_id$tipc(&(0x7f0000000040), r7)
sendmsg$nl_xfrm(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000500)=@newsa={0x150, 0x10, 0x413, 0x70bd29, 0x0, {{@in=@empty, @in6=@rand_addr=' \x01\x00', 0x0, 0x0, 0x4e24, 0x0, 0xa, 0x0, 0x20, 0x21}, {@in=@multicast1, 0x0, 0x32}, @in6=@loopback={0x100000000000000}, {0x0, 0x2, 0x0, 0x0, 0x8, 0x80000, 0x81}, {0x0, 0x5, 0x4, 0x4000006}, {0x0, 0xfffffff9, 0x80000}, 0x0, 0x0, 0x2, 0x4, 0x81, 0x68}, [@algo_aead={0x5d, 0x12, {{'rfc4106(gcm(aes))\x00'}, 0x88, 0x80, "25cac5216d3c8af0aa76902918bf448c5d"}}]}, 0x150}, 0x1, 0x0, 0x0, 0x612fc0b6c779297b}, 0x0)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000001840)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01080000000000000000010000000900010073797a300000000040000000030a01080000000000001e00010000000900030073797a320000000014000480080002400000000008000140000000030900010073797a300000000060000000060a010400000000000000000100000008000b40000000000900010073797a300000000038000480340001800c0001007061796c6f61640024000280080001400000000e080004400000000508000240000000020800034000"], 0xe8}, 0x1, 0x0, 0x0, 0x4004010}, 0x8090)
executing program 1:
r0 = socket$kcm(0x10, 0x2, 0x4)
sendmsg$kcm(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000440)="9f000000120081ae08060cdc030ec0007f03e3f70000000000e2ffca1b1f0000000004c00e72f750375ed08a56331dbf9ed7811e381ad6e747033a0093b837dc6cc01e32efaec8c7a6ec08123d00020039000140010000009bbc7a46e3988285dcdf12f21308f868fece01955fed0009d78f0a947ee2b49e33538afa8af92347514f0b56a20ff27fff55e461247604821d35c86ee54bbab3eaf8956e2ca426", 0x9f}], 0x1}, 0x0)
executing program 1:
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000040)={'vcan0\x00', <r1=>0x0})
bind$can_j1939(r0, &(0x7f0000000000)={0x1d, r1}, 0x18)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, 0x0)
bind$can_j1939(0xffffffffffffffff, &(0x7f0000000080)={0x1d, 0x0, 0x0, {0x0, 0x0, 0x4}, 0xfe}, 0x18)
sendmsg$nl_route_sched(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000007c0)=@newtfilter={0x24, 0x11, 0x111, 0x70bd27, 0x100000, {0x0, 0x0, 0x74, 0x0, {0x6, 0xfff2}, {0x5, 0xfff3}, {0xd, 0xffe0}}}, 0x24}, 0x1, 0xf0ffffffffffff, 0x0, 0x4010}, 0xc4)
executing program 1:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'xchacha20\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000300)="c99b57381801238c09d0ff0f1d0dbd301e5a47b2f3caa73dcd2a6a37055437", 0x1f)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$NL80211_CMD_SET_COALESCE(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000700)=ANY=[@ANYBLOB="40030000", @ANYRES16=0x0, @ANYBLOB="00012abd7000fedbdf25650000000c0099000100000036000000a8010380cc000080c500010029fcbc4582f8c6133a22024417909aa2e97e887a13d9e1f266c314ee6662477fae9f5e6fab4d1316b9cc24c3da833c143adf43a9c36fdb941d8e13eccbac0efc7f61ae3c08667eaa4b49e52dfe22da7ab45989cf3363c81052c6de85445c8c3bd94c3f88d8d47e1d36d0945c43be617982253e985c2f1861b672d612fedc9b9aa7070690acef0c913e7d495c814ecec1f4939c334a8e50f609f8402b8f9b983e0e685e9866b076b2c3bbd1a1092420d27d9387746e1e22433ba630d4b269468736000000d8000080d100010017b5b46dc5dd6d251baacd2d4c88196750185b5c2b225a818595d4f24a57f3ffda5734d40179d0efcbf154ab3c999fb26b4aeedc42168f4197e806f0edc2c085216204025560f6dcbf73ac459da171405c0bb056ce98e48f74e0df8befd8dd4b01f88d24cf5c8ad54bf4422867424bb660336422940bdb78186830662c15e5480f0bfbed3e7bf66a6adeb167e18a5f306543fb4ff05f979f05e2c880fa1fc31b34b070c273d77d18c4faf4b64efe193578b956d27e9a0da7046c9dfe218de2763e2d034aa592f3c6cc311ec1cd00000008000200000000000800020001000000680103800c0000800800030005000000fc000080f5000200d028a22a4c5335553605a9e1769d6ba2f18f9343683b9d43a9ff7dbef9f62d06c97ffccfab72cbb9c961013f8efb5229c2403b3167f79b8b540339b0eb574873e95467781f1d6d76b4e55f5e92e65b1491d5bfbd1f6ae863a0bededb6e6aeee837a127ae0b146eb4e7854f3f053fad43f40385336437ac83e9a529fa78f5467acb9bacbafc3ec95cfa74779f9a2d5545130a654a64a974d6c0dd42d209f052540ce63f20b0bd7135fa0afaf9ae6778b2afedd7777a1cac61757dd495f2dade1f1918bba97360e3d70a9b13b8412276db876f4807cd08ca3ef9523d93e7b97a5151c7db78933f1cf66309da124624f3a1030000215c00008056000200f633055af84e517bab7436de4aa2cec1f93104314fed79a9fd20488323cab279c40b5bf9c3aa3a4ebfaba41fad7456a7db1859a0fe3397766f0961e9f014164bb0cf01838fef5c0cce8b2771f0dbb6e49fd10000"], 0x340}, 0x1, 0x0, 0x0, 0xd0}, 0x4048010)
executing program 1:
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
sendmmsg(r0, &(0x7f0000002840)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20044000)
sendmsg$inet(r0, 0x0, 0x20000084)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000740), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_FLUSH_ADDRS(r1, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000400)={0x14, r2, 0x1, 0x70bd2c, 0x25dfdbff}, 0x14}, 0x1, 0x0, 0x0, 0x2000c810}, 0x800)
executing program 1:
r0 = syz_open_dev$midi(0x0, 0x2, 0x20000)
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, &(0x7f0000000180)={0x8001001e, 0xe, 0x8}, 0x10)
ioctl$SNDRV_RAWMIDI_IOCTL_INFO(r0, 0x810c5701, &(0x7f0000000180))
executing program 1:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program crashed: WARNING: refcount bug in hdm_disconnect
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=5m1s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 6, 3, 1]
detailed listing:
executing program 1:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f00000001c0)={0x26, 'skcipher\x00', 0x0, 0x0, 'xchacha20\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000300)="c99b57381801238c09d0ff0f1d0dbd301e5a47b2f3caa73dcd2a6a37055437", 0x1f)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$NL80211_CMD_SET_COALESCE(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000700)=ANY=[@ANYBLOB="40030000", @ANYRES16=0x0, @ANYBLOB="00012abd7000fedbdf25650000000c0099000100000036000000a8010380cc000080c500010029fcbc4582f8c6133a22024417909aa2e97e887a13d9e1f266c314ee6662477fae9f5e6fab4d1316b9cc24c3da833c143adf43a9c36fdb941d8e13eccbac0efc7f61ae3c08667eaa4b49e52dfe22da7ab45989cf3363c81052c6de85445c8c3bd94c3f88d8d47e1d36d0945c43be617982253e985c2f1861b672d612fedc9b9aa7070690acef0c913e7d495c814ecec1f4939c334a8e50f609f8402b8f9b983e0e685e9866b076b2c3bbd1a1092420d27d9387746e1e22433ba630d4b269468736000000d8000080d100010017b5b46dc5dd6d251baacd2d4c88196750185b5c2b225a818595d4f24a57f3ffda5734d40179d0efcbf154ab3c999fb26b4aeedc42168f4197e806f0edc2c085216204025560f6dcbf73ac459da171405c0bb056ce98e48f74e0df8befd8dd4b01f88d24cf5c8ad54bf4422867424bb660336422940bdb78186830662c15e5480f0bfbed3e7bf66a6adeb167e18a5f306543fb4ff05f979f05e2c880fa1fc31b34b070c273d77d18c4faf4b64efe193578b956d27e9a0da7046c9dfe218de2763e2d034aa592f3c6cc311ec1cd00000008000200000000000800020001000000680103800c0000800800030005000000fc000080f5000200d028a22a4c5335553605a9e1769d6ba2f18f9343683b9d43a9ff7dbef9f62d06c97ffccfab72cbb9c961013f8efb5229c2403b3167f79b8b540339b0eb574873e95467781f1d6d76b4e55f5e92e65b1491d5bfbd1f6ae863a0bededb6e6aeee837a127ae0b146eb4e7854f3f053fad43f40385336437ac83e9a529fa78f5467acb9bacbafc3ec95cfa74779f9a2d5545130a654a64a974d6c0dd42d209f052540ce63f20b0bd7135fa0afaf9ae6778b2afedd7777a1cac61757dd495f2dade1f1918bba97360e3d70a9b13b8412276db876f4807cd08ca3ef9523d93e7b97a5151c7db78933f1cf66309da124624f3a1030000215c00008056000200f633055af84e517bab7436de4aa2cec1f93104314fed79a9fd20488323cab279c40b5bf9c3aa3a4ebfaba41fad7456a7db1859a0fe3397766f0961e9f014164bb0cf01838fef5c0cce8b2771f0dbb6e49fd10000"], 0x340}, 0x1, 0x0, 0x0, 0xd0}, 0x4048010)
executing program 1:
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
sendmmsg(r0, &(0x7f0000002840)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20044000)
sendmsg$inet(r0, 0x0, 0x20000084)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000740), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_FLUSH_ADDRS(r1, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000400)={0x14, r2, 0x1, 0x70bd2c, 0x25dfdbff}, 0x14}, 0x1, 0x0, 0x0, 0x2000c810}, 0x800)
executing program 1:
r0 = syz_open_dev$midi(0x0, 0x2, 0x20000)
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, &(0x7f0000000180)={0x8001001e, 0xe, 0x8}, 0x10)
ioctl$SNDRV_RAWMIDI_IOCTL_INFO(r0, 0x810c5701, &(0x7f0000000180))
executing program 1:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program crashed: WARNING: refcount bug in hdm_disconnect
bisect: the chunk can be dropped
bisect: testing without sub-chunk 3/3
bisect: split chunks (needed=true): <4>
bisect: split chunk #0 of len 4 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 1]
detailed listing:
executing program 1:
r0 = syz_open_dev$midi(0x0, 0x2, 0x20000)
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, &(0x7f0000000180)={0x8001001e, 0xe, 0x8}, 0x10)
ioctl$SNDRV_RAWMIDI_IOCTL_INFO(r0, 0x810c5701, &(0x7f0000000180))
executing program 1:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program crashed: WARNING: refcount bug in hdm_disconnect
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <2>
bisect: split chunk #0 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 1:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program crashed: WARNING: refcount bug in hdm_disconnect
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <1>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 1 programs left: 

executing program 1:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)


bisect: trying to concatenate
bisect: concatenate 1 entries
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x5b, 0xcb, 0xd, 0x8, 0x424, 0xcf19, 0xb78b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x20, 0x0, [{{0x9, 0x4, 0x6f, 0x0, 0x0, 0x1e, 0xb9, 0x9f}}]}}]}}, 0x0)

program crashed: WARNING: refcount bug in hdm_disconnect
bisect: concatenation succeeded
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=4m12.499496562s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=4m12.499496562s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING: refcount bug in hdm_disconnect
simplifying C reproducer
testing compiled C program (duration=4m12.499496562s, {Threaded:false Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING: refcount bug in hdm_disconnect
testing compiled C program (duration=4m12.499496562s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING: refcount bug in hdm_disconnect
testing compiled C program (duration=4m12.499496562s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING: refcount bug in hdm_disconnect
testing compiled C program (duration=4m12.499496562s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING: refcount bug in hdm_disconnect
testing compiled C program (duration=4m12.499496562s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING: refcount bug in hdm_disconnect
testing compiled C program (duration=4m12.499496562s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING: refcount bug in hdm_disconnect
reproducing took 50m0.948730719s
repro crashed as (corrupted=false):
usb 1-1: USB disconnect, device number 2
------------[ cut here ]------------
WARNING: CPU: 0 PID: 97 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28
refcount_t: underflow; use-after-free.
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 97 Comm: kworker/0:2 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
Workqueue: usb_hub_wq hub_event
Call trace: 
[<80201a00>] (dump_backtrace) from [<80201afc>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:8282083c r5:00000000 r4:82259bd0
[<80201ae4>] (show_stack) from [<8021fd94>] (__dump_stack lib/dump_stack.c:94 [inline])
[<80201ae4>] (show_stack) from [<8021fd94>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<8021fd40>] (dump_stack_lvl) from [<8021fdd4>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000000 r4:82a6dd18
[<8021fdbc>] (dump_stack) from [<80202614>] (panic+0x120/0x374 kernel/panic.c:382)
[<802024f4>] (panic) from [<802585b8>] (check_panic_on_warn kernel/panic.c:273 [inline])
[<802024f4>] (panic) from [<802585b8>] (get_taint+0x0/0x1c kernel/panic.c:268)
 r3:8280c684 r2:00000001 r1:822406fc r0:822480ac
 r7:808c00f4
[<80258544>] (check_panic_on_warn) from [<8025871c>] (__warn+0x80/0x188 kernel/panic.c:777)
[<8025869c>] (__warn) from [<80258a0c>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:812)
 r8:00000009 r7:822b1be4 r6:df9b5bfc r5:833a1800 r4:00000000
[<80258828>] (warn_slowpath_fmt) from [<808c00f4>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28)
 r10:00000001 r9:829ca3e8 r8:844d4c88 r7:844d6474 r6:8419ffb4 r5:844d6400
 r4:84571800
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (__refcount_sub_and_test include/linux/refcount.h:400 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (__refcount_dec_and_test include/linux/refcount.h:432 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (refcount_dec_and_test include/linux/refcount.h:450 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (kref_put include/linux/kref.h:64 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (kobject_put+0x158/0x1f4 lib/kobject.c:737)
[<819fcd30>] (kobject_put) from [<80b307e8>] (put_device+0x18/0x1c drivers/base/core.c:3800)
 r7:844d6474 r6:8419ffb4 r5:844d6400 r4:8419f800
[<80b307d0>] (put_device) from [<81418e74>] (hdm_disconnect+0x90/0x9c drivers/most/most_usb.c:1129)
[<81418de4>] (hdm_disconnect) from [<80e8cd04>] (usb_unbind_interface+0x84/0x2b4 drivers/usb/core/driver.c:458)
 r7:844d6474 r6:844d6430 r5:00000000 r4:844d4c00
[<80e8cc80>] (usb_unbind_interface) from [<80b38870>] (device_remove drivers/base/dd.c:569 [inline])
[<80e8cc80>] (usb_unbind_interface) from [<80b38870>] (device_remove+0x64/0x6c drivers/base/dd.c:561)
 r10:00000001 r9:844d4c88 r8:00000044 r7:844d6474 r6:829ca3e8 r5:00000000
 r4:844d6430
[<80b3880c>] (device_remove) from [<80b39d60>] (__device_release_driver drivers/base/dd.c:1272 [inline])
[<80b3880c>] (device_remove) from [<80b39d60>] (device_release_driver_internal+0x18c/0x200 drivers/base/dd.c:1295)
 r5:00000000 r4:844d6430
[<80b39bd4>] (device_release_driver_internal) from [<80b39dec>] (device_release_driver+0x18/0x1c drivers/base/dd.c:1318)
 r9:844d4c88 r8:832d5d40 r7:832d5d38 r6:832d5d0c r5:844d6430 r4:832d5d30
[<80b39dd4>] (device_release_driver) from [<80b37ec4>] (bus_remove_device+0xcc/0x120 drivers/base/bus.c:579)
[<80b37df8>] (bus_remove_device) from [<80b32220>] (device_del+0x148/0x38c drivers/base/core.c:3881)
 r9:844d4c88 r8:833a1800 r7:04208060 r6:00000000 r5:844d6430 r4:844d6474
[<80b320d8>] (device_del) from [<80e8a754>] (usb_disable_device+0xd4/0x1e8 drivers/usb/core/message.c:1418)
 r10:00000001 r9:00000000 r8:00000000 r7:844d6400 r6:844d4c00 r5:84791288
 r4:60000013
[<80e8a680>] (usb_disable_device) from [<80e7f4d0>] (usb_disconnect+0xec/0x29c drivers/usb/core/hub.c:2316)
 r9:84571c00 r8:844d4ccc r7:83b56400 r6:844d4c88 r5:844d4c00 r4:60000013
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (hub_port_connect drivers/usb/core/hub.c:5375 [inline])
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (hub_port_connect_change drivers/usb/core/hub.c:5675 [inline])
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (port_event drivers/usb/core/hub.c:5835 [inline])
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (hub_event+0xe78/0x194c drivers/usb/core/hub.c:5917)
 r10:00000001 r9:00000100 r8:83caed00 r7:844d4c00 r6:83b55c00 r5:83b56610
 r4:00000001
[<80e81318>] (hub_event) from [<8027e2e8>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3238)
 r10:832d5f70 r9:8380e205 r8:833a1800 r7:dddced40 r6:8380e200 r5:83caed00
 r4:83338e80
[<8027e134>] (process_one_work) from [<8027ef30>] (process_scheduled_works kernel/workqueue.c:3321 [inline])
[<8027e134>] (process_one_work) from [<8027ef30>] (worker_thread+0x1fc/0x3d8 kernel/workqueue.c:3402)
 r10:61c88647 r9:833a1800 r8:83338eac r7:82804d40 r6:dddced40 r5:dddced60
 r4:83338e80
[<8027ed34>] (worker_thread) from [<80285f5c>] (kthread+0x12c/0x280 kernel/kthread.c:464)
 r10:00000000 r9:83338e80 r8:8027ed34 r7:df841e60 r6:83338f00 r5:833a1800
 r4:00000001
[<80285e30>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137)
Exception stack(0xdf9b5fb0 to 0xdf9b5ff8)
5fa0:                                     00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:80285e30
 r4:83335080
Rebooting in 86400 seconds..

final repro crashed as (corrupted=false):
usb 1-1: USB disconnect, device number 2
------------[ cut here ]------------
WARNING: CPU: 0 PID: 97 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28
refcount_t: underflow; use-after-free.
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 97 Comm: kworker/0:2 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
Workqueue: usb_hub_wq hub_event
Call trace: 
[<80201a00>] (dump_backtrace) from [<80201afc>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:8282083c r5:00000000 r4:82259bd0
[<80201ae4>] (show_stack) from [<8021fd94>] (__dump_stack lib/dump_stack.c:94 [inline])
[<80201ae4>] (show_stack) from [<8021fd94>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<8021fd40>] (dump_stack_lvl) from [<8021fdd4>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000000 r4:82a6dd18
[<8021fdbc>] (dump_stack) from [<80202614>] (panic+0x120/0x374 kernel/panic.c:382)
[<802024f4>] (panic) from [<802585b8>] (check_panic_on_warn kernel/panic.c:273 [inline])
[<802024f4>] (panic) from [<802585b8>] (get_taint+0x0/0x1c kernel/panic.c:268)
 r3:8280c684 r2:00000001 r1:822406fc r0:822480ac
 r7:808c00f4
[<80258544>] (check_panic_on_warn) from [<8025871c>] (__warn+0x80/0x188 kernel/panic.c:777)
[<8025869c>] (__warn) from [<80258a0c>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:812)
 r8:00000009 r7:822b1be4 r6:df9b5bfc r5:833a1800 r4:00000000
[<80258828>] (warn_slowpath_fmt) from [<808c00f4>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28)
 r10:00000001 r9:829ca3e8 r8:844d4c88 r7:844d6474 r6:8419ffb4 r5:844d6400
 r4:84571800
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (__refcount_sub_and_test include/linux/refcount.h:400 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (__refcount_dec_and_test include/linux/refcount.h:432 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (refcount_dec_and_test include/linux/refcount.h:450 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (kref_put include/linux/kref.h:64 [inline])
[<808bffb8>] (refcount_warn_saturate) from [<819fce88>] (kobject_put+0x158/0x1f4 lib/kobject.c:737)
[<819fcd30>] (kobject_put) from [<80b307e8>] (put_device+0x18/0x1c drivers/base/core.c:3800)
 r7:844d6474 r6:8419ffb4 r5:844d6400 r4:8419f800
[<80b307d0>] (put_device) from [<81418e74>] (hdm_disconnect+0x90/0x9c drivers/most/most_usb.c:1129)
[<81418de4>] (hdm_disconnect) from [<80e8cd04>] (usb_unbind_interface+0x84/0x2b4 drivers/usb/core/driver.c:458)
 r7:844d6474 r6:844d6430 r5:00000000 r4:844d4c00
[<80e8cc80>] (usb_unbind_interface) from [<80b38870>] (device_remove drivers/base/dd.c:569 [inline])
[<80e8cc80>] (usb_unbind_interface) from [<80b38870>] (device_remove+0x64/0x6c drivers/base/dd.c:561)
 r10:00000001 r9:844d4c88 r8:00000044 r7:844d6474 r6:829ca3e8 r5:00000000
 r4:844d6430
[<80b3880c>] (device_remove) from [<80b39d60>] (__device_release_driver drivers/base/dd.c:1272 [inline])
[<80b3880c>] (device_remove) from [<80b39d60>] (device_release_driver_internal+0x18c/0x200 drivers/base/dd.c:1295)
 r5:00000000 r4:844d6430
[<80b39bd4>] (device_release_driver_internal) from [<80b39dec>] (device_release_driver+0x18/0x1c drivers/base/dd.c:1318)
 r9:844d4c88 r8:832d5d40 r7:832d5d38 r6:832d5d0c r5:844d6430 r4:832d5d30
[<80b39dd4>] (device_release_driver) from [<80b37ec4>] (bus_remove_device+0xcc/0x120 drivers/base/bus.c:579)
[<80b37df8>] (bus_remove_device) from [<80b32220>] (device_del+0x148/0x38c drivers/base/core.c:3881)
 r9:844d4c88 r8:833a1800 r7:04208060 r6:00000000 r5:844d6430 r4:844d6474
[<80b320d8>] (device_del) from [<80e8a754>] (usb_disable_device+0xd4/0x1e8 drivers/usb/core/message.c:1418)
 r10:00000001 r9:00000000 r8:00000000 r7:844d6400 r6:844d4c00 r5:84791288
 r4:60000013
[<80e8a680>] (usb_disable_device) from [<80e7f4d0>] (usb_disconnect+0xec/0x29c drivers/usb/core/hub.c:2316)
 r9:84571c00 r8:844d4ccc r7:83b56400 r6:844d4c88 r5:844d4c00 r4:60000013
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (hub_port_connect drivers/usb/core/hub.c:5375 [inline])
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (hub_port_connect_change drivers/usb/core/hub.c:5675 [inline])
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (port_event drivers/usb/core/hub.c:5835 [inline])
[<80e7f3e4>] (usb_disconnect) from [<80e82190>] (hub_event+0xe78/0x194c drivers/usb/core/hub.c:5917)
 r10:00000001 r9:00000100 r8:83caed00 r7:844d4c00 r6:83b55c00 r5:83b56610
 r4:00000001
[<80e81318>] (hub_event) from [<8027e2e8>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3238)
 r10:832d5f70 r9:8380e205 r8:833a1800 r7:dddced40 r6:8380e200 r5:83caed00
 r4:83338e80
[<8027e134>] (process_one_work) from [<8027ef30>] (process_scheduled_works kernel/workqueue.c:3321 [inline])
[<8027e134>] (process_one_work) from [<8027ef30>] (worker_thread+0x1fc/0x3d8 kernel/workqueue.c:3402)
 r10:61c88647 r9:833a1800 r8:83338eac r7:82804d40 r6:dddced40 r5:dddced60
 r4:83338e80
[<8027ed34>] (worker_thread) from [<80285f5c>] (kthread+0x12c/0x280 kernel/kthread.c:464)
 r10:00000000 r9:83338e80 r8:8027ed34 r7:df841e60 r6:83338f00 r5:833a1800
 r4:00000001
[<80285e30>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137)
Exception stack(0xdf9b5fb0 to 0xdf9b5ff8)
5fa0:                                     00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:80285e30
 r4:83335080
Rebooting in 86400 seconds..