Extracting prog: 11m44.3650516s
Minimizing prog: 1h47m9.648212495s
Simplifying prog options: 0s
Extracting C: 1m0.800327887s
Simplifying C: 12m12.269958807s


12 programs, 3 VMs, timeouts [45s 5m0s 16m0s]
extracting reproducer from 12 programs
single: executing 2 programs separately with timeout 45s
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io$hid-syz_open_dev$hiddev-ioctl$HIDIOCGUSAGE-ioctl$HIDIOCGUSAGE
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000001280)={0x18, 0x3, &(0x7f0000000940)=ANY=[], &(0x7f00000005c0)='GPL\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000007c0)={&(0x7f0000000780)='contention_end\x00', r0}, 0x10)
r1 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000440)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224000100000000090400001503000000092140000001220f00090581", @ANYRES16], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, &(0x7f00000001c0)={0x24, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x22, 0xf, {[@global=@item_4={0x3, 0x1, 0x0, "9b4d3948"}, @main=@item_012={0x1, 0x0, 0x0, "9f"}, @local=@item_4={0x3, 0x2, 0x0, "6d011fe4"}, @main=@item_012={0x2, 0x0, 0x0, "1a79"}]}}, 0x0}, 0x0)
r2 = syz_open_dev$hiddev(&(0x7f0000000d40), 0x0, 0x0)
ioctl$HIDIOCGUSAGE(r2, 0xc018480b, 0x0)
ioctl$HIDIOCGUSAGE(r2, 0x4018480c, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-bpf$BPF_MAP_CONST_STR_FREEZE-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
single: failed to extract reproducer
bisect: bisecting 12 programs with base timeout 45s
testing program (duration=48s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 2, 1, 8, 20, 2, 18, 5, 5, 7, 9, 8]
detailed listing:
executing program 0:
r0 = socket(0xa, 0x1, 0x0)
close(r0)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r1, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x1c, &(0x7f00000020c0)=[@in6={0xa, 0x0, 0x0, @remote, 0x34}]}, &(0x7f0000002100)=0x10)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x24, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @empty}}}, &(0x7f0000003c00)=0x90)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x15)
executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000d40000000000000000000000000a20000000000a03000000000000000000010000000900010073797a3000000000bc000000160a01000000000000000000010000000900010073797a30000000000900020073797a30000000009000038008000240000000007c00038014000100626f6e64300000000000000000000000140001006970766c616e31000000000000000000140001006970766c616e300000000000000000001400010073697430000000000000fbffffffffffffff0100776c616e300000000000000000000000140001006772653000000000000000000000040008000140000000005c000000180a01010000000000000000010000000900020073797a30000000000900010073797a3000000000300003802c000380140001"], 0x4b0}}, 0x0)
executing program 0:
bpf$MAP_CREATE(0x100000000000000, &(0x7f0000000140)=@base={0xa, 0x16, 0xb42, 0x7f, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x1fff}, 0x48)
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0xb, &(0x7f0000000380)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020000000000000000000007b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r0 = gettid()
r1 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000040), 0x0)
read(r1, &(0x7f0000000200)=""/209, 0xd1)
ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r1, 0x4040534e, &(0x7f0000000080)={0x335})
ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT(r1, 0xc0105303, &(0x7f0000000d40)={0x0, 0x0, 'client1\x00', 0x0, "2cd367818b4014ff", "859e92f118c4484604734b1d43209426c1bd711b936fc2c4d28f902e94f8e647"})
tkill(r0, 0x7)
executing program 1:
socket$inet_udp(0x2, 0x2, 0x0)
bind$inet(0xffffffffffffffff, &(0x7f0000000000)={0x2, 0x8, @multicast1}, 0x10)
r0 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_ADD_MEMBERSHIP(r0, 0x10e, 0x1, 0x0, 0x0)
bpf$BPF_BTF_LOAD(0x12, 0x0, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000a80)='./file0/file0\x00', 0x0, 0x0)
ioctl$FIBMAP(r1, 0x401870c8, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$TIPC_CMD_RESET_LINK_STATS(r2, &(0x7f0000000180)={0x0, 0xfffffffffffffcfc, &(0x7f0000000140)={&(0x7f0000000080)={0x30, r3, 0x1, 0x0, 0x0, {{}, {}, {0x14, 0x14, 'broadcast-link\x00'}}}, 0x30}}, 0x0)
sendmsg$TIPC_CMD_SHOW_STATS(r1, &(0x7f0000000200)={&(0x7f0000000100), 0xc, &(0x7f00000001c0)={&(0x7f0000000180)={0x1c}, 0x1c}, 0x1, 0x0, 0x0, 0x40020}, 0x10)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x3c, 0x0, 0x0)
setsockopt$SO_TIMESTAMPING(0xffffffffffffffff, 0x1, 0x25, &(0x7f0000000040)=0x213a, 0x4)
r4 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r5 = dup(0xffffffffffffffff)
readv(r5, &(0x7f0000000c40)=[{0x0}], 0x1)
syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000140)='./file1\x00', 0x0, &(0x7f0000000500), 0x10, 0x4d9, &(0x7f0000000680)="$eJzs3d9rHFsdAPDvTLL9mZpUfagF22IradHuJo1tgw+1gtingrW+15hsQsgmG7KbtglFUnxXEFHBJ598EfwDBOmfIEJB36WKItrqgw/33r3s7mxvm7ub5NLtTm/y+cB0zpmzu9/vadiZOTOHnQAOrHMRcTMihiLiUkSMZtvTbLnVbL/Tft2L549mm0sSjcbdfyeRZNs6n5Vk6+MRsRURRyLiu7cifpB8PG5tY3NpplIpr2X1Un15tVTb2Ly8uDyzUF4or0xNTV6bvj59dXqiL/0ci4gb3/r7z3/ym2/f+MNXH/z13j8v/rCZ1kjW/mo/+qnd9ULr/6JjOCLW3kawHAxl60KP9h8PDTAZAAB21TzH/2xEfKl1/j8aQ62zUwAAAGA/aXxjJN5LIhoAAADAvpW25sAmaTGbCzASaVostufwfj6OpZVqrf6V+er6ylx7ruxYFNL5xUp5IpsrPBaFpFmfzObYdupXttWnIuJkRPxs9GirXpytVubyvvgBAAAAB8TxbeP//422xv+H884LAAAA6LOxvBMAAAAA3jrjfwAAANj/jP8BAABgX/vO7dvNpdF5/vXc/Y31per9y3Pl2lJxeX22OFtdWy0uVKsLrd/sW97t8yrV6urXYmX9YalertVLtY3Ne8vV9ZX6vcXXHoENAAAADNDJs0/+kkTE1tePtpamQ3knBQxEslPjoey5oM+y+t8GkxMwGEN5JwDkZjjvBIDcFPJOAMjdjtcBInpP3vlj/3MBAADejvEv9L7/79oA7G9p3gkAAAPn/j8cXIXXZwBezS8TIC+f2aX9ze//NxqfKCEAAKDvRlpLkhaze4EjkabFYsSJ1mMBCsn8YqU8kY0P/jxaONysT7bemew6ZxgAAAAAAAAAAAAAAAAAAAAAAAAAaGs0kmgAAAAA+1pE+o+k9Wv+EeOjF0a2Xx84lPx/tLWOiAe/uvuLhzP1+tpkc/t/Xm6v/zLbfiWPKxgAAABAZqtT6IzTO+N4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOinF88fzXaWQcb91zcjYqxr/LNHWqsjUYiIY/9NYviV9yURMdSH+FuPI+JUt/hJM60Yi3YW3eIfzTF+GhHH+xAfDrInzf3PzW7fvzTOtdbdv3/D2fKmeu//0ujs/4Z67H9O7DHG6ae/K/WM/zji9HD3/U8nftIj/vk9xv/+9zY3e7U1fh0x3vX4k7wWq1RfXi3VNjYvLy7PLJQXyitTU5PXpq9PX52eKM0vVsrZv11j/PSLv/9gp/4f6xF/bJf+X9hj/99/+vD559rFQrf4F893P/6e6hE/zY59X87KzfbxTnmrXX7Vmd/+6cxO/Z/r0f+Xf/8uB9pmzIt77P+lOz96tseXAgADUNvYXJqpVMprn8ZCGu9EGgp9KRx+N9JQaBfy3jMBAAD99tFJf96ZAAAAAAAAAAAAAAAAAAAAwME1iJ8T2x5zK5+uAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADs6MMAAAD//1ur2gA=")
openat$uinput(0xffffffffffffff9c, 0x0, 0x802, 0x0)
r6 = dup(r4)
ioctl$TIOCL_SETSEL(r6, 0x541c, &(0x7f0000001900)={0x2, {0xc, 0xa00, 0x0, 0x101, 0x100}})
executing program 1:
r0 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000740)={0x3, 0x4, 0x4, 0xa, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000000880)={0x12, 0x8, &(0x7f0000000000)=@framed={{0x18, 0x6}, [@tail_call={{0x18, 0x2, 0x1, 0x0, r0}, {}, {0x85, 0x0, 0x0, 0x54}}]}, &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x1f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
executing program 0:
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x3, &(0x7f0000000740)=@framed, &(0x7f0000000280)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000240)={&(0x7f0000000200)='sched_switch\x00', r0}, 0x10)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r1 = getpid()
sched_setscheduler(r1, 0x1, &(0x7f0000000100)=0x5)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000001480)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$AUTOFS_DEV_IOCTL_TIMEOUT(0xffffffffffffffff, 0xc018937a, &(0x7f0000000340)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x1}}, './file0\x00'})
r4 = openat$ttyprintk(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$TCSETA(r4, 0x8924, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, "4feda26323b172e0"})
r5 = add_key$user(&(0x7f0000000200), &(0x7f0000000000)={'syz', 0x2}, &(0x7f0000000240)="f20ea8accdb7d9e23df464008c0c9a271971d60c250373ece89c53ebfabe609d7b67f57ec82a421772b8d53ceea667", 0x2f, 0xfffffffffffffffe)
r6 = add_key$user(&(0x7f00000003c0), &(0x7f0000000440), &(0x7f00000000c0), 0xc9, 0xfffffffffffffffd)
keyctl$dh_compute(0x17, &(0x7f0000000140)={r5, r6, r5}, &(0x7f00000000c0)=""/83, 0xfffffffffffffe4f, 0x0)
executing program 1:
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x1, 0x6, 0x8, 0xb}, 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000040)='kmem_cache_free\x00', r1}, 0x10)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=ANY=[@ANYBLOB="a800000000010104000000000000000002000000240001801400018008000100e000000108000200ac1e01010c00028005000100000009002400028014000180080001000000010908000200ac1e00010c000280050001"], 0xa8}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(0xffffffffffffffff, 0x8933, &(0x7f0000000200)={'batadv_slave_0\x00'})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000080)={'bridge_slave_1\x00', <r2=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000001c0)=ANY=[@ANYBLOB="440000001000090400"/20, @ANYRES32=r2, @ANYBLOB="000000000000000024001280110001006272696467655f736c617665000000000c00058005002b"], 0x44}}, 0x0)
executing program 1:
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r0, &(0x7f00000004c0)={0x2, 0x0, @broadcast}, 0x10)
setsockopt$inet_tcp_buf(r0, 0x6, 0xd, &(0x7f0000000000)='5', 0x1)
setsockopt$inet_int(r0, 0x0, 0x18, 0x0, 0x0)
getsockopt$inet_mptcp_buf(r0, 0x11c, 0x0, 0x0, 0x0)
setsockopt$SO_TIMESTAMPING(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0)
sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x0)
executing program 1:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000001280)={0x18, 0x3, &(0x7f0000000940)=ANY=[], &(0x7f00000005c0)='GPL\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000007c0)={&(0x7f0000000780)='contention_end\x00', r0}, 0x10)
r1 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000440)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224000100000000090400001503000000092140000001220f00090581", @ANYRES16], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, &(0x7f00000001c0)={0x24, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x22, 0xf, {[@global=@item_4={0x3, 0x1, 0x0, "9b4d3948"}, @main=@item_012={0x1, 0x0, 0x0, "9f"}, @local=@item_4={0x3, 0x2, 0x0, "6d011fe4"}, @main=@item_012={0x2, 0x0, 0x0, "1a79"}]}}, 0x0}, 0x0)
r2 = syz_open_dev$hiddev(&(0x7f0000000d40), 0x0, 0x0)
ioctl$HIDIOCGUSAGE(r2, 0xc018480b, 0x0)
ioctl$HIDIOCGUSAGE(r2, 0x4018480c, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 2 programs separately with timeout 5m0s
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io$hid-syz_open_dev$hiddev-ioctl$HIDIOCGUSAGE-ioctl$HIDIOCGUSAGE
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000001280)={0x18, 0x3, &(0x7f0000000940)=ANY=[], &(0x7f00000005c0)='GPL\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000007c0)={&(0x7f0000000780)='contention_end\x00', r0}, 0x10)
r1 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000440)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224000100000000090400001503000000092140000001220f00090581", @ANYRES16], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, &(0x7f00000001c0)={0x24, 0x0, 0x0, &(0x7f0000000040)={0x0, 0x22, 0xf, {[@global=@item_4={0x3, 0x1, 0x0, "9b4d3948"}, @main=@item_012={0x1, 0x0, 0x0, "9f"}, @local=@item_4={0x3, 0x2, 0x0, "6d011fe4"}, @main=@item_012={0x2, 0x0, 0x0, "1a79"}]}}, 0x0}, 0x0)
r2 = syz_open_dev$hiddev(&(0x7f0000000d40), 0x0, 0x0)
ioctl$HIDIOCGUSAGE(r2, 0xc018480b, 0x0)
ioctl$HIDIOCGUSAGE(r2, 0x4018480c, 0x0)

program did not crash
testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-bpf$BPF_MAP_CONST_STR_FREEZE-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program crashed: BUG: unable to handle kernel paging request in corrupted
single: successfully extracted reproducer
found reproducer with 9 syscalls
minimizing guilty program
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-bpf$BPF_MAP_CONST_STR_FREEZE
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, 0x0, 0x0)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program crashed: BUG: unable to handle kernel paging request in ipv6_chk_mcast_addr
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
io_uring_setup(0x3eae, &(0x7f0000000080))
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
io_uring_register$IORING_REGISTER_BUFFERS(0xffffffffffffffff, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f00000000c0))
r0 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r0, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(0xffffffffffffffff, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, 0x0)
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, 0x0)
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, 0x0, 0x0)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{0x0}], 0x1)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, 0x0)
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000080)={&(0x7f0000c15000/0x1000)=nil, &(0x7f0000508000/0x4000)=nil, 0x1000})
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
testing program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = userfaultfd(0x1)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
r1 = io_uring_setup(0x3eae, &(0x7f0000000080))
io_uring_register$IORING_REGISTER_BUFFERS(r1, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001700)=""/4095, 0x440000}], 0x100000000000011a)
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
ioctl$UFFDIO_COPY(r0, 0xc028aa05, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)

program did not crash
extracting C reproducer
testing compiled C program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
program crashed: kernel panic: corrupted stack end in sys_futex
simplifying C reproducer
testing compiled C program (duration=7m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
program did not crash
testing compiled C program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
program crashed: Internal error in __switch_to
testing compiled C program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
program crashed: BUG: unable to handle kernel paging request in sched_balance_update_blocked_averages
testing compiled C program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
program crashed: kernel panic: corrupted stack end in userfaultfd_ioctl
testing compiled C program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
program crashed: BUG: unable to handle kernel paging request in corrupted
testing compiled C program (duration=7m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-userfaultfd-ioctl$UFFDIO_API-io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-ioctl$UFFDIO_REGISTER-ioctl$UFFDIO_COPY-madvise
program crashed: BUG: unable to handle kernel NULL pointer dereference in vma_interval_tree_remove
reproducing took 2h12m7.083581108s
repro crashed as (corrupted=false):
get_swap_device: Bad swap file entry 800000000000000
get_swap_device: Bad swap file entry 800000000000000
get_swap_device: Bad swap file entry 800000000000000
get_swap_device: Bad swap file entry 800000000000000
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 52-bit VAs, pgdp=0000000043684300
[0000000000000098] pgd=0800000046407003, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3190 Comm: syz-executor408 Not tainted 6.10.0-rc1-syzkaller-00021-ge0cce98fe279 #0
Hardware name: linux,dummy-virt (DT)
pstate: a1400009 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : vma_interval_tree_augment_compute_max mm/interval_tree.c:23 [inline]
pc : vma_interval_tree_augment_propagate mm/interval_tree.c:23 [inline]
pc : __rb_erase_augmented include/linux/rbtree_augmented.h:321 [inline]
pc : rb_erase_augmented include/linux/rbtree_augmented.h:329 [inline]
pc : rb_erase_augmented_cached include/linux/rbtree_augmented.h:340 [inline]
pc : vma_interval_tree_remove+0x15c/0x304 mm/interval_tree.c:23
lr : __remove_shared_vm_struct mm/mmap.c:114 [inline]
lr : unlink_file_vma+0x50/0xa0 mm/mmap.c:129
sp : ffff800088cf3990
x29: ffff800088cf3990 x28: f9f00000041c7840 x27: 0000000000000000
x26: 0000000000000000 x25: ffff800088cf3ae8 x24: 0000ffff93a1a000
x23: 0000000000000001 x22: ffffffffffffffff x21: fdf00000059fdaa8
x20: f9f00000041c7878 x19: f9f00000041c7840 x18: ffff800088cf3aa8
x17: 0000000000000000 x16: 1efe000000711c61 x15: ffff8000800a9250
x14: ffff8000800a896c x13: ffff80008196f72c x12: 0010000000000000
x11: 00000000000000f5 x10: 0000aaaae6c73000 x9 : 0000000000000004
x8 : 0000000000000098 x7 : 0000000000000000 x6 : 0000ffff93a7a080
x5 : 0000000000000080 x4 : 000000000000007f x3 : fcf0000004311480
x2 : 0000000000000116 x1 : fdf00000059fda60 x0 : 0000000000000000
Call trace:
 vma_interval_tree_augment_compute_max mm/interval_tree.c:23 [inline]
 vma_interval_tree_augment_propagate mm/interval_tree.c:23 [inline]
 __rb_erase_augmented include/linux/rbtree_augmented.h:321 [inline]
 rb_erase_augmented include/linux/rbtree_augmented.h:329 [inline]
 rb_erase_augmented_cached include/linux/rbtree_augmented.h:340 [inline]
 vma_interval_tree_remove+0x15c/0x304 mm/interval_tree.c:23
 __remove_shared_vm_struct mm/mmap.c:114 [inline]
 unlink_file_vma+0x50/0xa0 mm/mmap.c:129
 free_pgtables+0x194/0x220 mm/memory.c:405
 exit_mmap+0x134/0x288 mm/mmap.c:3352
 __mmput+0x3c/0x170 kernel/fork.c:1346
 mmput+0x50/0x5c kernel/fork.c:1368
 exit_mm kernel/exit.c:565 [inline]
 do_exit+0x270/0x98c kernel/exit.c:861
 do_group_exit+0x34/0x90 kernel/exit.c:1023
 copy_siginfo_to_user+0x0/0xec kernel/signal.c:2909
 do_signal+0xf0/0x1450 arch/arm64/kernel/signal.c:1308
 do_notify_resume+0xd8/0x164 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
Code: d1000484 cb060042 8b423082 b4000085 (f9400ca4) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	d1000484 	sub	x4, x4, #0x1
   4:	cb060042 	sub	x2, x2, x6
   8:	8b423082 	add	x2, x4, x2, lsr #12
   c:	b4000085 	cbz	x5, 0x1c
* 10:	f9400ca4 	ldr	x4, [x5, #24] <-- trapping instruction

final repro crashed as (corrupted=false):
get_swap_device: Bad swap file entry 800000000000000
get_swap_device: Bad swap file entry 800000000000000
get_swap_device: Bad swap file entry 800000000000000
get_swap_device: Bad swap file entry 800000000000000
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 52-bit VAs, pgdp=0000000043684300
[0000000000000098] pgd=0800000046407003, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3190 Comm: syz-executor408 Not tainted 6.10.0-rc1-syzkaller-00021-ge0cce98fe279 #0
Hardware name: linux,dummy-virt (DT)
pstate: a1400009 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : vma_interval_tree_augment_compute_max mm/interval_tree.c:23 [inline]
pc : vma_interval_tree_augment_propagate mm/interval_tree.c:23 [inline]
pc : __rb_erase_augmented include/linux/rbtree_augmented.h:321 [inline]
pc : rb_erase_augmented include/linux/rbtree_augmented.h:329 [inline]
pc : rb_erase_augmented_cached include/linux/rbtree_augmented.h:340 [inline]
pc : vma_interval_tree_remove+0x15c/0x304 mm/interval_tree.c:23
lr : __remove_shared_vm_struct mm/mmap.c:114 [inline]
lr : unlink_file_vma+0x50/0xa0 mm/mmap.c:129
sp : ffff800088cf3990
x29: ffff800088cf3990 x28: f9f00000041c7840 x27: 0000000000000000
x26: 0000000000000000 x25: ffff800088cf3ae8 x24: 0000ffff93a1a000
x23: 0000000000000001 x22: ffffffffffffffff x21: fdf00000059fdaa8
x20: f9f00000041c7878 x19: f9f00000041c7840 x18: ffff800088cf3aa8
x17: 0000000000000000 x16: 1efe000000711c61 x15: ffff8000800a9250
x14: ffff8000800a896c x13: ffff80008196f72c x12: 0010000000000000
x11: 00000000000000f5 x10: 0000aaaae6c73000 x9 : 0000000000000004
x8 : 0000000000000098 x7 : 0000000000000000 x6 : 0000ffff93a7a080
x5 : 0000000000000080 x4 : 000000000000007f x3 : fcf0000004311480
x2 : 0000000000000116 x1 : fdf00000059fda60 x0 : 0000000000000000
Call trace:
 vma_interval_tree_augment_compute_max mm/interval_tree.c:23 [inline]
 vma_interval_tree_augment_propagate mm/interval_tree.c:23 [inline]
 __rb_erase_augmented include/linux/rbtree_augmented.h:321 [inline]
 rb_erase_augmented include/linux/rbtree_augmented.h:329 [inline]
 rb_erase_augmented_cached include/linux/rbtree_augmented.h:340 [inline]
 vma_interval_tree_remove+0x15c/0x304 mm/interval_tree.c:23
 __remove_shared_vm_struct mm/mmap.c:114 [inline]
 unlink_file_vma+0x50/0xa0 mm/mmap.c:129
 free_pgtables+0x194/0x220 mm/memory.c:405
 exit_mmap+0x134/0x288 mm/mmap.c:3352
 __mmput+0x3c/0x170 kernel/fork.c:1346
 mmput+0x50/0x5c kernel/fork.c:1368
 exit_mm kernel/exit.c:565 [inline]
 do_exit+0x270/0x98c kernel/exit.c:861
 do_group_exit+0x34/0x90 kernel/exit.c:1023
 copy_siginfo_to_user+0x0/0xec kernel/signal.c:2909
 do_signal+0xf0/0x1450 arch/arm64/kernel/signal.c:1308
 do_notify_resume+0xd8/0x164 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
Code: d1000484 cb060042 8b423082 b4000085 (f9400ca4) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	d1000484 	sub	x4, x4, #0x1
   4:	cb060042 	sub	x2, x2, x6
   8:	8b423082 	add	x2, x4, x2, lsr #12
   c:	b4000085 	cbz	x5, 0x1c
* 10:	f9400ca4 	ldr	x4, [x5, #24] <-- trapping instruction