Extracting prog: 1m22.161396661s Minimizing prog: 42m40.549090408s Simplifying prog options: 0s Extracting C: 1m9.381488696s Simplifying C: 20m12.79716472s extracting reproducer from 38 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI-ioctl$KVM_SET_REGS-ioctl$KVM_RUN-ioctl$BINDER_WRITE_READ-ioctl$KVM_SET_MSRS-openat$tun-ioctl$TUNSETTXFILTER-openat$selinux_status detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) ioctl$KVM_SET_REGS(r8, 0x4090ae82, &(0x7f0000000380)={[0x0, 0x100000000, 0x0, 0x81, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x1, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2], 0x0, 0x200}) ioctl$KVM_RUN(r8, 0xae80, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000800)={0x10, 0x0, &(0x7f0000000600)=[@request_death={0x400c630e, 0xfffffffc}], 0x0, 0x0, 0x0}) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0x4008ae89, &(0x7f0000000000)={0x1, 0x0, [{0x2ff, 0x0, 0x5}]}) r9 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$TUNSETTXFILTER(r9, 0x400454ca, &(0x7f0000000000)=ANY=[]) openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) program crashed: null pointer dereference occurred in ::from_ptr single: successfully extracted reproducer found reproducer with 29 syscalls minimizing guilty program testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI-ioctl$KVM_SET_REGS-ioctl$KVM_RUN-ioctl$BINDER_WRITE_READ-ioctl$KVM_SET_MSRS-openat$tun-ioctl$TUNSETTXFILTER detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) ioctl$KVM_SET_REGS(r8, 0x4090ae82, &(0x7f0000000380)={[0x0, 0x100000000, 0x0, 0x81, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x1, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2], 0x0, 0x200}) ioctl$KVM_RUN(r8, 0xae80, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000800)={0x10, 0x0, &(0x7f0000000600)=[@request_death={0x400c630e, 0xfffffffc}], 0x0, 0x0, 0x0}) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0x4008ae89, &(0x7f0000000000)={0x1, 0x0, [{0x2ff, 0x0, 0x5}]}) r9 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$TUNSETTXFILTER(r9, 0x400454ca, &(0x7f0000000000)=ANY=[]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI-ioctl$KVM_SET_REGS-ioctl$KVM_RUN-ioctl$BINDER_WRITE_READ-ioctl$KVM_SET_MSRS-openat$tun detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) ioctl$KVM_SET_REGS(r8, 0x4090ae82, &(0x7f0000000380)={[0x0, 0x100000000, 0x0, 0x81, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x1, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2], 0x0, 0x200}) ioctl$KVM_RUN(r8, 0xae80, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000800)={0x10, 0x0, &(0x7f0000000600)=[@request_death={0x400c630e, 0xfffffffc}], 0x0, 0x0, 0x0}) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0x4008ae89, &(0x7f0000000000)={0x1, 0x0, [{0x2ff, 0x0, 0x5}]}) openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI-ioctl$KVM_SET_REGS-ioctl$KVM_RUN-ioctl$BINDER_WRITE_READ-ioctl$KVM_SET_MSRS detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) ioctl$KVM_SET_REGS(r8, 0x4090ae82, &(0x7f0000000380)={[0x0, 0x100000000, 0x0, 0x81, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x1, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2], 0x0, 0x200}) ioctl$KVM_RUN(r8, 0xae80, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000800)={0x10, 0x0, &(0x7f0000000600)=[@request_death={0x400c630e, 0xfffffffc}], 0x0, 0x0, 0x0}) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0x4008ae89, &(0x7f0000000000)={0x1, 0x0, [{0x2ff, 0x0, 0x5}]}) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI-ioctl$KVM_SET_REGS-ioctl$KVM_RUN-ioctl$BINDER_WRITE_READ detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) ioctl$KVM_SET_REGS(r8, 0x4090ae82, &(0x7f0000000380)={[0x0, 0x100000000, 0x0, 0x81, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x1, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2], 0x0, 0x200}) ioctl$KVM_RUN(r8, 0xae80, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000800)={0x10, 0x0, &(0x7f0000000600)=[@request_death={0x400c630e, 0xfffffffc}], 0x0, 0x0, 0x0}) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI-ioctl$KVM_SET_REGS-ioctl$KVM_RUN detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) ioctl$KVM_SET_REGS(r8, 0x4090ae82, &(0x7f0000000380)={[0x0, 0x100000000, 0x0, 0x81, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x1, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2], 0x0, 0x200}) ioctl$KVM_RUN(r8, 0xae80, 0x0) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI-ioctl$KVM_SET_REGS detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) ioctl$KVM_SET_REGS(r8, 0x4090ae82, &(0x7f0000000380)={[0x0, 0x100000000, 0x0, 0x81, 0x100000, 0x0, 0x2004c8, 0x8000000, 0x0, 0x1, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x2], 0x0, 0x200}) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU-ioctl$KVM_NMI detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) ioctl$KVM_NMI(r3, 0xae9a) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_CREATE_VCPU detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r3 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r4]) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r2}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r5 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r5, 0x0, 0xd, 0x0, 0x0) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x1) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r2 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r4 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r4, 0x0, 0xd, 0x0, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm-ioctl$KVM_CREATE_VM detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r2 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r4 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r4, 0x0, 0xd, 0x0, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int-openat$kvm detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r2 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r4 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r4, 0x0, 0xd, 0x0, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x161642, 0x0) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp-setsockopt$inet_int detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r2 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) r4 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_int(r4, 0x0, 0xd, 0x0, 0x0) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ-socket$inet_icmp detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r2 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) socket$inet_icmp(0x2, 0x2, 0x1) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd-ioctl$BINDER_WRITE_READ detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r2 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r2, @ANYBLOB=',wfdno=', @ANYRESHEX=r3]) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x4c, 0x0, &(0x7f0000000140)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x58, 0x18, &(0x7f00000001c0)={@flat=@handle={0x73682a85, 0x1, 0x1}, @fd={0x66642a85, 0x0, r1}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x2, 0x18}}, &(0x7f0000000280)={0x0, 0x18, 0x30}}, 0x10}], 0x0, 0x0, 0x0}) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r2, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-connect$bt_l2cap detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$bt_l2cap(r1, &(0x7f0000000000)={0x1f, 0x3ff, @any, 0x7, 0x1}, 0xe) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_open_procfs-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-openat$uhid-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$uhid(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-ioctl$TCGETS-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) ioctl$TCGETS(0xffffffffffffffff, 0x5401, &(0x7f0000000d00)) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-mmap$binder-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-ioctl$BINDER_SET_CONTEXT_MGR_EXT-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100}) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r1, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-timer_gettime-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) timer_gettime(0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-ioctl$KVM_GET_DIRTY_LOG-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) ioctl$KVM_GET_DIRTY_LOG(0xffffffffffffffff, 0x4010ae42, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VM-openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$KVM_SET_USER_MEMORY_REGION-openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000100)={0x1fd, 0x0, 0xeeee8000, 0x1000, &(0x7f0000fec000/0x1000)=nil}) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program crashed: null pointer dereference occurred in ::from_ptr testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, 0x0) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, 0x0, &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', 0x0, 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, 0x0) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB, @ANYRESHEX=r1]) program did not crash testing program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd detailed listing: executing program 0: openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) mount$9p_fd(0x0, &(0x7f0000000300)='.\x00', &(0x7f0000000080), 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB, @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r1]) program did not crash extracting C reproducer testing compiled C program (duration=32.433026358s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr simplifying C reproducer testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program did not crash testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program did not crash testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program did not crash testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program did not crash testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr testing compiled C program (duration=32.433026358s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_open_procfs-syz_init_net_socket$bt_l2cap-mount$9p_fd program crashed: null pointer dereference occurred in ::from_ptr reproducing took 1h5m24.889219876s repro crashed as (corrupted=false): rust_kernel: panicked at rust/kernel/sync/poll.rs:54:18: null pointer dereference occurred ------------[ cut here ]------------ kernel BUG at rust/helpers/bug.c:7! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 323 Comm: kworker/0:6 Not tainted 6.12.23-syzkaller-g6c1c18fcb8b7 #0 ba78288b1e32eb9f88d3f8d8da6b79a037cd8362 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: events p9_poll_workfn RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7 Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 dc a5 2a bf 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 96 61 63 33 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc9000123f890 EFLAGS: 00010246 RAX: 000000000000005a RBX: 1ffff92000247f14 RCX: a3ac999ac45c5400 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: ffffc9000123f890 R08: ffffc9000123f587 R09: 1ffff92000247eb0 R10: dffffc0000000000 R11: fffff52000247eb1 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000123f8c0 R15: ffffc9000123f8f0 FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000001214e4000 CR4: 00000000003526b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __rustc::rust_begin_unwind+0x15b/0x160 rust/kernel/lib.rs:128 core::panicking::panic_nounwind_fmt::runtime usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:117 [inline] core::panicking::panic_nounwind_fmt+0xec/0xf0 usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/intrinsics/mod.rs:3241 core::panicking::panic_null_pointer_dereference+0x49/0x4c usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:304 ::from_ptr+0x40/0x40 rust/kernel/sync/poll.rs:54 rust_binder::rust_binder_poll+0xe2/0x570 drivers/android/binder/rust_binder.rs:475 vfs_poll include/linux/poll.h:92 [inline] p9_fd_poll net/9p/trans_fd.c:236 [inline] p9_poll_mux net/9p/trans_fd.c:628 [inline] p9_poll_workfn+0x389/0x600 net/9p/trans_fd.c:1177 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0x7d2/0x1020 kernel/workqueue.c:3319 worker_thread+0xc58/0x1250 kernel/workqueue.c:3400 kthread+0x2c7/0x370 kernel/kthread.c:389 ret_from_fork+0x64/0xa0 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7 Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 dc a5 2a bf 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 96 61 63 33 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc9000123f890 EFLAGS: 00010246 RAX: 000000000000005a RBX: 1ffff92000247f14 RCX: a3ac999ac45c5400 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: ffffc9000123f890 R08: ffffc9000123f587 R09: 1ffff92000247eb0 R10: dffffc0000000000 R11: fffff52000247eb1 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000123f8c0 R15: ffffc9000123f8f0 FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000001214e4000 CR4: 00000000003526b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 final repro crashed as (corrupted=false): rust_kernel: panicked at rust/kernel/sync/poll.rs:54:18: null pointer dereference occurred ------------[ cut here ]------------ kernel BUG at rust/helpers/bug.c:7! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 323 Comm: kworker/0:6 Not tainted 6.12.23-syzkaller-g6c1c18fcb8b7 #0 ba78288b1e32eb9f88d3f8d8da6b79a037cd8362 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: events p9_poll_workfn RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7 Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 dc a5 2a bf 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 96 61 63 33 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc9000123f890 EFLAGS: 00010246 RAX: 000000000000005a RBX: 1ffff92000247f14 RCX: a3ac999ac45c5400 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: ffffc9000123f890 R08: ffffc9000123f587 R09: 1ffff92000247eb0 R10: dffffc0000000000 R11: fffff52000247eb1 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000123f8c0 R15: ffffc9000123f8f0 FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000001214e4000 CR4: 00000000003526b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __rustc::rust_begin_unwind+0x15b/0x160 rust/kernel/lib.rs:128 core::panicking::panic_nounwind_fmt::runtime usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:117 [inline] core::panicking::panic_nounwind_fmt+0xec/0xf0 usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/intrinsics/mod.rs:3241 core::panicking::panic_null_pointer_dereference+0x49/0x4c usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:304 ::from_ptr+0x40/0x40 rust/kernel/sync/poll.rs:54 rust_binder::rust_binder_poll+0xe2/0x570 drivers/android/binder/rust_binder.rs:475 vfs_poll include/linux/poll.h:92 [inline] p9_fd_poll net/9p/trans_fd.c:236 [inline] p9_poll_mux net/9p/trans_fd.c:628 [inline] p9_poll_workfn+0x389/0x600 net/9p/trans_fd.c:1177 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0x7d2/0x1020 kernel/workqueue.c:3319 worker_thread+0xc58/0x1250 kernel/workqueue.c:3400 kthread+0x2c7/0x370 kernel/kthread.c:389 ret_from_fork+0x64/0xa0 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7 Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 dc a5 2a bf 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 96 61 63 33 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc9000123f890 EFLAGS: 00010246 RAX: 000000000000005a RBX: 1ffff92000247f14 RCX: a3ac999ac45c5400 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: ffffc9000123f890 R08: ffffc9000123f587 R09: 1ffff92000247eb0 R10: dffffc0000000000 R11: fffff52000247eb1 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000123f8c0 R15: ffffc9000123f8f0 FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000001214e4000 CR4: 00000000003526b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400