Extracting prog: 21m37.416745291s
Minimizing prog: 24m52.119956265s
Simplifying prog options: 0s
Extracting C: 30.834615247s
Simplifying C: 8m20.581609729s


30 programs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 30 programs
single: executing 5 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$evdev-ioctl$EVIOCGMTSLOTS
detailed listing:
executing program 0:
r0 = syz_open_dev$evdev(&(0x7f0000000000), 0x0, 0x0)
ioctl$EVIOCGMTSLOTS(r0, 0x8040450a, &(0x7f0000000600)=""/140)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet-socket$packet-ioctl$sock_SIOCGIFINDEX-sendmsg$inet
detailed listing:
executing program 0:
r0 = socket$inet(0x2, 0x2, 0x1)
r1 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000040)={'bridge_slave_0\x00', <r2=>0x0})
sendmsg$inet(r0, &(0x7f0000000380)={&(0x7f0000000300)={0x2, 0x0, @broadcast}, 0x10, &(0x7f00000000c0)=[{&(0x7f0000000400)='\b\x00', 0x2}, {&(0x7f0000000180)="96bc1480bb58", 0x6}], 0x2, &(0x7f0000000240)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {r2, @rand_addr, @remote}}}], 0x20}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ENABLE_STATS-getpid-process_vm_readv-socket$alg-bind$alg-accept$alg-sendmmsg$alg
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000000000000000000004b64ffec850000006d000000670000000500000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000180)='tlb_flush\x00', r0}, 0x10)
bpf$ENABLE_STATS(0x20, 0x0, 0x0)
r1 = getpid()
process_vm_readv(r1, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
r2 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r2, &(0x7f0000000340)={0x26, 'hash\x00', 0x0, 0x0, 'wp512-generic\x00'}, 0x58)
r3 = accept$alg(r2, 0x0, 0x0)
sendmmsg$alg(r3, &(0x7f0000000b80)=[{0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000000100)='v', 0xf4240}], 0x1}], 0x1, 0x8004)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-sched_setscheduler-openat$binderfs-ioctl$BINDER_WRITE_READ-openat$sysfs-write$P9_RUNLINKAT-ioctl$BINDER_WRITE_READ-socket$tipc-syz_open_dev$media-syz_emit_vhci-ioctl$MEDIA_IOC_ENUM_LINKS-syz_open_dev$media-ioctl$MEDIA_IOC_G_TOPOLOGY-syz_open_dev$media-ioctl$MEDIA_IOC_ENUM_LINKS-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_init_net_socket$bt_l2cap-ioctl$FS_IOC_GETFSLABEL
detailed listing:
executing program 0:
getpid()
sched_setscheduler(0x0, 0x0, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0x400c620e, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/profiling', 0x22042, 0x0)
write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x2d}, 0x7)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0)
socket$tipc(0x1e, 0x0, 0x0)
r4 = syz_open_dev$media(&(0x7f0000000080), 0x3f, 0x0)
syz_emit_vhci(0x0, 0x17)
ioctl$MEDIA_IOC_ENUM_LINKS(0xffffffffffffffff, 0xc0287c02, 0x0)
r5 = syz_open_dev$media(&(0x7f00000001c0), 0x4, 0x0)
ioctl$MEDIA_IOC_G_TOPOLOGY(r5, 0xc0487c04, 0x0)
syz_open_dev$media(&(0x7f0000000000), 0x0, 0x0)
ioctl$MEDIA_IOC_ENUM_LINKS(r4, 0xc0287c02, &(0x7f0000000180)={0x80000000, 0x0, &(0x7f0000000400)})
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000014c0)={0x11, 0x3, &(0x7f0000000100)=ANY=[@ANYBLOB="18000000000000000000000000ed000095"], &(0x7f00000000c0)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000000)='contention_begin\x00', r6}, 0x10)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
ioctl$FS_IOC_GETFSLABEL(r7, 0x800452d2, &(0x7f0000000100))

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 15s
testing program (duration=22s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 3, 29, 3, 2, 27, 9, 3, 14, 4, 20, 7, 4, 8, 2, 4, 3, 27, 27, 22, 4, 25, 2, 7, 14, 9, 4, 5, 4, 2]
detailed listing:
executing program 0:
bpf$BPF_BTF_GET_FD_BY_ID(0x13, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='cgroup.controllers\x00', 0x275a, 0x0)
socketpair(0x0, 0x0, 0x0, &(0x7f0000000000))
r3 = socket$inet_dccp(0x2, 0x6, 0x0)
getsockopt$inet_mreqsrc(r3, 0x0, 0x53, &(0x7f0000000000)={@dev, @local, @broadcast}, &(0x7f00000000c0)=0x28)
executing program 1:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r0, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r0, &(0x7f0000000340)="050000000100", 0x6)
executing program 1:
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r0 = openat$sw_sync_info(0xffffffffffffff9c, &(0x7f0000000140), 0x80002, 0x0)
write$sndseq(0xffffffffffffffff, &(0x7f0000000540)=[{0x6, 0x1, 0x83, 0xff, @tick=0x1000, {0x61, 0x81}, {0x1f, 0x40}, @queue={0x0, {0x10003, 0x1000}}}, {0x6, 0x8, 0x8, 0x97, @time={0x0, 0x80000001}, {0x0, 0x81}, {}, @addr}], 0x38)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0xffffffffffffffca, &(0x7f0000000040)=0x10001)
r1 = syz_open_dev$sndpcmc(&(0x7f0000000200), 0x7, 0x0)
readv(r1, &(0x7f0000000640)=[{&(0x7f0000000340)=""/184, 0xb8}, {0x0}], 0x2)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r2, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f000000c380)='./file0\x00', 0x40, 0x0)
openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0)
r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='task\x00')
fchdir(r3)
mount(0x0, &(0x7f0000000080)='.\x00', &(0x7f0000000000)='proc\x00', 0x0, 0x0)
r4 = inotify_init1(0x0)
fcntl$setown(r4, 0x8, 0xffffffffffffffff)
fcntl$getownex(r4, 0x10, &(0x7f0000000140)={0x0, <r5=>0x0})
r6 = syz_open_procfs(r5, &(0x7f0000000600)='fd/4\x00')
ioctl$FS_IOC_GET_ENCRYPTION_KEY_STATUS(r6, 0x4004662b, &(0x7f0000000180)={@id={0x2, 0x0, @auto="ffee8e7268b4fecd2fce2d54fbd909e4"}})
sendmsg$alg(r0, 0x0, 0x20000000)
r7 = socket$nl_route(0x10, 0x3, 0x0)
r8 = socket(0x11, 0x80a, 0x0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000300)={'bond0\x00'})
sendmsg$nl_route(r7, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
add_key$keyring(&(0x7f00000001c0), &(0x7f00000000c0)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffe)
r9 = memfd_create(&(0x7f0000000300)='\x00\xc2\xea\x99\xbb\x1c\xdfjw\x97\x05\xa3\xa2\'\xdd\xe4q\xbf\t\x8c\xe0\x19`\x8e\x00\x00\x00\x00\x00\x00\x00\x00\x00\b \xff\x13\x96\xe3?\xdfH\x8c\xe4V\xe2\xfe\v8\x04\xa5\xb9\xc4:\xf3\xf6y_w\xd8\xcf\x90k\x05\x00\xf9\x1e\xe8m\xec\x12\xa015\xc2\xb3u|K\x111\xd4\f8\xeb\x18\xad\xbb!1\x85\x96P\x1b\xa1\x9a\x81\xf8\xb1\xecB)\xe5\xaa7\xfe\xdd,_D\xe5|\xb1j^\xaec}\x1a\xb4\x17\xafP\x85I\xd5\xa0I\xb0\xaf\xb5\x8b\\\x05\xd7g\xcbV\x8e\xd0\xac\x87I7\xbd\xc6\x9bI\x92\xb2\x87.\xb3\x1fs\xe7%\xdd+\r\xb4\x117\xa7ei~\xb8\x16\xd1P\xf2\x84\x89K\x16\xd0F|\xa3\x89\xc9~9\x00'/204, 0x0)
write(r9, &(0x7f0000019400), 0x0)
mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x1, 0x11, r9, 0x0)
socket$can_raw(0x1d, 0x3, 0x1)
executing program 0:
setresuid(0x0, 0xee01, 0xee01)
r0 = socket$netlink(0x10, 0x3, 0x9)
bind$netlink(r0, &(0x7f0000000040)={0x10, 0x0, 0x0, 0x80022040}, 0xc)
executing program 0:
r0 = socket$igmp(0x2, 0x3, 0x2)
setsockopt$IP_VS_SO_SET_STOPDAEMON(r0, 0x0, 0x48c, 0x0, 0x0)
executing program 0:
syz_open_dev$media(&(0x7f0000000000), 0x3, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r3, 0x400c620e, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
r4 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/profiling', 0x22042, 0x0)
write$P9_RUNLINKAT(r4, &(0x7f0000000040)={0x2d}, 0x7)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0)
socket$tipc(0x1e, 0x0, 0x0)
r5 = syz_open_dev$media(&(0x7f0000000080), 0x3f, 0x0)
syz_emit_vhci(0x0, 0x17)
ioctl$MEDIA_IOC_ENUM_LINKS(0xffffffffffffffff, 0xc0287c02, 0x0)
r6 = syz_open_dev$media(&(0x7f00000001c0), 0x4, 0x0)
ioctl$MEDIA_IOC_G_TOPOLOGY(r6, 0xc0487c04, 0x0)
syz_open_dev$media(&(0x7f0000000000), 0x0, 0x0)
ioctl$MEDIA_IOC_ENUM_LINKS(r5, 0xc0287c02, &(0x7f0000000180)={0x80000000, 0x0, &(0x7f0000000400)})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000000)='contention_begin\x00'}, 0x10)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
ioctl$FS_IOC_GETFSLABEL(r7, 0x800452d2, &(0x7f0000000100))
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socket(0x0, 0x0, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000340), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_4ADDR={0x5}]}, 0x24}}, 0x0)
executing program 0:
r0 = socket(0x10, 0x2, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0xc, &(0x7f00000001c0)={0x8}, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000011c0)={&(0x7f0000001200)=ANY=[@ANYBLOB="dc0000001e00010a00000000000000000002"], 0xdc}}, 0x0)
executing program 4:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x3, &(0x7f0000000180)=@framed, &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000080)='sched_switch\x00', r3}, 0x10)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f000000c2c0)={0x0, 0x0, 0x0}, 0x0)
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r4, 0x29, 0x40, &(0x7f0000000680)=@raw={'raw\x00', 0x3c1, 0x3, 0x2b8, 0xf0, 0x6c, 0x200, 0x0, 0x0, 0x1e8, 0x2e8, 0x2e8, 0x1e8, 0x2e8, 0x3, 0x0, {[{{@uncond, 0x0, 0xa8, 0xf0}, @common=@unspec=@LED={0x48, 'LED\x00', 0x0, {'syz1\x00'}}}, {{@ipv6={@local, @local, [], [], 'ip6_vti0\x00', 'veth0\x00'}, 0x0, 0xd0, 0xf8, 0x0, {}, [@common=@unspec=@connlabel={{0x28}}]}, @common=@inet=@SET1={0x28}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x318)
executing program 1:
r0 = socket$tipc(0x1e, 0x5, 0x0)
setsockopt$TIPC_GROUP_JOIN(r0, 0x10f, 0x87, &(0x7f0000000100)={0x43, 0x0, 0x0, 0x3}, 0x10)
sendmsg$tipc(r0, &(0x7f00000005c0)={&(0x7f0000000000), 0x10, 0x0}, 0x0)
sendmsg$IPSET_CMD_CREATE(0xffffffffffffffff, 0x0, 0x0)
executing program 1:
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r0 = syz_io_uring_setup(0x0, &(0x7f0000000080), &(0x7f0000000000)=<r1=>0x0, &(0x7f00000001c0))
syz_io_uring_submit(r1, 0x0, &(0x7f0000000380)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd_index=0x3})
io_uring_enter(r0, 0x2def, 0x0, 0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff})
recvmmsg(r2, &(0x7f0000000400)=[{{0x0, 0xf5ffffff, 0x0, 0x0, 0x0, 0x4000000}}], 0xf00, 0x0, 0x0)
setsockopt$sock_int(r2, 0x1, 0x2e, &(0x7f0000000000)=0x400000d2, 0x4)
shutdown(r2, 0x0)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x7, &(0x7f0000000240), 0x4)
r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
preadv(r3, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
syz_init_net_socket$ax25(0x3, 0x2, 0x0)
openat$dir(0xffffffffffffff9c, 0x0, 0x0, 0x100)
remap_file_pages(&(0x7f00002ec000/0x200000)=nil, 0x200000, 0x0, 0x0, 0x0)
memfd_create(0x0, 0x0)
mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x10, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x3)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0xffffff2d, &(0x7f0000000080)=[{&(0x7f0000000040)="c00e02002d000b03d25a806f8c6394f90424fc602f1a04000a740100053582c137153e370248018000f01700d1bd", 0x33fe0}], 0x1}, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
executing program 2:
r0 = syz_usb_connect$printer(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000030020f003176c400000000001090224725100000000090400001207010300090501020000000000090582020002"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect(0x0, 0x4a, &(0x7f0000000140)=ANY=[], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_ep_write$ath9k_ep1(r1, 0x82, 0x88, &(0x7f00000005c0)=ANY=[])
syz_open_dev$char_usb(0xc, 0xb4, 0x0)
syz_usb_disconnect(r1)
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)
executing program 3:
r0 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r0, 0x29, 0x2a, &(0x7f0000000080)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @remote}}}, 0x108)
setsockopt$inet6_group_source_req(r0, 0x29, 0x2b, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @local}}}}, 0x108)
close(0xffffffffffffffff)
r1 = socket$inet6(0xa, 0x80001, 0x0)
setsockopt$inet6_group_source_req(r1, 0x29, 0x2e, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @private2}}}, 0x108)
r2 = syz_open_procfs(0x0, &(0x7f00000003c0)='net/mcfilter6\x00')
preadv(r2, &(0x7f00000000c0)=[{&(0x7f0000000580)=""/128, 0x80}], 0x1, 0xb6, 0x0)
executing program 4:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@bloom_filter={0x1e, 0x0, 0x1, 0x7, 0x0, 0x1}, 0x48)
bpf$MAP_LOOKUP_ELEM(0x2, &(0x7f0000001740)={r0, 0x0, &(0x7f0000001700)=""/53}, 0x20)
executing program 3:
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020702500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000000000000b703000000000000850000000400000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000200)='consume_skb\x00', r0}, 0x10)
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller0\x00', 0x84aebfbd6349b7f2})
executing program 4:
sendmsg$IPCTNL_MSG_CT_GET(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000380)={0x68, 0x0, 0x1, 0x0, 0x0, 0x0, {}, [@CTA_TUPLE_ORIG={0x24, 0x2, 0x0, 0x1, [@CTA_TUPLE_IP={0x14, 0x1, 0x0, 0x1, @ipv4={{0x8, 0x1, @broadcast}, {0x8, 0x2, @broadcast}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}, @CTA_TUPLE_ORIG={0x24, 0x1, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}, @CTA_TUPLE_IP={0x14, 0x1, 0x0, 0x1, @ipv4={{0x8, 0x1, @multicast1}, {0x8, 0x2, @dev}}}]}, @CTA_TIMEOUT={0x8}, @CTA_NAT_SRC={0x4}]}, 0x68}}, 0x0)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
syz_usb_connect(0x0, 0x3f, &(0x7f00000003c0)=ANY=[@ANYBLOB="12010000413b88400819151300000000000109022d0000ffe400000904"], 0x0)
executing program 1:
syz_open_dev$media(&(0x7f0000000000), 0x3, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r3, 0x400c620e, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
r4 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/profiling', 0x22042, 0x0)
write$P9_RUNLINKAT(r4, &(0x7f0000000040)={0x2d}, 0x7)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0)
socket$tipc(0x1e, 0x0, 0x0)
r5 = syz_open_dev$media(&(0x7f0000000080), 0x3f, 0x0)
syz_emit_vhci(0x0, 0x17)
ioctl$MEDIA_IOC_ENUM_LINKS(0xffffffffffffffff, 0xc0287c02, 0x0)
r6 = syz_open_dev$media(&(0x7f00000001c0), 0x4, 0x0)
ioctl$MEDIA_IOC_G_TOPOLOGY(r6, 0xc0487c04, 0x0)
syz_open_dev$media(&(0x7f0000000000), 0x0, 0x0)
ioctl$MEDIA_IOC_ENUM_LINKS(r5, 0xc0287c02, &(0x7f0000000180)={0x80000000, 0x0, &(0x7f0000000400)})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000000)='contention_begin\x00'}, 0x10)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
ioctl$FS_IOC_GETFSLABEL(r7, 0x800452d2, &(0x7f0000000100))
executing program 3:
socket$packet(0x11, 0x3, 0x300)
getrandom(&(0x7f0000002a40)=""/245, 0xf5, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$BATADV_CMD_GET_MCAST_FLAGS(0xffffffffffffffff, 0x0, 0x0)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000040), r0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
r1 = openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0)
openat$cgroup_freezer_state(r1, 0x0, 0x2, 0x0)
write$cgroup_pid(0xffffffffffffffff, 0x0, 0x0)
write$cgroup_pid(0xffffffffffffffff, 0x0, 0x0)
write$cgroup_freezer_state(0xffffffffffffffff, 0x0, 0x0)
r2 = openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup/syz1\x00', 0x1ff)
r3 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
write$cgroup_type(0xffffffffffffffff, &(0x7f0000000280), 0x9)
r4 = openat$cgroup_procs(r3, &(0x7f00000002c0)='cgroup.threads\x00', 0x2, 0x0)
write$cgroup_pid(r4, &(0x7f0000000c40), 0x12)
r5 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r6 = openat$cgroup_ro(r5, &(0x7f0000000100)='cgroup.freeze\x00', 0x275a, 0x0)
write$cgroup_int(r6, &(0x7f0000000200)=0x1, 0x12)
openat$cgroup_procs(r2, &(0x7f0000000040)='cgroup.procs\x00', 0x2, 0x0)
write$cgroup_pid(r6, &(0x7f0000000180), 0x12)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x26e1, 0x0)
sendmsg$MPTCP_PM_CMD_ANNOUNCE(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x4884)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000680)=ANY=[@ANYBLOB="20000000100000000000bd3c8f1f000000000000", @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], 0x20}}, 0x0)
r7 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$RFKILL_IOCTL_NOINPUT(r7, 0x541b)
executing program 3:
socket$inet_tcp(0x2, 0x1, 0x0)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000740)=ANY=[@ANYBLOB="180000000040b21626fe48e10000b4060000000000000095000000000000004766dbb7c392fae7982fcaed5ddd9f54e31bcadf3104f4e6e85d5379595351947a1ff4dd17b4af251017d72133b9ecc97ce082f363576ed79e06f0736bb772a0e02d4b5652c6e88c0551060000009c48b74b507a08ef7c562251ba734430c5d5e032a66e38ed083c60430135e3c242f3c58317aa470ad0b561c1136dac06bd25ab96cf82c741bfbc305f2351701d30"], &(0x7f0000000000)='syzkaller\x00'}, 0x90)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x6)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r0 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r0, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
r2 = socket$inet(0x2, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_MAX_BURST(r2, 0x84, 0x14, &(0x7f0000000000)=@assoc_value, &(0x7f0000000040)=0x8)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000400)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x414d6714bf78e135}, 0x9c)
close(0xffffffffffffffff)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='sched_process_wait\x00'}, 0x10)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x4, 0xe, &(0x7f00000012c0)=ANY=[@ANYBLOB="b702000000000000bfa300000000000007030000ffffffff7a0af0fff8ffff5979a4f0ff00000000b7060000ffffffff2d6405000000000065040400014741001404000001007d60b7030000000000006a0a00fe40000900850000001f000000b70000000004000095000000000000006623848adf1dc9a764ab51a064e0ff0c9b27a26293fddf0180000071ff31f1622271d5518193e09483c5a020c334f8c76334d8ce8303b01ddaa52e8756ad60a07d6f27c125e16d02409819180179714ed0a6e1f0f755d8583da60f27c162dbba0706002ac9170f50f2568836077b7f711a18ebf608d87b885297b6a79819782748b376358c33c9f53bfd989b1ca58949a54d5827df14feecea46408a05d572077f1252fbb72c3d099c501bc4ded6fca17a3447222c95edb47b77aafa63b9dd5fa5c53e9c37251709f1ff7f0000f07bf7f53ce129a9ecd3b4dd15100f2b450f98526a0d8cac7c97fc2f64015306a1bd7e43fe1ca8345710fb6379b4c53cf55eefb4c0974486a8d25a363adbd83b49e13fbd1777b27020bd9b8cff3f48c9411670c34f23ab8caf7851b290feb3045a1b622f20c4383a0280f040de7667f8b1d08428353b1c358ebe73af41e5b5b924275cb1749289b44e9728e7a73f148ac8206afe120c1437490d99000000110000fdffffffffffffffaf580278e1342aabd1b623f6c4f128858e4eb6b42f2173184c2b99b645f6ec0e14e5d7c95a0008000000f30f6c0000000000ff0000b8f5001a1d2a34dc0973ec302bc23211d3e3b6e6dad65a51e5497a3419cece48c38126247b27113ad4c7915c8f82c333a7b350802f0311807010d1ed50c18411aa6900daccc02f4ba4b078f07e41f781eee222c7d071d5a94d82ca9a0846c1af59cee16639b4970f8f0a82c6a712fd5722d637d406160ffaffffffb4e0bde6749aa52c408b74251914c5ff01000000000000b69ebcd8eee623e51dbb1f1b548c91a6825c0686fdc16be1cbb72c217fda18bd746253ca66093daf35923300b600000013887ad6d2d440fedce51a3aa57b00ac376e0a4649a8a84e1d293a6b109c5e59b366bca5cc3d936c53d4a48c05099e6fc36d5aa23bff8cce0600fcff00000300a568a8532623d12b40b50ac26f2e8255470a04bfbe7acb581b90991d965a01d1f84cb6b973558e1e3f8118c77ccf0b3c6eb6443870004da10c75723b65f83769ad1f0e4ef6b9ef1cec23264fd8fdac6264af1cb467020bdc12b797b6c156c439105829d2ae1c45f7cfa40df68fd36a03353a55e68ec7c01bd5a2028a8fc107007f3deb1f200abe1f753754678dae8b4e3ba3d086d4b95dfc5817e3dafae2d38b522f942cc750399d90296171fdb1e05882f8a4b8fbd219ccac3a895828b4f22b6527ce31ceb02b7b2b44925129677b7b3d2f8e7792c7827862eae80134552f0b076b168394f8417f25cc82ae04007193cbe69de8bf35e4bebd15412426b2e20ab1f05fc44ae9ae094c1b81d3ef947692b44d2afb09c7498d357836f03e8a7c392e535694a3ead2de11e6b1781e2a018c0ada7bc7f0eb2d678f23c07ac341fda2e563ee95085742f5fee9f95f4741b226e428d20b00bc140000e4b2f5efd0a0b1ceba000830ba8634b5aa26bdbe91614e92fae3c7349531df9bf4c01ebf5d8eb7d53e5f30647661623fbdb3f60033fc32f68ea86a2df1e76fe27dfdff1cf9194849c4cc0da9533e5983693e526a7dc0d8728f3b573ca4427bdb44df9341e9b8050e896598a156c935c800436a312e7ae3c011e46851ac599f0427729ab9c55ae0ab4c0000000000000000000000000000c87bcc2ac5aed9247b51d92e0993af4beaf1f3f47dcdfab9165f98155d93e383d6b85158b54675c1585037508c1e9461a1c3d1a6e2402045cae150a7016f1a90716eebbdf6afc4414d900be0bdf19f4a273f44f4357380b4387f1c8b104f0e406b2f04e5ed88631be6411f9927fe9f83412b7c5a676ceec8b454ebf6481c98e86b6933a02daea0b4ec0be5b3d916bd70208b4588626c277648475002e2c62681bd07331422a6e47bbd40857d52c4894944fae5c500000000000000ff00000000de784314b8fd419216b48d0f353c11ae185749fa9ac7dfa16bc5c23a23f74b17a7f1b2d799480f33faa3537a910d6ca02f48b0e69beb1119f106ea59195dbc72e17a5dc8c3d131d82f067e29dc39665dff39fb6347b374aaaf6e65efde3fc6202bf29ccfcb08caf18d668a462493aa82e76affba9c9af31d1c23237aa6eccfadfaf794bb1004c07b21ac6ed77718098b2f722bd05fea3561b86b2838a8de5b4f91d6aba95dc9f4464a024be4d0d8d04f5023e7e19e503624d39a43c7b310de519b4073f300022fee47803989b7e916254e0fb9e1c8b07d8a4b8b692a75a32e6ed2caeaa7c258c47fe6143cd9e90b801eff78cd4e402374e0e4ca07b7f17254e3d2f0a2a1bac6fde8a15e3ef3588065524d41966fb3915e804c53201efee751ec294584d23d9008bdf046f55c030ab941a0b87234a30900000000000068133c76770d5e7dabcc48d47685404cc540535ed70df75c24660d85f9c9a245185c7da217d1c3743db85db67b9b8a8f00af02367429f6f0b53c169c4356751bf68745dbde055e1722ae256ae53ae637a1431855d16dfa91d82a021a4b2dbb50bf6d59fdd0c9bc84cd7d544de2523b6ce8aaeb94bfba75079f7455204ccca02bd389d8409b2effe9b88e301ac4fe28752386a0678a3f54b2bdf56f927ddd6b0ac98b2b505f668597455ada51ba95ab852b49373a11ff31dcd82474b51498f65e0601bcdd23acb4c01bcd2f3e1ad378d14c07d923087d3518369710b70ffb0b523dc4f00f275c381fe1c091e478b04d5e4a9f75b4072acb005a83c25625ab7a351a68977177e27a1bf112114eb10250c2b9dca234f8967f0439696a2345e747b5f1d8c4bec86d8e8f2eb121ea0159615e7d475d45837921c2c0c3f9e683ac8000214a657c9f0a000000000000009e0b1a8c8f55f30e7c25275ed49b71828b375be03ef903cc8244b1269376d01b674cff9cb82eef0fe55c8b751053004ca6cef28d9a52c3771e9c73d03fdf74f48306560fb6cd86658afa895efa47f3a43e686df5b727ba4ec99620270334fce56c9f86b8a2c8aaede5a48a29b75734fbe1f59e43dc5a39b083848b0ebb14d845df7606e4d58f1a03f2dd337c3a10f3b15d388e43059aa88b42d26d4ccda6d60f996ed444d7f40e0cdbf69e11252a6c0e2d882d93b4f22dc95a191b1e6ff59d7880b4ce587f7ef05c46088268805cf089c4b3cd60cd3fc0c6d81fb2f961abcb0133f3f7a594b8475d6853b2e4fafc52a6851e8cfe1aebe3a4539634a511c1b67a9d9029c15074e286cad639144995718124b3a4be7b229410a6cc2b140b749389859de410553d38ab780389fdc6fbef05db4f4298bccb01c31a8db24f8eb7f1e45e7e1dcb717e3bf20c860632436dd1ffc03945499b0f7a3da6b257ba1723dff47ab2dfebc946c3e8e0f834ef18dae64ca56c9de1ccf2b6622d11100fea9c8af6690000a3c9620f56f0a6ee401319e347e6e9b6464002a612f46454ba0a03e9dde06aaab404c4d3267969b9bc353e254c1dc61df617c51eab7cd4a656a662d80c9e1179a9cedd4ecccf937a5ee2016aa9948b4be1dcd89bf97745edbecc5f006b15212a968e554880e6eaade43984cba8f248b7d0b649f403510edea6d60d68685f3be16914c8c7e12dcd4216564c3e30a0ac9dec2400933b"], &(0x7f0000000340)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000880), 0xfffffffffffffddd}, 0x48)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000300)={r3, 0xe0, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffe2, 0x0, 0x8, 0x0, 0x0}}, 0x10)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0xb, 0x100, 0x100, 0x9, 0x1, 0x1}, 0x48)
bpf$MAP_LOOKUP_BATCH(0x1b, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000100), 0x0, 0x3, r4}, 0x38)
bpf$LINK_GET_NEXT_ID(0x1f, &(0x7f0000000d00), 0x8)
bpf$BPF_LINK_UPDATE(0x1d, &(0x7f0000000040), 0x10)
executing program 2:
r0 = socket$tipc(0x1e, 0x5, 0x0)
setsockopt$TIPC_GROUP_JOIN(r0, 0x10f, 0x87, &(0x7f0000000100)={0x43, 0x0, 0x0, 0x3}, 0x10)
sendmsg$tipc(r0, &(0x7f00000005c0)={&(0x7f0000000000), 0x10, 0x0}, 0x0)
sendmsg$IPSET_CMD_CREATE(0xffffffffffffffff, 0x0, 0x0)
executing program 1:
getpid()
sched_setscheduler(0x0, 0x0, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0x400c620e, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/profiling', 0x22042, 0x0)
write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x2d}, 0x7)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0)
socket$tipc(0x1e, 0x0, 0x0)
r4 = syz_open_dev$media(&(0x7f0000000080), 0x3f, 0x0)
syz_emit_vhci(0x0, 0x17)
ioctl$MEDIA_IOC_ENUM_LINKS(0xffffffffffffffff, 0xc0287c02, 0x0)
r5 = syz_open_dev$media(&(0x7f00000001c0), 0x4, 0x0)
ioctl$MEDIA_IOC_G_TOPOLOGY(r5, 0xc0487c04, 0x0)
syz_open_dev$media(&(0x7f0000000000), 0x0, 0x0)
ioctl$MEDIA_IOC_ENUM_LINKS(r4, 0xc0287c02, &(0x7f0000000180)={0x80000000, 0x0, &(0x7f0000000400)})
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000014c0)={0x11, 0x3, &(0x7f0000000100)=ANY=[@ANYBLOB="18000000000000000000000000ed000095"], &(0x7f00000000c0)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000000)='contention_begin\x00', r6}, 0x10)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
ioctl$FS_IOC_GETFSLABEL(r7, 0x800452d2, &(0x7f0000000100))
executing program 2:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCSIFBR(r0, 0x8941, &(0x7f00000000c0)=@add_del={0x3, 0x0})
executing program 4:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl802154(&(0x7f0000000380), 0xffffffffffffffff)
sendmsg$IEEE802154_LLSEC_ADD_SECLEVEL(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000340)={&(0x7f00000000c0)={0x24, 0x0, 0x60b, 0x0, 0x0, {}, [@IEEE802154_ATTR_DEV_INDEX={0x8}, @IEEE802154_ATTR_LLSEC_FRAME_TYPE={0x5}]}, 0x24}}, 0x0)
sendmsg$NL802154_CMD_GET_INTERFACE(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2000000}, 0xc, 0x0}, 0x0)
syz_open_dev$vcsu(0x0, 0x0, 0x0)
syz_genetlink_get_family_id$nl80211(&(0x7f00000003c0), 0xffffffffffffffff)
sendmsg$NL802154_CMD_DEL_SEC_DEVKEY(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000200)={0x58, r1, 0x1, 0x0, 0x0, {}, [@NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x100000001}, @NL802154_ATTR_SEC_DEVKEY={0x38, 0x2f, 0x0, 0x1, [@NL802154_DEVKEY_ATTR_EXTENDED_ADDR={0xc}, @NL802154_DEVKEY_ATTR_ID={0x28, 0x3, 0x0, 0x1, [@NL802154_KEY_ID_ATTR_IMPLICIT={0x1c, 0x3, 0x0, 0x1, [@NL802154_DEV_ADDR_ATTR_PAN_ID={0x6}, @NL802154_DEV_ADDR_ATTR_SHORT={0x6}, @NL802154_DEV_ADDR_ATTR_MODE={0x8, 0x2, 0x2}]}, @NL802154_KEY_ID_ATTR_MODE={0x8}]}]}]}, 0x58}}, 0x0)
executing program 2:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x3, &(0x7f0000000180)=@framed, &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000080)='sched_switch\x00', r3}, 0x10)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f000000c2c0)={0x0, 0x0, 0x0}, 0x0)
r4 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r4, 0x29, 0x40, &(0x7f0000000680)=@raw={'raw\x00', 0x3c1, 0x3, 0x2b8, 0xf0, 0x6c, 0x200, 0x0, 0x0, 0x1e8, 0x2e8, 0x2e8, 0x1e8, 0x2e8, 0x3, 0x0, {[{{@uncond, 0x0, 0xa8, 0xf0}, @common=@unspec=@LED={0x48, 'LED\x00', 0x0, {'syz1\x00'}}}, {{@ipv6={@local, @local, [], [], 'ip6_vti0\x00', 'veth0\x00'}, 0x0, 0xd0, 0xf8, 0x0, {}, [@common=@unspec=@connlabel={{0x28}}]}, @common=@inet=@SET1={0x28}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x318)
executing program 4:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000000000000000000004b64ffec850000006d000000670000000500000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000180)='tlb_flush\x00', r0}, 0x10)
bpf$ENABLE_STATS(0x20, 0x0, 0x0)
r1 = getpid()
process_vm_readv(r1, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
r2 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r2, &(0x7f0000000340)={0x26, 'hash\x00', 0x0, 0x0, 'wp512-generic\x00'}, 0x58)
r3 = accept$alg(r2, 0x0, 0x0)
sendmmsg$alg(r3, &(0x7f0000000b80)=[{0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000000100)='v', 0xf4240}], 0x1}], 0x1, 0x8004)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r2=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)=ANY=[@ANYBLOB="3c00000010000100"/20, @ANYRES32=r2, @ANYBLOB="00000000000000001c0012800b00010009006373656300000c0002"], 0x3c}}, 0x0)
executing program 2:
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000240)={0x0, 0xffffffffffffffff, 0x0, 0x7, &(0x7f0000000000)='cgroup\x00'}, 0x30)
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x9, 0x4, &(0x7f00000008c0)=ANY=[@ANYBLOB="180000000000000000000000000000006112000000000000950000000000000051fa7824c74186dc02ec0696c37b64e3b24da3180100000005165c0f63cdc2e82818254950ee03568b8809a1ff4c7c4750eabfafcb9531b31e6a86827d1010c5a909ab98e00e19644a88e95ba26d1c9eecddb2d11c541418ceeb29b9b6829c6e433822bdb3cc85244aab60c1aae1314d7381fcfeb970bea672cf1e926f6a51479343144648a07a975bd89dc398712376610f6254f12495b4658319684387f6f3543205d4bc4ce05b8b961103673dff7f158052e62b20f05fd24108d8363d44fcd0f8f3647899762a17282a1914452d11f557c28f396eebdc858558db0276d14f9035f2b5f703e5be7e4acf8b78c2834ae5805fffee38a9a0033d520bcf6b08ede50899d4b9bdf85c71c5de2503dab358f42a2624c7daa9ed44039aab46419496362e54cfad05a0004ac71a003d7b85d07191bed4e5a890826300214146f7ed569985439baa355c2766dd056f5d79e454f3d873095e7a237bc06d035a8d601f21746d886419f38b34a495040000000071c2f0cce8c93cc17e9afa314fcb2ba15d646c66b0f65021829f87d988b4e2d71753b1549fa734f0b2e56dbd21ed2e09d0cddad721971637f384eed3034597c93e1c52f42cad0ed09c395dc6e9703660fefa1c80f467367c006f25caf0cbcefd13d68839893e39c588eb032905f91cafa4996dbf0c9be9654db05fb918086cc8228d02a3092c0830b8f587a5624515298b2d4eb2bde6f9a2eb83d53f717f13fa7552d92c51dbd32ea50c490ecd085d2811a7555c538cffffff7f00000000dd872244bfa64779e0f43a9c277e2910b7ccdc3d6726d34ad2101033a623ca2a49ad344884289130bc71cee2b7de62bf48129ae1af052a2d46a61625735a9eea7f793946b3229e861d8ea49806b3f7d4295f6b000000000000f337b1ceb2d8a65dcdcd895d7ba37098d2593fdaaef445af5bee02019c00000099b13ecda2a5b37de0519e974cba92ebaf0f701611a9b027ce04340bda4594cc9049c3f101629ab028145e004209ebe71a6fe84af50804000000000000004a27213354964e250a98fe357676f94b6947383e320fbb1118f586d5b9b1b977e1e1a4490ff67703a9b5900f8a6f8a805879dd91ec5ff435b219c53680c0ae04dcc4ef69b98fcb0d6b6a03a8b71a66b4e2876dc4b610444bf10000000000b046b6ae5d68156bcbd6d8793ade9a22ac8fc7857e5bbc14adc4e12b08f350c6789283b9990c72e64372a1f79769a8bdc632fc1a0b3417855d8b7d25ca4d404c23631ad3d2f55dcd385371c86170a4bca58c2b2b4eabc365f45bd10bb45b0c5bc354456a52be18d9b44014d20a3c51c8f013dade83562e73278662829e4f5a9ac00fd91178468c737f0872d97d38d11a176be5a0d7294c51eb161eddcfefa8837c7430721851ec2a107af0df6d43e732bbc01e76c66895eb85d36798d61622773591ee21ad9f6a1b73fa9cf3ffeb8a00b63af800a81d0fb8aa29df8b8ad6fbafefb5802a23cbdeeabceda5bfc5ff2fa5c1d61d04a1324794c6ed000696d9f04010c35474e690545c3d9bd836d4cef2585ba616e01c3d000000000000000000470ebc6f3453ecbf3047e4547d7632d3ad21798e730cb5d1da059b5bdb8107815dff995c0788906790406dfb4f8ee9f24ff94233e2e6e581e6e5de33a5f254c9a8b612547473c3001df3928dac9203b744619082421a8da7c00000000000000000000000000000018a73ef40cca690fb7595c6962984f8276677be6f66cbdbccf1896433808c9c84d74ac4a7c186a04a2250972f7acb156b21f9826b6acb7db32c4e3b3ec8b59fd972975edb1da872d81a35e4fda2f5cbde6b40bea20418c6e9dad30b791eea58f53e80fee4dd7fe08373ea2784fcd3a65261de71eb866458d2c22a"], &(0x7f0000000100)='GPL\x00'}, 0x70)
bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000040)={@cgroup=r0, r1, 0x2}, 0x10)
socket$kcm(0xa, 0x5, 0x0)
executing program 3:
r0 = socket$inet(0x2, 0x2, 0x1)
r1 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000040)={'bridge_slave_0\x00', <r2=>0x0})
sendmsg$inet(r0, &(0x7f0000000380)={&(0x7f0000000300)={0x2, 0x0, @broadcast}, 0x10, &(0x7f00000000c0)=[{&(0x7f0000000400)='\b\x00', 0x2}, {&(0x7f0000000180)="96bc1480bb58", 0x6}], 0x2, &(0x7f0000000240)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {r2, @rand_addr, @remote}}}], 0x20}, 0x0)
executing program 2:
r0 = syz_open_dev$evdev(&(0x7f0000000000), 0x0, 0x0)
ioctl$EVIOCGMTSLOTS(r0, 0x8040450a, &(0x7f0000000600)=""/140)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 5 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$evdev-ioctl$EVIOCGMTSLOTS
detailed listing:
executing program 0:
r0 = syz_open_dev$evdev(&(0x7f0000000000), 0x0, 0x0)
ioctl$EVIOCGMTSLOTS(r0, 0x8040450a, &(0x7f0000000600)=""/140)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet-socket$packet-ioctl$sock_SIOCGIFINDEX-sendmsg$inet
detailed listing:
executing program 0:
r0 = socket$inet(0x2, 0x2, 0x1)
r1 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000040)={'bridge_slave_0\x00', <r2=>0x0})
sendmsg$inet(r0, &(0x7f0000000380)={&(0x7f0000000300)={0x2, 0x0, @broadcast}, 0x10, &(0x7f00000000c0)=[{&(0x7f0000000400)='\b\x00', 0x2}, {&(0x7f0000000180)="96bc1480bb58", 0x6}], 0x2, &(0x7f0000000240)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {r2, @rand_addr, @remote}}}], 0x20}, 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ENABLE_STATS-getpid-process_vm_readv-socket$alg-bind$alg-accept$alg-sendmmsg$alg
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000000000000000000004b64ffec850000006d000000670000000500000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000180)='tlb_flush\x00', r0}, 0x10)
bpf$ENABLE_STATS(0x20, 0x0, 0x0)
r1 = getpid()
process_vm_readv(r1, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
r2 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r2, &(0x7f0000000340)={0x26, 'hash\x00', 0x0, 0x0, 'wp512-generic\x00'}, 0x58)
r3 = accept$alg(r2, 0x0, 0x0)
sendmmsg$alg(r3, &(0x7f0000000b80)=[{0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000000100)='v', 0xf4240}], 0x1}], 0x1, 0x8004)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-sched_setscheduler-openat$binderfs-ioctl$BINDER_WRITE_READ-openat$sysfs-write$P9_RUNLINKAT-ioctl$BINDER_WRITE_READ-socket$tipc-syz_open_dev$media-syz_emit_vhci-ioctl$MEDIA_IOC_ENUM_LINKS-syz_open_dev$media-ioctl$MEDIA_IOC_G_TOPOLOGY-syz_open_dev$media-ioctl$MEDIA_IOC_ENUM_LINKS-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_init_net_socket$bt_l2cap-ioctl$FS_IOC_GETFSLABEL
detailed listing:
executing program 0:
getpid()
sched_setscheduler(0x0, 0x0, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0x400c620e, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/profiling', 0x22042, 0x0)
write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x2d}, 0x7)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0)
socket$tipc(0x1e, 0x0, 0x0)
r4 = syz_open_dev$media(&(0x7f0000000080), 0x3f, 0x0)
syz_emit_vhci(0x0, 0x17)
ioctl$MEDIA_IOC_ENUM_LINKS(0xffffffffffffffff, 0xc0287c02, 0x0)
r5 = syz_open_dev$media(&(0x7f00000001c0), 0x4, 0x0)
ioctl$MEDIA_IOC_G_TOPOLOGY(r5, 0xc0487c04, 0x0)
syz_open_dev$media(&(0x7f0000000000), 0x0, 0x0)
ioctl$MEDIA_IOC_ENUM_LINKS(r4, 0xc0287c02, &(0x7f0000000180)={0x80000000, 0x0, &(0x7f0000000400)})
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000014c0)={0x11, 0x3, &(0x7f0000000100)=ANY=[@ANYBLOB="18000000000000000000000000ed000095"], &(0x7f00000000c0)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000000)='contention_begin\x00', r6}, 0x10)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
ioctl$FS_IOC_GETFSLABEL(r7, 0x800452d2, &(0x7f0000000100))

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
single: successfully extracted reproducer
found reproducer with 4 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io(0xffffffffffffffff, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
simplifying C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
reproducing took 55m20.953078931s
repro crashed as (corrupted=false):
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: USB HID v0.00 Device [HID 04d8:00dd] on usb-dummy_hcd.0-1/input0
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
lr : mcp_smbus_xfer+0x44/0xdb0 drivers/hid/hid-mcp2221.c:414
sp : ffff800018be5f40
x29: ffff800018be5f40 x28: 0000000000000000 x27: dfff800000000000
x26: 1fffe0001964f036 x25: 0000000000000000 x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000018 x21: 0000000000000000
x20: 1ffff00002947e30 x19: 0000000000000000 x18: ffff800018be5d20
x17: 0000000000000000 x16: ffff800011ab3128 x15: 000000000000c4b7
x14: 000000003b0214a6 x13: dfff800000000000 x12: 0000f2f2f2f2f202
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000c0a81b40
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000018 x0 : ffff0000cb278088
Call trace:
 mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
 __i2c_smbus_xfer+0x570/0x2b70 drivers/i2c/i2c-core-smbus.c:589
 i2c_smbus_xfer+0x210/0x31c drivers/i2c/i2c-core-smbus.c:544
 i2c_default_probe+0x1c0/0x248
 i2c_detect_address drivers/i2c/i2c-core-base.c:2408 [inline]
 i2c_detect drivers/i2c/i2c-core-base.c:2483 [inline]
 i2c_do_add_adapter+0x3c4/0x8d4 drivers/i2c/i2c-core-base.c:1372
 __process_new_adapter+0x28/0x3c drivers/i2c/i2c-core-base.c:1379
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 i2c_register_adapter+0xcc8/0xf8c drivers/i2c/i2c-core-base.c:1542
 i2c_add_adapter+0x170/0x250
 mcp2221_probe+0x240/0x56c drivers/hid/hid-mcp2221.c:882
 hid_device_probe+0x23c/0x338 drivers/hid/hid-core.c:2307
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 hid_add_device+0x318/0x4b4 drivers/hid/hid-core.c:2459
 usbhid_probe+0x868/0xba8 drivers/hid/usbhid/hid-core.c:1424
 usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_new_device+0x900/0x145c drivers/usb/core/hub.c:2593
 hub_port_connect drivers/usb/core/hub.c:5455 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 port_event drivers/usb/core/hub.c:5741 [inline]
 hub_event+0x236c/0x46b8 drivers/usb/core/hub.c:5823
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: aa1303e0 96502d95 f9400273 d343fe7c (387b6b88) 
---[ end trace 799fd7c61a10f279 ]---
----------------
Code disassembly (best guess):
   0:	aa1303e0 	mov	x0, x19
   4:	96502d95 	bl	0xfffffffff940b658
   8:	f9400273 	ldr	x19, [x19]
   c:	d343fe7c 	lsr	x28, x19, #3
* 10:	387b6b88 	ldrb	w8, [x28, x27] <-- trapping instruction

final repro crashed as (corrupted=false):
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: USB HID v0.00 Device [HID 04d8:00dd] on usb-dummy_hcd.0-1/input0
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
lr : mcp_smbus_xfer+0x44/0xdb0 drivers/hid/hid-mcp2221.c:414
sp : ffff800018be5f40
x29: ffff800018be5f40 x28: 0000000000000000 x27: dfff800000000000
x26: 1fffe0001964f036 x25: 0000000000000000 x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000018 x21: 0000000000000000
x20: 1ffff00002947e30 x19: 0000000000000000 x18: ffff800018be5d20
x17: 0000000000000000 x16: ffff800011ab3128 x15: 000000000000c4b7
x14: 000000003b0214a6 x13: dfff800000000000 x12: 0000f2f2f2f2f202
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000c0a81b40
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000018 x0 : ffff0000cb278088
Call trace:
 mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
 __i2c_smbus_xfer+0x570/0x2b70 drivers/i2c/i2c-core-smbus.c:589
 i2c_smbus_xfer+0x210/0x31c drivers/i2c/i2c-core-smbus.c:544
 i2c_default_probe+0x1c0/0x248
 i2c_detect_address drivers/i2c/i2c-core-base.c:2408 [inline]
 i2c_detect drivers/i2c/i2c-core-base.c:2483 [inline]
 i2c_do_add_adapter+0x3c4/0x8d4 drivers/i2c/i2c-core-base.c:1372
 __process_new_adapter+0x28/0x3c drivers/i2c/i2c-core-base.c:1379
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 i2c_register_adapter+0xcc8/0xf8c drivers/i2c/i2c-core-base.c:1542
 i2c_add_adapter+0x170/0x250
 mcp2221_probe+0x240/0x56c drivers/hid/hid-mcp2221.c:882
 hid_device_probe+0x23c/0x338 drivers/hid/hid-core.c:2307
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 hid_add_device+0x318/0x4b4 drivers/hid/hid-core.c:2459
 usbhid_probe+0x868/0xba8 drivers/hid/usbhid/hid-core.c:1424
 usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_new_device+0x900/0x145c drivers/usb/core/hub.c:2593
 hub_port_connect drivers/usb/core/hub.c:5455 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 port_event drivers/usb/core/hub.c:5741 [inline]
 hub_event+0x236c/0x46b8 drivers/usb/core/hub.c:5823
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: aa1303e0 96502d95 f9400273 d343fe7c (387b6b88) 
---[ end trace 799fd7c61a10f279 ]---
----------------
Code disassembly (best guess):
   0:	aa1303e0 	mov	x0, x19
   4:	96502d95 	bl	0xfffffffff940b658
   8:	f9400273 	ldr	x19, [x19]
   c:	d343fe7c 	lsr	x28, x19, #3
* 10:	387b6b88 	ldrb	w8, [x28, x27] <-- trapping instruction