Extracting prog: 5m30.279041379s Minimizing prog: 23m9.408857437s Simplifying prog options: 0s Extracting C: 31.083595176s Simplifying C: 14m9.785524276s extracting reproducer from 48 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash single: failed to extract reproducer bisect: bisecting 48 programs with base timeout 30s testing program (duration=42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4] detailed listing: executing program 1: r0 = fsopen(&(0x7f0000000000)='exfat\x00', 0x0) fsconfig$FSCONFIG_SET_STRING(r0, 0x1, &(0x7f0000001100)='iocharset', &(0x7f0000001140)='\xe0^@&&}\'\x00', 0x0) close(0x3) executing program 1: r0 = syz_init_net_socket$nfc_raw(0x27, 0x5, 0x0) r1 = dup(r0) connect$inet6(r1, &(0x7f00000000c0)={0x27, 0x4c21, 0x1, @remote, 0x7}, 0x1c) executing program 1: r0 = socket(0x10, 0x80002, 0x0) sendmsg(r0, &(0x7f0000001180)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f0000000040)="24000000180003041dfffd946f610500020100000005fe060c10880008000f00fff3c00e140000001a00ffffba16a0aa1c091dbfa1090000", 0x38}], 0x1}, 0x0) recvmmsg(r0, &(0x7f0000000b00)=[{{0x0, 0x0, 0x0}, 0x81}, {{0x0, 0x0, 0x0}, 0x1ff}, {{0x0, 0x0, &(0x7f00000005c0)=[{&(0x7f0000000480)=""/205, 0xcd}, {&(0x7f0000000580)=""/50, 0x32}, {&(0x7f0000002c80)=""/4096, 0x1000}], 0x3}, 0x7}], 0x3, 0x2, &(0x7f0000000c00)={0x0, 0x3938700}) executing program 1: timer_create(0x0, &(0x7f0000000300)={0x0, 0x21, 0x0, @thr={0x0, 0x0}}, &(0x7f0000000100)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, 0x0) clock_nanosleep(0xb, 0x0, &(0x7f0000000000)={0x77359400}, 0xfffffffffffffffe) executing program 1: r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x0, 0x0) ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000002c0)=0x20) mmap$fb(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x2000004, 0x11, r0, 0x6f000) executing program 1: r0 = syz_open_dev$vbi(&(0x7f0000000080), 0x3, 0x2) ioctl$VIDIOC_S_OUTPUT(r0, 0xc004562f, &(0x7f0000000000)=0x1) ioctl$VIDIOC_S_DV_TIMINGS(r0, 0xc0845657, &(0x7f00000002c0)={0x0, @bt={0x2d0, 0x191, 0x1, 0x0, 0xdd9f83, 0x1, 0x2f, 0xf3, 0x2, 0x9, 0x722, 0x6, 0x7, 0x82, 0x27, 0x38, {0x0, 0x6fd8e84b}, 0x3, 0xed}}) executing program 32: r0 = syz_open_dev$vbi(&(0x7f0000000080), 0x3, 0x2) ioctl$VIDIOC_S_OUTPUT(r0, 0xc004562f, &(0x7f0000000000)=0x1) ioctl$VIDIOC_S_DV_TIMINGS(r0, 0xc0845657, &(0x7f00000002c0)={0x0, @bt={0x2d0, 0x191, 0x1, 0x0, 0xdd9f83, 0x1, 0x2f, 0xf3, 0x2, 0x9, 0x722, 0x6, 0x7, 0x82, 0x27, 0x38, {0x0, 0x6fd8e84b}, 0x3, 0xed}}) executing program 2: r0 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_TX_RING(r0, 0x11b, 0x3, &(0x7f0000001780)=0x100000, 0x4) setsockopt$XDP_TX_RING(r0, 0x11b, 0x3, &(0x7f0000000180)=0x2000, 0x4) executing program 2: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff) sendmsg$TIPC_NL_LINK_SET(r0, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000900)={0x38, r1, 0x601, 0x70bd26, 0x25dfdbfb, {}, [@TIPC_NLA_LINK={0x24, 0x4, 0x0, 0x1, [@TIPC_NLA_LINK_NAME={0x13, 0x1, 'broadcast-link\x00'}, @TIPC_NLA_LINK_PROP={0xc, 0x7, 0x0, 0x1, [@TIPC_NLA_PROP_PRIO={0x8, 0x5, 0x18}]}]}]}, 0x38}, 0x1, 0x0, 0x0, 0x20000080}, 0xc000) executing program 2: r0 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0) ioctl$UI_ABS_SETUP(r0, 0x401c5504, 0x0) ioctl$UI_END_FF_UPLOAD(r0, 0x406855c9, 0x0) executing program 2: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0) mount$tmpfs(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f00000000c0), 0x0, 0x0) umount2(&(0x7f00000002c0)='./file0\x00', 0xb) executing program 2: r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x0, 0x51) ioctl$FS_IOC_FSSETXATTR(r0, 0x401c5820, &(0x7f0000000080)={0x8}) link(&(0x7f0000000080)='.\x00', &(0x7f00000000c0)='./file0\x00') executing program 2: r0 = socket(0xa, 0x2, 0x0) setsockopt$inet_int(r0, 0x0, 0x18, &(0x7f0000000080)=0x200, 0x4) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0xc, @empty, 0x7}, 0x1c) executing program 33: r0 = socket(0xa, 0x2, 0x0) setsockopt$inet_int(r0, 0x0, 0x18, &(0x7f0000000080)=0x200, 0x4) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0xc, @empty, 0x7}, 0x1c) executing program 5: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$devlink(&(0x7f0000000180), 0xffffffffffffffff) sendmsg$DEVLINK_CMD_SB_OCC_SNAPSHOT(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x70bd2d, 0x25dfdbff, {}, [{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x40}, 0x80) executing program 5: sendmsg$NFNL_MSG_CTHELPER_NEW(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000100)={0x64, 0x0, 0x9, 0x801, 0x0, 0x0, {}, [@NFCTH_PRIV_DATA_LEN={0x8}, @NFCTH_NAME={0x9, 0x1, 'syz0\x00'}, @NFCTH_TUPLE={0x3c, 0x2, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @mcast1}, {0x14, 0x4, @private1}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}]}, 0x64}}, 0x0) r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10) sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000040)=ANY=[@ANYBLOB="280100002f00010000000000fcdbdf250801f2800c00180008ac0f000010000014000100fc00000000000000000000000000000008004400", @ANYRES32=0x0, @ANYBLOB="d900"], 0x128}], 0x1, 0x0, 0x0, 0x1}, 0x0) executing program 5: r0 = openat$vicodec0(0xffffffffffffff9c, &(0x7f00000004c0), 0x2, 0x0) ioctl$VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f0000000040)={0x201, 0xa, 0x2}) ioctl$VIDIOC_PREPARE_BUF(r0, 0xc058565d, &(0x7f0000000200)=@multiplanar_userptr={0x7, 0xa, 0x4, 0x0, 0xa, {}, {0x5, 0x8, 0xc1, 0x6b, 0x9, 0x2, "84653375"}, 0xffb, 0x2, {0x0}}) executing program 5: r0 = socket$inet6(0xa, 0x2, 0x0) setsockopt$inet6_int(r0, 0x29, 0x21, &(0x7f0000001880)=0x40, 0x4) sendmmsg$inet6(r0, &(0x7f0000000980)=[{{&(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback, 0x40210}, 0x1c, 0x0}}], 0x1, 0x0) executing program 5: r0 = open(&(0x7f0000000300)='.\x00', 0x0, 0x0) ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000001c0)=0x10) mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file2\x00', 0x81c0, 0x0) executing program 5: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000100), r0) sendmsg$NL80211_CMD_DEAUTHENTICATE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000003c0)={0x24, r1, 0xfc5, 0x0, 0x0, {{0x11}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x8, 0x2a, [@perr={0x84, 0xffffffffffffff21}]}]}, 0x24}}, 0x0) executing program 34: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000100), r0) sendmsg$NL80211_CMD_DEAUTHENTICATE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000003c0)={0x24, r1, 0xfc5, 0x0, 0x0, {{0x11}, {@val={0x8}, @void}}, [@NL80211_ATTR_IE={0x8, 0x2a, [@perr={0x84, 0xffffffffffffff21}]}]}, 0x24}}, 0x0) executing program 4: openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x2c040, 0x0) sendmsg$unix(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000002480)=[{0x0}, {0x0}, {0x0}, {0x0}, {0x0}], 0x5, &(0x7f0000000040), 0x27744301c852fef0}, 0x0) setsockopt$inet6_IPV6_ADDRFORM(0xffffffffffffffff, 0x29, 0x1, &(0x7f0000000040), 0x4) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000000000)='nfs4\x00', 0x0, &(0x7f00000001c0)='\x01') executing program 4: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f00000001c0)={@in={{0x2, 0x4e20, @initdev={0xac, 0x1e, 0x1, 0x0}}}, 0x0, 0x0, 0xb, 0x0, "f4bccf586b5f3b0e7b6c155aed1116bd4c34dae2782f0a8869abaf184ee6e562296395ad1f3287225c0c16903aa0c87ae17b13685a5fed65569153bdfc1e39a8ba4809e40d4bf5f3280656e4fa99b739"}, 0xd8) setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in={{0x2, 0x4e22, @multicast2}}, 0x0, 0x0, 0xb, 0x0, "f6a7346a1ca3caf66200f0e70b995efa20d5ddc09c0bc0c88e00bdea5e6998967d569964c8b68dae57dea91c0e3ef03a96483bcaaa5ab222d1993083e8e3619fbbff30da0288a8b78a3f921c40fdc06a"}, 0xd8) setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000400)={@in={{0x2, 0x4e20, @multicast2}}, 0x0, 0x0, 0x0, 0x0, "698e86252c563a2eb894ac1de863c527984bfa5ff139aeeef086eed112e6f0ffba88c7d0888990f99dc2416c1cbccf99d18464a65c3587c97aee9217b992893cebfc606ada5e14e782e63da22a6fe97d"}, 0xd8) executing program 4: r0 = socket$inet6(0xa, 0x2, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000000280)={@mcast2, 0x800, 0x0, 0x103, 0x1}, 0x20) setsockopt$inet6_int(r0, 0x29, 0x1000000000021, &(0x7f0000000040)=0x5, 0x4) sendmsg$inet6(r0, &(0x7f0000000140)={&(0x7f0000000080)={0xa, 0x4e26, 0x80000, @mcast2}, 0x1c, 0x0, 0x0, &(0x7f0000002300)=[@hopopts_2292={{0x18, 0x29, 0x36, {0x2b}}}, @hopopts={{0x18, 0x29, 0x3b, {0x85}}}], 0x30}, 0x810) executing program 4: r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x0, 0x0) ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000002c0)=0x20) mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x0) rename(&(0x7f0000000280)='./file0\x00', &(0x7f0000000300)='./file1\x00') executing program 4: r0 = socket$nl_generic(0x10, 0x3, 0x10) socket(0x1e, 0x805, 0x0) r1 = syz_genetlink_get_family_id$tipc(&(0x7f0000001600), 0xffffffffffffffff) sendmsg$TIPC_CMD_SHOW_PORTS(r0, &(0x7f00000016c0)={0x0, 0x0, &(0x7f0000001680)={&(0x7f0000001640)={0x1c, r1, 0x1}, 0x1c}}, 0x0) executing program 4: r0 = socket$inet6(0xa, 0x800000000000002, 0x0) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0xfc, 0x0}, 0x2}, 0x1c) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20, 0x0, @ipv4={'\x00', '\xff\xff', @loopback}}, 0x1c) connect$inet6(r0, &(0x7f0000000680)={0xa, 0x4e20, 0xe, @ipv4={'\x00', '\xff\xff', @private=0xa010101}, 0x7}, 0x1c) executing program 35: r0 = socket$inet6(0xa, 0x800000000000002, 0x0) connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0xfc, 0x0}, 0x2}, 0x1c) connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20, 0x0, @ipv4={'\x00', '\xff\xff', @loopback}}, 0x1c) connect$inet6(r0, &(0x7f0000000680)={0xa, 0x4e20, 0xe, @ipv4={'\x00', '\xff\xff', @private=0xa010101}, 0x7}, 0x1c) executing program 0: mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz0\x00', 0x1ff) r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r1 = openat$cgroup_int(r0, &(0x7f0000000080)='cgroup.clone_children\x00', 0x2, 0x0) sendfile(r1, r1, 0x0, 0x100000000) executing program 0: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000300), 0x382, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000080)=0xf) ioctl$TCFLSH(r0, 0x400455c8, 0x0) ioctl$TCFLSH(r0, 0x800455ca, 0x2) executing program 3: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000100), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000008c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_NEW_INTERFACE(r0, &(0x7f00000004c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)={0x4c, r1, 0x1, 0xfffffffc, 0x25dfdbfc, {{}, {@void, @val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFNAME={0x14, 0x4, 'nicvf0\x00'}, @NL80211_ATTR_IFTYPE={0x8, 0x5, 0x6}, @mon_options=[@NL80211_ATTR_MNTR_FLAGS={0x8, 0x17, 0x0, 0x1, [@NL80211_MNTR_FLAG_FCSFAIL={0x4}]}, @NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR={0xa}]]}, 0x4c}, 0x1, 0x0, 0x0, 0x800}, 0x0) executing program 3: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0xf, &(0x7f0000000100)=0x207, 0x4) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'gretap0\x00', 0x0}) sendto$packet(r0, &(0x7f00000002c0)="05031600d3fc140000004788031c09103c28", 0xfce0, 0x4, &(0x7f0000000140)={0x11, 0x86dd, r1, 0x1, 0x0, 0x6, @multicast}, 0x14) executing program 3: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2002, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1) ioctl$KVM_SET_MSRS(r2, 0x4008ae89, &(0x7f0000000100)={0x1, 0x0, [{0x4b564d00}]}) executing program 3: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nfc(&(0x7f0000000bc0), r0) sendmsg$NFC_CMD_DEP_LINK_UP(r0, &(0x7f0000000dc0)={0x0, 0x0, &(0x7f0000000d80)={&(0x7f0000000d00)={0x2c, r1, 0x1, 0x70bd26, 0x25dfdbfd, {}, [@NFC_ATTR_TARGET_INDEX={0x8, 0x4, 0x1}, @NFC_ATTR_DEVICE_INDEX={0x8}, @NFC_ATTR_COMM_MODE={0x5, 0xa, 0x1}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20000881}, 0x4000) syz_genetlink_get_family_id$netlbl_cipso(0x0, 0xffffffffffffffff) executing program 3: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="140000001000010000000000000000000500000a28000000000a030000000000000000000a00000708000240000000020900010073797a31000000002c000000030a010100000000000000000a0000070900010073797a31000000000900030073797a320000000014000000110001"], 0x7c}, 0x1, 0x0, 0x0, 0x4000}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={&(0x7f0000000380)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x5}}, [@NFT_MSG_NEWSET={0x44, 0x9, 0xa, 0x401, 0x0, 0x0, {0xa, 0x0, 0x4}, [@NFTA_SET_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x2}, @NFTA_SET_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_ID={0x8}, @NFTA_SET_FLAGS={0x8, 0x3, 0x1, 0x0, 0x4}]}, @NFT_MSG_NEWSETELEM={0x40, 0xc, 0xa, 0x5, 0x0, 0x0, {0xa, 0x0, 0x6}, [@NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_ELEMENTS={0x14, 0x3, 0x0, 0x1, [{0x10, 0x0, 0x0, 0x1, [@NFTA_SET_ELEM_KEY={0xc, 0x1, 0x0, 0x1, [@NFTA_DATA_VALUE={0x6, 0x1, '\x00\x00'}]}]}]}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x1}}}, 0xac}, 0x1, 0x0, 0x0, 0x4000850}, 0x40) sendmsg$NFT_BATCH(r0, &(0x7f0000009b40)={0x0, 0x0, &(0x7f0000009b00)={&(0x7f0000000440)=ANY=[@ANYBLOB="140000001000010000000000000000000500000a4c000000090a010400000000000000000a0000040900010073797a310000000008000540000000020900020073797a310000000008000a40fffffffc080003400000001408000c4000000e45400000000c0a010100000000000000000a0000060900020073797a31000000000900010073797a310000000014000380100000800c000180060001"], 0xb4}, 0x1, 0x0, 0x0, 0x4000850}, 0x40) executing program 3: ioctl$SNDRV_CTL_IOCTL_ELEM_UNLOCK(0xffffffffffffffff, 0x40405515, &(0x7f0000000040)={0x9, 0x5, 0x128c, 0x1, 'syz0\x00', 0x1}) r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000413f5f201d0650c16fce0102030109021b00010000100009043300011870f500090582020002"], 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0xa8, &(0x7f0000000040)=ANY=[@ANYBLOB="6b0ee0b3d41b1b"]) executing program 6: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='blkio.bfq.group_wait_time\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x88fd537e5c114b6e, 0x11, r0, 0x0) r1 = socket(0x2b, 0x80801, 0x1) setsockopt$inet6_tcp_int(r1, 0x11e, 0x1, &(0x7f0000000280)=0x400, 0x4) executing program 6: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x83, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_TPR_ACCESS_REPORTING(r2, 0xc028ae92, &(0x7f0000000140)={0x7}) executing program 6: sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={0x0, 0xfffffffffffffd2a}, 0x1, 0x0, 0x0, 0x4008005}, 0x4048080) ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'}) r0 = socket$nl_route(0x10, 0x3, 0x0) ioctl(r0, 0x8b28, &(0x7f0000000040)) executing program 0: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000100)=0xd) r1 = socket(0x40000000015, 0x805, 0x0) ppoll(&(0x7f0000000200)=[{r0, 0x420a}, {r1, 0x6328}], 0x2, 0x0, 0x0, 0x0) executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.numa_stat\x00', 0x26e1, 0x0) close(r0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)) ioctl$SIOCSIFHWADDR(r0, 0x8b0b, &(0x7f0000000000)={'wlan1\x00', @random='\x00\x00 \x00'}) executing program 6: mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000040), 0x42, 0x0) mount$fuse(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000002100), 0x280449c, &(0x7f0000002140)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x4000}}) write$FUSE_NOTIFY_DELETE(r0, &(0x7f0000000080)={0x2a, 0x6, 0x0, {0x1, 0x200000000004, 0x1, 0x2, '\x00', 0x8}}, 0x2a) executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x28100, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_CAP_HYPERV_ENLIGHTENED_VMCS(r2, 0x4068aea3, &(0x7f0000000000)={0xa3, 0x0, 0xfffffffffffffffe}) executing program 6: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x28100, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_GET_NESTED_STATE(r2, 0xc080aebe, 0x0) executing program 7: socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000002c0)={0xffffffffffffffff}) r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r1, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'rfc4543(gcm(aes))\x00'}, 0x58) close_range(r0, 0xffffffffffffffff, 0x0) executing program 0: mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x8031, 0xffffffffffffffff, 0x6a855000) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x15) mincore(&(0x7f0000000000/0x800000)=nil, 0x800000, &(0x7f0000000000)=""/188) executing program 6: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) executing program 7: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000540), 0x81400, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_CAP_VM_DISABLE_NX_HUGE_PAGES(r1, 0x4068aea3, &(0x7f0000000000)) program did not crash replaying the whole log did not cause a kernel crash single: executing 1 programs separately with timeout 1m40s testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program crashed: general protection fault in do_dentry_open single: successfully extracted reproducer found reproducer with 4 syscalls minimizing guilty program testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, 0x0, 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, 0x0, 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, 0x0, &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', 0x0, 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, 0x0) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(0x0, 0x551083, 0x28) program did not crash extracting C reproducer testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open simplifying C reproducer testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open program crashed: general protection fault in do_dentry_open testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program crashed: general protection fault in do_dentry_open validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program crashed: general protection fault in do_dentry_open validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mkdirat-mount$overlay-open detailed listing: executing program 0: mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0xc1) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000200), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) open(&(0x7f0000000040)='./file0\x00', 0x551083, 0x28) program crashed: general protection fault in do_dentry_open validation run: crashed=true reproducing took 47m4.393943726s repro crashed as (corrupted=false): Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 0 UID: 0 PID: 6035 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 RIP: 0010:do_dentry_open+0xaf/0x14e0 fs/open.c:896 Code: 44 24 28 80 3c 28 00 74 08 4c 89 ff e8 fa 5e ef ff 4c 89 7c 24 20 4d 89 27 4d 8d 7c 24 30 4c 89 f8 48 c1 e8 03 48 89 44 24 58 <80> 3c 28 00 74 08 4c 89 ff e8 e3 5d ef ff 4c 89 7c 24 60 4d 8b 3f RSP: 0018:ffffc900037d7638 EFLAGS: 00010206 RAX: 0000000000000006 RBX: ffff88807217db60 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff RBP: dffffc0000000000 R08: ffff88807b54d9b3 R09: 1ffff1100f6a9b36 R10: dffffc0000000000 R11: ffffed100f6a9b37 R12: 0000000000000000 R13: 1ffff1100e42fb7d R14: ffff88807217dbe8 R15: 0000000000000030 FS: 00005555907f6500(0000) GS:ffff888124de1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000000772e8000 CR4: 00000000003526f0 Call Trace: vfs_open+0x3b/0x340 fs/open.c:1081 backing_file_open_user_path+0x24/0x50 fs/file_table.c:73 backing_tmpfile_open+0x9b/0xf0 fs/backing-file.c:71 ovl_create_tmpfile fs/overlayfs/dir.c:1392 [inline] ovl_tmpfile+0x400/0x810 fs/overlayfs/dir.c:1449 vfs_tmpfile+0x3ff/0x890 fs/namei.c:4744 do_tmpfile+0xd3/0x240 fs/namei.c:4809 path_openat+0x300d/0x3860 fs/namei.c:4843 do_file_open+0x23e/0x4a0 fs/namei.c:4881 do_sys_openat2+0x113/0x200 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_open fs/open.c:1380 [inline] __se_sys_open fs/open.c:1376 [inline] __x64_sys_open+0x11e/0x150 fs/open.c:1376 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff99279c799 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff78638ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00007ff992a15fa0 RCX: 00007ff99279c799 RDX: 0000000000000028 RSI: 0000000000551083 RDI: 0000200000000040 RBP: 00007ff992832c99 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ff992a15fac R14: 00007ff992a15fa0 R15: 00007ff992a15fa0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:do_dentry_open+0xaf/0x14e0 fs/open.c:896 Code: 44 24 28 80 3c 28 00 74 08 4c 89 ff e8 fa 5e ef ff 4c 89 7c 24 20 4d 89 27 4d 8d 7c 24 30 4c 89 f8 48 c1 e8 03 48 89 44 24 58 <80> 3c 28 00 74 08 4c 89 ff e8 e3 5d ef ff 4c 89 7c 24 60 4d 8b 3f RSP: 0018:ffffc900037d7638 EFLAGS: 00010206 RAX: 0000000000000006 RBX: ffff88807217db60 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff RBP: dffffc0000000000 R08: ffff88807b54d9b3 R09: 1ffff1100f6a9b36 R10: dffffc0000000000 R11: ffffed100f6a9b37 R12: 0000000000000000 R13: 1ffff1100e42fb7d R14: ffff88807217dbe8 R15: 0000000000000030 FS: 00005555907f6500(0000) GS:ffff888124de1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000000772e8000 CR4: 00000000003526f0 ---------------- Code disassembly (best guess): 0: 44 24 28 rex.R and $0x28,%al 3: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) 7: 74 08 je 0x11 9: 4c 89 ff mov %r15,%rdi c: e8 fa 5e ef ff call 0xffef5f0b 11: 4c 89 7c 24 20 mov %r15,0x20(%rsp) 16: 4d 89 27 mov %r12,(%r15) 19: 4d 8d 7c 24 30 lea 0x30(%r12),%r15 1e: 4c 89 f8 mov %r15,%rax 21: 48 c1 e8 03 shr $0x3,%rax 25: 48 89 44 24 58 mov %rax,0x58(%rsp) * 2a: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) <-- trapping instruction 2e: 74 08 je 0x38 30: 4c 89 ff mov %r15,%rdi 33: e8 e3 5d ef ff call 0xffef5e1b 38: 4c 89 7c 24 60 mov %r15,0x60(%rsp) 3d: 4d 8b 3f mov (%r15),%r15 final repro crashed as (corrupted=false): Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 0 UID: 0 PID: 6035 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 RIP: 0010:do_dentry_open+0xaf/0x14e0 fs/open.c:896 Code: 44 24 28 80 3c 28 00 74 08 4c 89 ff e8 fa 5e ef ff 4c 89 7c 24 20 4d 89 27 4d 8d 7c 24 30 4c 89 f8 48 c1 e8 03 48 89 44 24 58 <80> 3c 28 00 74 08 4c 89 ff e8 e3 5d ef ff 4c 89 7c 24 60 4d 8b 3f RSP: 0018:ffffc900037d7638 EFLAGS: 00010206 RAX: 0000000000000006 RBX: ffff88807217db60 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff RBP: dffffc0000000000 R08: ffff88807b54d9b3 R09: 1ffff1100f6a9b36 R10: dffffc0000000000 R11: ffffed100f6a9b37 R12: 0000000000000000 R13: 1ffff1100e42fb7d R14: ffff88807217dbe8 R15: 0000000000000030 FS: 00005555907f6500(0000) GS:ffff888124de1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000000772e8000 CR4: 00000000003526f0 Call Trace: vfs_open+0x3b/0x340 fs/open.c:1081 backing_file_open_user_path+0x24/0x50 fs/file_table.c:73 backing_tmpfile_open+0x9b/0xf0 fs/backing-file.c:71 ovl_create_tmpfile fs/overlayfs/dir.c:1392 [inline] ovl_tmpfile+0x400/0x810 fs/overlayfs/dir.c:1449 vfs_tmpfile+0x3ff/0x890 fs/namei.c:4744 do_tmpfile+0xd3/0x240 fs/namei.c:4809 path_openat+0x300d/0x3860 fs/namei.c:4843 do_file_open+0x23e/0x4a0 fs/namei.c:4881 do_sys_openat2+0x113/0x200 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_open fs/open.c:1380 [inline] __se_sys_open fs/open.c:1376 [inline] __x64_sys_open+0x11e/0x150 fs/open.c:1376 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff99279c799 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff78638ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00007ff992a15fa0 RCX: 00007ff99279c799 RDX: 0000000000000028 RSI: 0000000000551083 RDI: 0000200000000040 RBP: 00007ff992832c99 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ff992a15fac R14: 00007ff992a15fa0 R15: 00007ff992a15fa0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:do_dentry_open+0xaf/0x14e0 fs/open.c:896 Code: 44 24 28 80 3c 28 00 74 08 4c 89 ff e8 fa 5e ef ff 4c 89 7c 24 20 4d 89 27 4d 8d 7c 24 30 4c 89 f8 48 c1 e8 03 48 89 44 24 58 <80> 3c 28 00 74 08 4c 89 ff e8 e3 5d ef ff 4c 89 7c 24 60 4d 8b 3f RSP: 0018:ffffc900037d7638 EFLAGS: 00010206 RAX: 0000000000000006 RBX: ffff88807217db60 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff RBP: dffffc0000000000 R08: ffff88807b54d9b3 R09: 1ffff1100f6a9b36 R10: dffffc0000000000 R11: ffffed100f6a9b37 R12: 0000000000000000 R13: 1ffff1100e42fb7d R14: ffff88807217dbe8 R15: 0000000000000030 FS: 00005555907f6500(0000) GS:ffff888124de1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000001000 CR3: 00000000772e8000 CR4: 00000000003526f0 ---------------- Code disassembly (best guess): 0: 44 24 28 rex.R and $0x28,%al 3: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) 7: 74 08 je 0x11 9: 4c 89 ff mov %r15,%rdi c: e8 fa 5e ef ff call 0xffef5f0b 11: 4c 89 7c 24 20 mov %r15,0x20(%rsp) 16: 4d 89 27 mov %r12,(%r15) 19: 4d 8d 7c 24 30 lea 0x30(%r12),%r15 1e: 4c 89 f8 mov %r15,%rax 21: 48 c1 e8 03 shr $0x3,%rax 25: 48 89 44 24 58 mov %rax,0x58(%rsp) * 2a: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) <-- trapping instruction 2e: 74 08 je 0x38 30: 4c 89 ff mov %r15,%rdi 33: e8 e3 5d ef ff call 0xffef5e1b 38: 4c 89 7c 24 60 mov %r15,0x60(%rsp) 3d: 4d 8b 3f mov (%r15),%r15