last executing test programs: 7m17.424594609s ago: executing program 0 (id=857): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) (async) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000), 0x2002, 0x0) ioctl$SNDCTL_DSP_SETFMT(r1, 0xc0045005, &(0x7f0000001180)=0x2000000) (async, rerun: 64) mmap$dsp(&(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x3, 0x4000010, r1, 0x0) (async, rerun: 64) ioctl$SNDCTL_DSP_GETOPTR(r1, 0x5008, 0x0) (async, rerun: 32) r2 = socket$inet6_sctp(0xa, 0x5, 0x84) (rerun: 32) setsockopt(r2, 0x84, 0x7f, &(0x7f0000000040)="02007f000980ffff", 0x8) ioctl$SNDCTL_DSP_SYNC(r1, 0x5001, 0x0) (async, rerun: 32) ioctl$SNDCTL_DSP_GETOSPACE(r1, 0x8010500c, &(0x7f00000000c0)) (async, rerun: 32) r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) (async) syz_init_net_socket$x25(0x9, 0x5, 0x0) (async) r4 = socket(0x10, 0x803, 0x0) sendto(r4, &(0x7f0000000740)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0) (async) recvmmsg(r4, &(0x7f0000009800)=[{{0x0, 0x0, 0x0}, 0x4}, {{0x0, 0x0, 0x0}, 0x9}, {{0x0, 0x0, &(0x7f0000000880)=[{&(0x7f0000003740)=""/4111, 0x100f}, {&(0x7f0000001500)=""/201, 0xc9}, {&(0x7f00000032c0)=""/246, 0xf6}, {&(0x7f0000001240)=""/235, 0xeb}, {&(0x7f0000000400)=""/76, 0x4c}, {&(0x7f00000013c0)=""/268, 0x10c}, {&(0x7f0000001180)=""/151, 0x97}, {&(0x7f0000001000)=""/83, 0x53}, {&(0x7f0000001080)=""/130, 0x82}], 0x9}, 0x81}], 0x3, 0x40002100, 0x0) unshare(0x22020600) (async) r5 = syz_socket_connect_nvme_tcp() ioctl$sock_ifreq(r5, 0x8934, &(0x7f0000000080)={'veth0\x00', @ifru_names='lo\x00'}) (async) ioctl$KVM_SET_IRQCHIP(r3, 0x4048aec9, &(0x7f0000000380)={0x3, 0x0, @ioapic={0x2, 0x2, 0x101, 0x5, 0x0, [{0xd, 0x9, 0x6, '\x00', 0x1}, {0x6, 0x2, 0x26, '\x00', 0xfc}, {0x2, 0xef, 0xd, '\x00', 0xee}, {0xfb, 0x7, 0xd}, {0x13, 0x9, 0x2, '\x00', 0x62}, {0x0, 0x3, 0x2, '\x00', 0xd3}, {0xf, 0x0, 0x8, '\x00', 0x4}, {0x9, 0xdb, 0x1}, {0x81, 0x23, 0x5, '\x00', 0x2}, {0xde, 0x20, 0x3}, {0x40, 0x4, 0xf8, '\x00', 0x1}, {0xf5, 0x5, 0x4, '\x00', 0xb5}, {0x7, 0x3, 0x2b, '\x00', 0x6}, {0x4, 0x0, 0x0, '\x00', 0xe9}, {0x10, 0x39, 0x40, '\x00', 0xcf}, {0x6c, 0x3f, 0x0, '\x00', 0x72}, {0x6e, 0x4, 0x4, '\x00', 0xe}, {0x7, 0x2, 0x8, '\x00', 0x7}, {0xf, 0x7, 0x5}, {0x1, 0x6, 0x9}, {0x4, 0x6, 0x1, '\x00', 0x49}, {0xee, 0x2, 0x91, '\x00', 0xba}, {0x2, 0x8, 0x2, '\x00', 0xc3}, {0x8, 0x9, 0x54, '\x00', 0x9}]}}) (async, rerun: 32) r6 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000040), 0x28200, 0x0) (rerun: 32) personality(0x5400004) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x5) (async) ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000340)) (async) mmap(&(0x7f0000787000/0x4000)=nil, 0x4000, 0xb, 0x202812, r6, 0x7dfff000) 7m16.702237636s ago: executing program 0 (id=858): r0 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000340), 0xffffffffffffffff) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$TIPC_NL_BEARER_GET(r1, &(0x7f0000000ac0)={0x0, 0x0, &(0x7f0000000a80)={&(0x7f0000000940)={0x14, r0, 0x705, 0x70bd23, 0x25dfdbfd}, 0x14}, 0x1, 0x0, 0x0, 0x20004000}, 0x4000) (fail_nth: 8) 7m16.570403579s ago: executing program 0 (id=861): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_START_AP(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000380)={0x70, r1, 0x5, 0x0, 0x300, {{}, {@val={0x8, 0x3, r2}, @void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={0x41, 0xe, {{{}, {0x300}, @broadcast, @device_a, @from_mac=@broadcast}, 0x0, @random=0x7, 0x1, @void, @void, @void, @val={0x4, 0x6, {0xf0, 0x2, 0x7f, 0xa706}}, @val={0x6, 0x2, 0x6}, @void, @val={0x25, 0x3, {0x1, 0x8c, 0x8}}, @void, @void, @void, @val={0x72, 0x6}, @void, @void}}], @NL80211_ATTR_BEACON_INTERVAL={0x8}, @NL80211_ATTR_DTIM_PERIOD={0x8}]}, 0x70}, 0x1, 0x0, 0x0, 0x20004090}, 0x0) 7m16.43498934s ago: executing program 0 (id=862): r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000940)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f00000001c0)="d8000000180081054e81f782db44b904021d005c06007c09e8fe55a10a0015400100142603600e1208000b0000000401a80016000800014009001100036010fab94dcf5c0461c1d67f6f94007134cf6ee08000a0e408e8d8ef52a98516277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee4ce1b14d6d930dfe1d9d322fe7c9f8775730d16a4683f5aeb4edbb57a5025ccca9e00360d070100000040", 0xa2}], 0x1}, 0x0) mount$9p_fd(0x0, &(0x7f00000001c0)='.\x00', 0x0, 0x0, 0x0) sendmmsg$inet(r0, &(0x7f0000005200)=[{{0x0, 0x4b, &(0x7f0000000000), 0x1}, 0xa000000}], 0x1, 0x0) 7m16.312113794s ago: executing program 0 (id=863): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0xa00, 0x0) r1 = socket$inet_icmp(0x2, 0x2, 0x1) setsockopt$inet_MCAST_MSFILTER(r1, 0x0, 0x30, &(0x7f00000000c0)=ANY=[@ANYBLOB="040000000000000002004e237f0000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002"], 0x190) r2 = open(&(0x7f0000000300)='.\x00', 0x0, 0x0) r3 = socket(0x28, 0x5, 0x0) connect$vsock_stream(r3, &(0x7f0000000080)={0x28, 0x0, 0x0, @my=0x0}, 0x10) ioctl$FS_IOC_SETFLAGS(r2, 0x40086602, &(0x7f00000001c0)=0x10) stat(&(0x7f0000000040)='./file2/file0\x00', &(0x7f0000000200)) mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file2\x00', 0x81c0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x12, r0, 0x45809000) r4 = socket$inet_tcp(0x2, 0x1, 0x0) sendto$inet(r4, &(0x7f0000000000)="6117444200000000", 0x8, 0x24020804, &(0x7f0000000140)={0x2, 0x4e24, @multicast2}, 0x10) syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0) 7m15.648768009s ago: executing program 0 (id=866): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_START_AP(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000380)={0x70, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={0x41, 0xe, {{{}, {0x300}, @broadcast, @device_a, @from_mac=@broadcast}, 0x0, @random=0x7, 0x1, @void, @void, @void, @val={0x4, 0x6, {0xf0, 0x2, 0x7f, 0xa706}}, @val={0x6, 0x2, 0x6}, @void, @val={0x25, 0x3, {0x1, 0x8c, 0x8}}, @void, @void, @void, @val={0x72, 0x6}, @void, @void}}], @NL80211_ATTR_BEACON_INTERVAL={0x8}, @NL80211_ATTR_DTIM_PERIOD={0x8}]}, 0x70}, 0x1, 0x0, 0x0, 0x20004090}, 0x0) (fail_nth: 9) 7m0.279532363s ago: executing program 32 (id=866): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_START_AP(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000380)={0x70, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={0x41, 0xe, {{{}, {0x300}, @broadcast, @device_a, @from_mac=@broadcast}, 0x0, @random=0x7, 0x1, @void, @void, @void, @val={0x4, 0x6, {0xf0, 0x2, 0x7f, 0xa706}}, @val={0x6, 0x2, 0x6}, @void, @val={0x25, 0x3, {0x1, 0x8c, 0x8}}, @void, @void, @void, @val={0x72, 0x6}, @void, @void}}], @NL80211_ATTR_BEACON_INTERVAL={0x8}, @NL80211_ATTR_DTIM_PERIOD={0x8}]}, 0x70}, 0x1, 0x0, 0x0, 0x20004090}, 0x0) (fail_nth: 9) 4.862108637s ago: executing program 2 (id=3636): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$devlink(&(0x7f0000000180), 0xffffffffffffffff) sendmsg$DEVLINK_CMD_SB_OCC_SNAPSHOT(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x70bd2d, 0x25dfdbff, {}, [{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x40}, 0x80) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xf, 0x4008031, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x2000000000000000, 0x2) r2 = socket$qrtr(0x2a, 0x2, 0x0) connect$qrtr(r2, &(0x7f0000000000)={0x2a, 0x1, 0x2}, 0xc) writev(r2, &(0x7f0000000b00)=[{&(0x7f00000003c0)='l', 0x1}], 0x1) r3 = socket$alg(0x26, 0x5, 0x0) bind$alg(r3, &(0x7f0000000140)={0x26, 'hash\x00', 0x0, 0x0, 'crc32c\x00'}, 0x58) accept4(r3, 0x0, 0x0, 0x0) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x18) r4 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi0\x00', 0x18281, 0x0) ioctl$COMEDI_DEVCONFIG(r4, 0x40946400, &(0x7f0000000180)={'pcl711\x00', [0x4, 0x9, 0x8, 0xfffffffb, 0x1000, 0x104, 0x6623, 0x6, 0xb, 0x0, 0xfffffffa, 0x2, 0xfffffffe, 0x8, 0x6, 0x7, 0xfffffffd, 0x7, 0x4, 0xa261, 0x10, 0x2, 0x9, 0x9, 0x5, 0x4, 0x1, 0xc005, 0x59, 0x7, 0x2000004]}) 3.506325203s ago: executing program 2 (id=3646): clock_gettime(0x0, &(0x7f00000000c0)={0x0, 0x0}) pselect6(0xfffffffffffffec0, 0x0, 0x0, 0x0, &(0x7f0000000080)={r0, r1+60000000}, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r2 = syz_open_dev$evdev(0x0, 0x2, 0x862b01) ioctl$EVIOCSFF(0xffffffffffffffff, 0x40304580, &(0x7f0000000480)={0x0, 0x0, 0x0, {0x0, 0x1}, {0x3a, 0x2}}) write$char_usb(r2, &(0x7f0000000040)="e2", 0x2250) 3.460630074s ago: executing program 2 (id=3647): r0 = socket(0x10, 0x3, 0x0) write(r0, &(0x7f0000000000)="2400000011005f0414f9f4070009040081000000200000000081000008000f0001000000", 0x24) 2.898437425s ago: executing program 2 (id=3649): r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000100), 0x80000, 0x0) mmap(&(0x7f0000173000/0x2000)=nil, 0x2000, 0x2000002, 0x19812, r0, 0x45809000) mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff) mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2) mprotect(&(0x7f000021f000/0x4000)=nil, 0x4000, 0x4) mremap(&(0x7f0000b50000/0x2000)=nil, 0x2000, 0x1000, 0x0, &(0x7f0000ffe000/0x1000)=nil) mlock2(&(0x7f00002e5000/0xc00000)=nil, 0xc00000, 0x0) 2.755535446s ago: executing program 3 (id=3650): mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x2) r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r1 = openat$cgroup_subtree(r0, &(0x7f0000000080), 0x2, 0x0) r2 = dup(r1) read$FUSE(r2, &(0x7f0000002240)={0x2020}, 0x2020) 2.660081191s ago: executing program 3 (id=3651): mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x2) r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r1 = openat$cgroup_subtree(r0, &(0x7f0000000080), 0x2, 0x0) r2 = dup(r1) read$FUSE(r2, &(0x7f0000002240)={0x2020}, 0x2020) (fail_nth: 1) 2.270389926s ago: executing program 1 (id=3652): r0 = creat(&(0x7f0000001380)='./file0\x00', 0x4) mount(&(0x7f0000001400)=@rnullb, &(0x7f0000001440)='./file0\x00', &(0x7f0000001480)='qnx4\x00', 0x0, 0x0) ioctl$KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2(r0, 0x4068aea3, &(0x7f0000000000)={0xa8, 0x0, 0x1}) 2.248585763s ago: executing program 3 (id=3653): syz_open_dev$vim2m(0x0, 0x2, 0x2) writev(0xffffffffffffffff, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f00000007c0)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) openat$kvm(0xffffffffffffff9c, 0x0, 0x5e9c41, 0x0) pipe(&(0x7f0000000400)={0xffffffffffffffff, 0xffffffffffffffff}) vmsplice(r1, &(0x7f00000000c0)=[{&(0x7f0000000180)="77690addcfbe1fbb66ec", 0xff3b}], 0x1, 0x1) close(r1) r2 = socket$inet(0x2, 0x4000000000000001, 0x0) setsockopt$inet_tcp_TCP_MD5SIG(r2, 0x6, 0xe, &(0x7f0000000480)={@in={{0x2, 0x4e23, @loopback}}, 0x0, 0x20000000005, 0x21}, 0xd8) bind$inet(r2, &(0x7f0000deb000)={0x2, 0x4e23, @multicast2}, 0x10) sendto$inet(r2, 0x0, 0x0, 0x240087f9, &(0x7f0000000100)={0x2, 0x4e23, @loopback}, 0x10) splice(r0, 0x0, r1, 0x0, 0xfffd, 0x10000000000000) 2.184211187s ago: executing program 1 (id=3654): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_START_AP(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000380)={0x70, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={0x41, 0xe, {{{}, {}, @broadcast, @device_a, @from_mac=@broadcast}, 0x0, @random=0x7, 0x1, @void, @void, @void, @val={0x4, 0x6, {0xf0, 0x2, 0x7f, 0xa706}}, @val={0x6, 0x2, 0x6}, @void, @val={0x25, 0x3, {0x1, 0x8c, 0x8}}, @void, @void, @void, @val={0x72, 0x6}, @void, @void}}], @NL80211_ATTR_BEACON_INTERVAL={0x8}, @NL80211_ATTR_DTIM_PERIOD={0x8}]}, 0x70}, 0x1, 0x300, 0x0, 0x20004090}, 0x0) 1.99034887s ago: executing program 1 (id=3655): clock_gettime(0x0, &(0x7f00000000c0)={0x0, 0x0}) pselect6(0xfffffffffffffec0, 0x0, 0x0, 0x0, &(0x7f0000000080)={r0, r1+60000000}, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r2 = syz_open_dev$evdev(0x0, 0x2, 0x862b01) ioctl$EVIOCSFF(0xffffffffffffffff, 0x40304580, &(0x7f0000000480)={0x0, 0x0, 0x0, {0x0, 0x1}, {0x3a, 0x2}}) write$char_usb(r2, &(0x7f0000000040)="e2", 0x2250) 1.989724714s ago: executing program 2 (id=3656): r0 = syz_open_dev$vim2m(&(0x7f0000000280), 0x800000000020001, 0x2) ioctl$vim2m_VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f00000000c0)={0xcc93, 0x0, 0x3, 0x0, 0x1}) ioctl$vim2m_VIDIOC_STREAMOFF(r0, 0x40045612, &(0x7f0000000000)=0x1) close(r0) (async) close(r0) syz_usb_connect(0x0, 0x6b, &(0x7f0000000c80)=ANY=[@ANYBLOB="1201000385352608f20446b76e8e01020301090259000104e9000909049300000e0100ff0a240102000502010209240703040001a5301124060604050800040005000600f4ff040924030506030501f909240702020005cbad0924030601010303de0924040003030306"], &(0x7f0000001240)={0x0, 0x0, 0x0, 0x0}) mount(&(0x7f00000001c0)=@rnullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000240)='udf\x00', 0x0, 0x0) (async) mount(&(0x7f00000001c0)=@rnullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000240)='udf\x00', 0x0, 0x0) r1 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f0000000140)={0xc, 0x0, 0x0}) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) (async) r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$netlbl_cipso(&(0x7f00000002c0), r3) sendmsg$NLBL_CIPSOV4_C_ADD(r3, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000003c0)=ANY=[@ANYBLOB="3800000014d6035798858526f932535ab29a8157a145279b2ecc67b50d0fd18656b72e93d08b3de568c0bfa9e36c48d748a59ce21ff3c58db003682e267a5497a0c91d8917033a2924fb704b356259198ae57dc6485e1c6ef6f512c5012c0a6f915ea2b1f46e973ed9105383cb0e3aed34790cf05c0fb17add7bfc3e9c1a29458030a2bc1dfcf0717587a2bab33e51b324f2e5d85e334cf93610eae6b2d66e35fb51ab6409d61e5f2ea86883770c3df16159a34a64cbb1c2d06e5533c723fa09be2a6294feac", @ANYRES16=r4, @ANYBLOB="0100feffffff0000000001000000080001000300000014000480050003000100000005000300020000000800020003000000"], 0x38}}, 0x0) ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r1, 0x3ba0, &(0x7f0000000340)={0xfffffffffffffdbd}) (async) ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r1, 0x3ba0, &(0x7f0000000340)={0xfffffffffffffdbd}) ioctl$IOMMU_IOAS_MAP$PAGES(r1, 0x3b85, &(0x7f0000000180)={0x28, 0x7, r2, 0x0, &(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x9}) (async) ioctl$IOMMU_IOAS_MAP$PAGES(r1, 0x3b85, &(0x7f0000000180)={0x28, 0x7, r2, 0x0, &(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x9}) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000000)=0x0) prctl$PR_SCHED_CORE(0x3e, 0x3, r5, 0x3, &(0x7f0000000080)) 1.945368377s ago: executing program 1 (id=3657): r0 = socket(0xb, 0xa180275649fd2239, 0x3a) sendmmsg(r0, 0x0, 0x0, 0x40810) creat(&(0x7f0000001380)='./file0\x00', 0x4) socket$inet_tcp(0x2, 0x1, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000140)='./file1\x00', 0x0) r1 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r2 = syz_usb_connect(0x0, 0x3f, &(0x7f00000002c0)=ANY=[@ANYBLOB="12010000d0918108ac051582588f0000000109022d0001000000000904"], 0x0) syz_usb_ep_write(r2, 0x8d, 0xfb, &(0x7f00000001c0)="d0be166e5e8b26a5e6b39aa93e00d43ec7e813e40b8fcad530f5176b71ef3ac478184911afdd2a979d4c5b7fccca3f0c6871b5032e4727642967374587861ca6bd95847cd7fa48e161817931a074a00f2d99471f511f07fc4bd392b89c581899e2ae79abe551ecce24444d0d91595054bea9bb0ce5ca2985043edb126c403549e7c5d36ceba659a4acb46b1361f31359c9f1c4b02f5edbe98e11edb32d0c08ce4e024fcefdee253f92ee9a9acfc0642ca6543d7ee1bab1") mount$fuse(0x0, 0x0, 0x0, 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=0x0]) mount(0x0, &(0x7f0000000240)='./file1\x00', &(0x7f0000000040)='autofs\x00', 0x0, &(0x7f0000000400)) chdir(&(0x7f0000000080)='./file1\x00') r3 = openat$autofs(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0) ioctl$AUTOFS_DEV_IOCTL_CATATONIC(r3, 0xc0189379, &(0x7f0000000200)={{0x1, 0x1, 0x18, 0xffffffffffffffff}, './file0\x00'}) mknodat$loop(r4, &(0x7f00000000c0)='./file1\x00', 0x2000, 0x1) ioctl$AUTOFS_DEV_IOCTL_PROTOSUBVER(r1, 0xc0189378, &(0x7f0000000280)={{0x1, 0x1, 0x18, r4, {0x4}}, './file0\x00'}) setsockopt$MRT6_ADD_MIF(r0, 0x29, 0xca, &(0x7f0000000040)={0x0, 0x1}, 0xc) write(r0, &(0x7f0000003300)="fc6f6f9d8bdcd93de4a662b0393a24f8cd6f899f58db44fdb68729b615dedbdcf3f5e7e7f24b2c2265a981265174c76185f5da08f8bc8c6aca343e05dfe3438691e2e97cd1ece4fc2abb83ffac813cdcc2f27765eb62fb874fe6a38303fefca4b0088ee4cb96907e1cc6c0e749caf5a5b87a2eb6462942c3c2791e712de82849b0b72629335c93c380f598e35720f1044615d7da4e2bf5d9a7da5da3398c99e0d598487206346afa54b965bbe301477b130154446f53ed91dd430d432eca0bf6", 0xc0) 1.290797122s ago: executing program 3 (id=3658): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @ipv4={'\x00', '\xff\xff', @empty}, 0xf}, 0x18) 1.188947964s ago: executing program 3 (id=3660): mount(0x0, 0x0, 0x0, 0x200010, &(0x7f00000001c0)='\x05\x00\x00\x00\x04\xb0\xfe\x98\xab\xc9\xa2IV\xb6-\xd9z\x81\x91\x8aP}I\xc6\x0e\xd9\r\x11\xa0\xd7\xd7\xb6\x9bz\x99\xaf\xfd\x87fN\xad\x90U\xb4A\xdf\xabB\xbba\x7f\xb8\x96\x1a\xe7\xc1\xab\x16\xc77\x8b') mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu/syz0\x00', 0x1ff) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0xc008ae88, &(0x7f0000000000)=ANY=[@ANYBLOB="01090000000000000f478e"]) (async) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0xc008ae88, &(0x7f0000000000)=ANY=[@ANYBLOB="01090000000000000f478e"]) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000240)={0x14, 0x2b, 0x107, 0x70bd2d, 0x25dfdbfc, {0x4, 0x7c}}, 0x14}}, 0x0) openat$kvm(0xffffff9c, &(0x7f00000000c0), 0x800, 0x0) (async) r1 = openat$kvm(0xffffff9c, &(0x7f00000000c0), 0x800, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) (async) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) r4 = syz_open_dev$vim2m(&(0x7f0000000040), 0x4000000000000102, 0x2) ioctl$vim2m_VIDIOC_REQBUFS(r4, 0xc0145608, &(0x7f00000001c0)={0x20, 0x2, 0x4}) ioctl$vim2m_VIDIOC_S_FMT(r4, 0xc0d05605, &(0x7f0000000300)={0x2, @pix_mp={0x0, 0xfffffffc, 0x0, 0x0, 0x0, [{}, {}, {}, {0x7}, {}, {}, {0x3}], 0x0, 0x0, 0x0, 0x0, 0x4}}) ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x2, 0x9, 0xfffffffffffffffd, 0x0, 0x10000, 0x0, 0x4002004c4, 0x1000, 0x0, 0x0, 0x2, 0x5, 0x0, 0x9, 0x0, 0x7], 0xeeee8000, 0x2113c0}) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) syz_open_dev$evdev(&(0x7f0000000100), 0x2, 0x8000) (async) r5 = syz_open_dev$evdev(&(0x7f0000000100), 0x2, 0x8000) ioctl$EVIOCGMASK(r5, 0x80104592, &(0x7f0000000140)={0x12, 0xf1, &(0x7f0000000340)="1df5b6cc1048551b8a25522d5ce3b0d90789ed304dbc21494bafb8335a1542825e0ff3435750f53054a3133925a60869b0a07aedb0acd8bc522d3336d69bc30977783e151d71be1d3e8f795c71db2b8bac4f2f6fdc13951b323473c1560a4d903722c12692f111fa3dff1ecbf4fc610e2832f8c7b6f4b7c2709a665cf0b8957d3e0cdd66d2bfc329f926d474727bf585df5bbaef5528144a8f8a073b61b0d94c91a24f75d0d97717b4a9fca6b27412850f0dc87cd7769aee4741caccd388ea48b96bd0ee0bcf4fad4626786338c7d562a892b2a9d64d4bed09751cccb026455a03562e64fed850d6ef3db23186c636f759"}) r6 = syz_open_dev$cec(&(0x7f0000000080), 0x0, 0x0) socketpair(0x23, 0x5, 0x800, &(0x7f0000000000)) ioctl$CEC_DQEVENT(r6, 0xc0506107, &(0x7f00000002c0)) r7 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) getsockopt$inet6_int(r7, 0x29, 0x1d, 0x0, &(0x7f0000000080)) (async) getsockopt$inet6_int(r7, 0x29, 0x1d, 0x0, &(0x7f0000000080)) ioctl$CEC_S_MODE(r6, 0x40046109, &(0x7f00000001c0)=0xd0) (async) ioctl$CEC_S_MODE(r6, 0x40046109, &(0x7f00000001c0)=0xd0) mount(&(0x7f0000000000)=@rnullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='msdos\x00', 0x200000, 0x0) (async) mount(&(0x7f0000000000)=@rnullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='msdos\x00', 0x200000, 0x0) ioctl$FS_IOC_READ_VERITY_METADATA(r3, 0xc0286687, &(0x7f0000000180)={0x2, 0x6, 0x1000, &(0x7f0000000440)=""/4096}) (async) ioctl$FS_IOC_READ_VERITY_METADATA(r3, 0xc0286687, &(0x7f0000000180)={0x2, 0x6, 0x1000, &(0x7f0000000440)=""/4096}) 878.357972ms ago: executing program 4 (id=3662): r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(r0, 0x89f1, &(0x7f0000000440)={'sit0\x00', &(0x7f0000000400)={'syztnl0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, {{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0xfc, 0x0, 0x0, @loopback, @empty=0xffffffff}}}}) (fail_nth: 5) 499.233295ms ago: executing program 3 (id=3663): r0 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000000900)=[@in={0x2, 0x4e23, @loopback}, @in6={0xa, 0x0, 0x0, @loopback, 0x7ff}], 0x2c) sendto$inet6(r0, &(0x7f0000000000)='\x00', 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback, 0x5}, 0x1c) sendto$inet6(r0, &(0x7f0000000080)="117c0ebae30099e9cfc677266e7408ce6384b25208cbed3287e8342abc4ec7c03f8e95ea3ddad0dd1977ecb751f3fbf6288b382b372efd1cd236", 0x3a, 0x0, 0x0, 0x0) setsockopt$inet_sctp6_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f0000000580)={0x41, 0x80}, 0xe) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r0, 0x660c) recvmmsg(r0, &(0x7f0000002c40)=[{{0x0, 0x0, 0x0}, 0x5}], 0x1, 0x40000040, 0x0) syz_emit_vhci(&(0x7f0000000780)=ANY=[@ANYBLOB="02cb200a0006000500011002000200"], 0xf) mount(&(0x7f0000000100)=@rnullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000240)='udf\x00', 0x200000, 0x0) 489.144669ms ago: executing program 4 (id=3664): r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(r0, 0x89f1, &(0x7f0000000440)={'sit0\x00', &(0x7f0000000400)={'syztnl0\x00', 0x0, 0x89, 0x0, 0x0, 0x0, {{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0xfc, 0x0, 0x0, @loopback, @empty=0xffffffff}}}}) 402.173087ms ago: executing program 1 (id=3665): clock_gettime(0x0, &(0x7f00000000c0)={0x0, 0x0}) pselect6(0xfffffffffffffec0, 0x0, 0x0, 0x0, &(0x7f0000000080)={r0, r1+60000000}, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) r2 = syz_open_dev$evdev(0x0, 0x2, 0x862b01) ioctl$EVIOCSFF(0xffffffffffffffff, 0x40304580, &(0x7f0000000480)={0x0, 0x0, 0x0, {0x0, 0x1}, {0x3a, 0x2}}) write$char_usb(r2, &(0x7f0000000040)="e2", 0x2250) 302.446789ms ago: executing program 4 (id=3666): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f00000001c0), 0xffffffffffffffff) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_JOIN_MESH(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000340)={0x28, r1, 0x1, 0x70bd29, 0x25dfdbfb, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_MESH_CONFIG={0xc, 0x23, 0x0, 0x1, [@NL80211_MESHCONF_RSSI_THRESHOLD={0x8, 0x14, 0xffffff31}]}]}, 0x28}, 0x1, 0x0, 0x0, 0x84}, 0xffffff31) 294.573493ms ago: executing program 1 (id=3667): r0 = openat$binder_debug(0xffffff9c, &(0x7f0000000300)='/sys/kernel/debug/binder/transaction_log\x00', 0x0, 0x0) ioctl$FICLONERANGE(r0, 0x4020940d, 0x0) syz_usb_connect(0x0, 0x24, &(0x7f0000000580)=ANY=[@ANYBLOB="120100009cd3bcc0323f09a50403c7046ff70f8406ff60d43007000000030109021200"/46], 0x0) r1 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]}) r2 = socket$unix(0x1, 0x5, 0x0) r3 = dup2(r2, r1) close_range(r3, 0xffffffffffffffff, 0x0) (async) ioctl$FBIOPUTCMAP(r3, 0x4605, &(0x7f00000002c0)={0x1, 0x2, &(0x7f00000001c0)=[0xa6a4, 0x7f], &(0x7f0000000200)=[0x1ff, 0x9282, 0x2, 0xfff6], &(0x7f0000000240)=[0x4, 0x10, 0x5, 0x4], &(0x7f0000000280)=[0x8000, 0x0, 0x313, 0x0]}) (async) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) munmap(&(0x7f000045e000/0x1000)=nil, 0x1000) (async, rerun: 32) mremap(&(0x7f0000dde000/0x1000)=nil, 0x1000, 0x1000, 0x3, &(0x7f0000bb3000/0x1000)=nil) (rerun: 32) mremap(&(0x7f00006bd000/0x2000)=nil, 0x2000, 0x4000, 0x3, &(0x7f0000721000/0x4000)=nil) (async) munmap(&(0x7f0000a88000/0x1000)=nil, 0x1000) (async) mlock2(&(0x7f0000d92000/0x4000)=nil, 0x4000, 0x0) (async) munmap(&(0x7f000060f000/0x4000)=nil, 0x4000) (async) madvise(&(0x7f0000586000/0x3000)=nil, 0x3000, 0x12) (async, rerun: 64) mremap(&(0x7f000061c000/0x13000)=nil, 0x13000, 0x4000, 0x3, &(0x7f0000fb0000/0x4000)=nil) (rerun: 64) ioctl$UFFDIO_ZEROPAGE(r0, 0xc020aa04, &(0x7f0000000140)={{&(0x7f0000a5e000/0x4000)=nil, 0x4000}, 0x1}) (async) mremap(&(0x7f00007b2000/0x4000)=nil, 0x4000, 0x3000, 0x3, &(0x7f0000968000/0x3000)=nil) mlock(&(0x7f0000002000/0x1000)=nil, 0x1000) (async) copy_file_range(r0, &(0x7f0000000440)=0xc, r1, 0x0, 0x7fffffffffffffff, 0x0) (async) munmap(&(0x7f00003fe000/0xc00000)=nil, 0xc00000) (async) r4 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000000c0), 0x121602, 0x0) ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000180)={{&(0x7f00009eb000/0x4000)=nil, 0x4000}, 0x4}) (async, rerun: 64) ioctl$TIOCSETD(r4, 0x5423, &(0x7f00000003c0)=0x19) (async, rerun: 64) ioctl$TIOCVHANGUP(r4, 0x5437, 0x2) (async) r5 = add_key$keyring(&(0x7f0000000340), &(0x7f0000000180)={'syz', 0x3}, 0x0, 0x0, 0xffffffffffffffff) add_key(&(0x7f0000000240)='asymmetric\x00', &(0x7f0000000480)={'syz', 0x1}, &(0x7f00000004c0)="dee7030022cf5c6c7bc31bd2599759fafa9e5e1dbac27b0426fc0299c41fb9b9761a1b44dac894f365ae68edf335abf35ec53d6751467ebd2c187491bcab2c8d34fec505fc8a14622dba33ff9b054eb7e8a5bc4ab2719cb230328931deb95ef3fcafb1ce27743a93f4715976edec860ab49c3a4f51ab0124b50c3362201a307df03000", 0x83, r5) (async) ioctl$IOMMU_VFIO_IOMMU_GET_INFO(r0, 0x3b70, &(0x7f00000000c0)={0x70, 0x0, 0x0, 0x0, {}, {{}, 0x0, 0x0, [{}, {}, {}, {}]}}) (async, rerun: 64) mount(&(0x7f0000000000)=@nbd={'/dev/nbd', 0x0}, &(0x7f0000000080)='./cgroup\x00', &(0x7f0000000040)='hpfs\x00', 0x0, 0x0) (rerun: 64) 286.522343ms ago: executing program 2 (id=3668): r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = fsopen(&(0x7f0000000040)='hugetlbfs\x00', 0x0) fsconfig$FSCONFIG_SET_STRING(r1, 0x1, &(0x7f0000001100)='iocharset', &(0x7f0000001140)='\xe0^@&&}\'\x00', 0x0) sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000300)=ANY=[@ANYRES64=r1], 0x18}, 0x1, 0x0, 0x0, 0x8000}, 0x40800) openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x200401, 0x0) r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000080), 0x4000000002a82, 0x0) r3 = dup(r2) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb34902, 0x1000006, 0x28011, r3, 0x0) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00304, 0x15) syz_open_dev$vbi(&(0x7f0000000000), 0x0, 0x2) r4 = socket$packet(0x11, 0x2, 0x300) syz_usb_connect$uac1(0x0, 0xa4, &(0x7f0000001200)=ANY=[@ANYBLOB="2a01000020000040b708000000000000030109029200030172e5000904000000010100000a24010000000201020c0d2405000005000000000000000c240000e9fffff5ffffffff092403f3", @ANYRES8=0x0, @ANYRES64=r4], 0x0) fadvise64(r2, 0x18, 0x0, 0x4) 198.426031ms ago: executing program 4 (id=3669): r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(r0, 0x89f1, &(0x7f0000000440)={'sit0\x00', &(0x7f0000000400)={'gre0\x00', 0x0, 0x20, 0x7800, 0x0, 0x3, {{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0xfc, 0x0, 0x0, @multicast2, @remote}}}}) 156.754736ms ago: executing program 4 (id=3670): r0 = creat(&(0x7f0000001380)='./file0\x00', 0x20) dup(r0) (async) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={0x0}}, 0x0) (async) r1 = userfaultfd(0x1) openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) (async) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f0000000180)) (async) mprotect(&(0x7f0000000000/0x2000)=nil, 0x2000, 0xc) (async) ioctl$UFFDIO_COPY(r1, 0xc028aa03, &(0x7f0000000040)={&(0x7f0000ffb000/0x4000)=nil, &(0x7f0000ffe000/0x1000)=nil, 0x4000}) (async) mount(&(0x7f0000001400)=@rnullb, &(0x7f0000001440)='./file0\x00', &(0x7f0000000000)='omfs\x00', 0x0, 0x0) 0s ago: executing program 4 (id=3671): r0 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi3\x00', 0x2000, 0x0) ioctl$COMEDI_DEVCONFIG(r0, 0x40946400, &(0x7f0000000400)={'c6xdigio\x00', [0x0, 0x80000000, 0x4, 0xfdf9, 0xa8da, 0x8f, 0x6, 0x44, 0x2, 0x3187, 0x200, 0xfff, 0x77382cfb, 0x2002, 0x0, 0x6, 0x8, 0x6, 0x84, 0xb, 0x0, 0x20000, 0x80, 0x55, 0x5, 0xad1, 0x1ff, 0x907df, 0x8, 0x40000f3, 0x3]}) mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0/file0\x00', 0x11e) ioctl$AUTOFS_DEV_IOCTL_PROTOVER(0xffffffffffffffff, 0xc0189372, &(0x7f0000000000)={{0x1, 0x1, 0x18, r0, {0x7}}, './file0\x00'}) ioctl$KVM_CAP_VM_DISABLE_NX_HUGE_PAGES(r1, 0x4068aea3, &(0x7f0000000080)) kernel console output (not intermixed with test programs): 12719] usb 5-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 607.785782][ T9] usb usb2-port1: unable to enumerate USB device [ 607.795685][T12719] usb 5-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 607.825478][T12719] usb 5-1: config 16 interface 0 altsetting 0 endpoint 0x8B has invalid wMaxPacketSize 0 [ 607.843663][T12719] usb 5-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 0 [ 607.850168][T15627] netlink: 244 bytes leftover after parsing attributes in process `syz.3.3293'. [ 607.854071][T12719] usb 5-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 607.876132][T12719] usb 5-1: New USB device found, idVendor=ee8d, idProduct=db1e, bcdDevice=61.23 [ 607.885234][T12719] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 607.900129][T12719] usbtmc 5-1:16.0: probe with driver usbtmc failed with error -22 [ 608.055756][ T24] usb 3-1: new high-speed USB device number 10 using dummy_hcd [ 608.209569][T12719] usb 5-1: USB disconnect, device number 102 [ 608.225763][ T24] usb 3-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 608.236714][ T24] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 608.246303][ T24] usb 3-1: Product: syz [ 608.250637][ T24] usb 3-1: Manufacturer: syz [ 608.255258][ T24] usb 3-1: SerialNumber: syz [ 608.277293][ T24] usb 3-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [ 608.303157][ T43] usb 3-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [ 608.357090][T15639] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 608.688449][T15645] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 608.699748][T15645] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 608.712918][ T30] audit: type=1800 audit(1751723522.941:59): pid=15645 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.3.3302" name="SYSV00000000" dev="tmpfs" ino=0 res=0 errno=0 [ 608.741673][ T24] usb 3-1: USB disconnect, device number 10 [ 608.894756][T15648] comedi comedi0: multiq3: I/O port conflict (0x4,16) [ 609.124654][T15656] netlink: 96 bytes leftover after parsing attributes in process `syz.4.3307'. [ 609.375746][ T43] ath9k_htc 3-1:1.0: ath9k_htc: Target is unresponsive [ 609.395774][ T43] ath9k_htc: Failed to initialize the device [ 609.408770][ T5903] usb 2-1: new high-speed USB device number 20 using dummy_hcd [ 609.418319][ T24] usb 3-1: ath9k_htc: USB layer deinitialized [ 609.590133][T15669] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 609.618278][ T5903] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0xF has an invalid bInterval 0, changing to 7 [ 609.631685][ T5903] usb 2-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 8 [ 609.651546][ T5903] usb 2-1: New USB device found, idVendor=0499, idProduct=103e, bcdDevice=4e.18 [ 609.675474][ T5903] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 609.683583][ T5903] usb 2-1: Product: syz [ 609.695756][ T5903] usb 2-1: Manufacturer: syz [ 609.705551][ T5903] usb 2-1: SerialNumber: syz [ 609.756825][ T5903] usb 2-1: config 0 descriptor?? [ 609.805537][T12860] usb 5-1: new high-speed USB device number 103 using dummy_hcd [ 609.935753][T12860] usb 5-1: device descriptor read/64, error -71 [ 609.969959][ T5903] usb 2-1: Quirk or no altset; falling back to MIDI 1.0 [ 610.024583][ T5903] usb 2-1: USB disconnect, device number 20 [ 610.154932][T15680] udevd[15680]: error opening ATTR{/sys/devices/platform/dummy_hcd.1/usb2/2-1/2-1:0.0/sound/card3/controlC3/../uevent} for writing: No such file or directory [ 610.195622][T12860] usb 5-1: new high-speed USB device number 104 using dummy_hcd [ 610.267858][T15683] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 610.276810][T15683] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 610.345769][T12860] usb 5-1: device descriptor read/64, error -71 [ 610.379386][T15688] rdma_rxe: rxe_newlink: rxe creation allowed on top of a real device only [ 610.390760][T15688] /dev/rnullb0: Can't open blockdev [ 610.458923][T12860] usb usb5-port1: attempt power cycle [ 610.470634][T15690] fuseblk: Unknown parameter 'max_readrlI' [ 610.764782][T15703] tipc: New replicast peer: fe80:0000:0000:0000:0000:0000:00fe:00bb [ 610.780554][T15703] tipc: Enabled bearer , priority 10 [ 610.819965][T15702] /dev/rnullb0: Can't open blockdev [ 610.835966][T12860] usb 5-1: new high-speed USB device number 105 using dummy_hcd [ 610.877614][T12860] usb 5-1: device descriptor read/8, error -71 [ 611.125722][ T5903] usb 2-1: new high-speed USB device number 21 using dummy_hcd [ 611.133508][T12860] usb 5-1: new high-speed USB device number 106 using dummy_hcd [ 611.166178][T12860] usb 5-1: device descriptor read/8, error -71 [ 611.206696][ T43] usb 3-1: new high-speed USB device number 11 using dummy_hcd [ 611.278749][T12860] usb usb5-port1: unable to enumerate USB device [ 611.285811][ T5903] usb 2-1: Using ep0 maxpacket: 8 [ 611.298739][ T5903] usb 2-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 611.313130][ T5903] usb 2-1: config 16 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 611.333475][ T5903] usb 2-1: config 16 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 32 [ 611.362949][ T5903] usb 2-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 611.379652][ T43] usb 3-1: Using ep0 maxpacket: 8 [ 611.385817][ T5903] usb 2-1: New USB device found, idVendor=ee8d, idProduct=db1a, bcdDevice=61.23 [ 611.395084][ T5903] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 611.403864][ T43] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x8D has an invalid bInterval 42, changing to 9 [ 611.431448][ T43] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 611.452993][ T43] usb 3-1: config 0 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 611.463607][ T43] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x8B has invalid maxpacket 12592, setting to 1024 [ 611.475165][ T43] usb 3-1: config 0 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 1024 [ 611.485561][ T43] usb 3-1: New USB device found, idVendor=05ac, idProduct=8215, bcdDevice=8f.58 [ 611.494719][ T43] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 611.516562][ T43] usb 3-1: config 0 descriptor?? [ 611.522600][T15707] raw-gadget.3 gadget.2: fail, usb_ep_enable returned -22 [ 611.647364][T15705] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 611.668479][T15705] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 611.683189][ T5903] usb 2-1: GET_CAPABILITIES returned 0 [ 611.692752][ T5903] usbtmc 2-1:16.0: can't read capabilities [ 611.741104][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.750443][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.757429][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.764327][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.772619][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.779782][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.786771][ T5903] tipc: Node number set to 977433782 [ 611.793339][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.800526][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.807654][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.814536][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.821494][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.828629][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.835564][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.842477][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.849557][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.856497][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.863380][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.870303][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.877233][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.884123][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.891185][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.900535][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.907521][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.914398][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.921594][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.928681][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.935628][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.939647][T12719] usb 2-1: USB disconnect, device number 21 [ 611.942514][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.942637][ T5167] Bluetooth: hci3: Received unexpected HCI Event 0x00 [ 611.998029][ T51] Bluetooth: hci3: Opcode 0x0c03 failed: -71 [ 612.016707][T12722] usb 3-1: USB disconnect, device number 11 [ 612.323960][T15723] netlink: 96 bytes leftover after parsing attributes in process `syz.3.3334'. [ 612.392875][T15725] sit0: entered promiscuous mode [ 612.403551][T15725] netlink: 'syz.3.3335': attribute type 1 has an invalid length. [ 612.411690][T15725] netlink: 1 bytes leftover after parsing attributes in process `syz.3.3335'. [ 612.756156][T15733] /dev/rnullb0: Can't open blockdev [ 613.450365][T15751] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 613.455572][ T43] usb 2-1: new high-speed USB device number 22 using dummy_hcd [ 613.466630][T15751] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 613.479639][T15749] FAULT_INJECTION: forcing a failure. [ 613.479639][T15749] name failslab, interval 1, probability 0, space 0, times 0 [ 613.505537][T15749] CPU: 0 UID: 0 PID: 15749 Comm: syz.2.3346 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 613.505569][T15749] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 613.505584][T15749] Call Trace: [ 613.505593][T15749] [ 613.505604][T15749] dump_stack_lvl+0x189/0x250 [ 613.505643][T15749] ? __pfx____ratelimit+0x10/0x10 [ 613.505668][T15749] ? __pfx_dump_stack_lvl+0x10/0x10 [ 613.505701][T15749] ? __pfx__printk+0x10/0x10 [ 613.505740][T15749] ? __pfx___might_resched+0x10/0x10 [ 613.505770][T15749] ? fs_reclaim_acquire+0x7d/0x100 [ 613.505799][T15749] should_fail_ex+0x414/0x560 [ 613.505839][T15749] should_failslab+0xa8/0x100 [ 613.505862][T15749] __kmalloc_noprof+0xcb/0x4f0 [ 613.505894][T15749] ? kfree+0x4d/0x440 [ 613.505922][T15749] ? tomoyo_realpath_from_path+0xe3/0x5d0 [ 613.505963][T15749] tomoyo_realpath_from_path+0xe3/0x5d0 [ 613.506001][T15749] ? tomoyo_domain+0xd9/0x130 [ 613.506027][T15749] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 613.506058][T15749] tomoyo_path_number_perm+0x1e8/0x5a0 [ 613.506091][T15749] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 613.506139][T15749] ? __lock_acquire+0xab9/0xd20 [ 613.506187][T15749] ? __fget_files+0x2a/0x420 [ 613.506215][T15749] ? __fget_files+0x2a/0x420 [ 613.506239][T15749] ? __fget_files+0x3a0/0x420 [ 613.506262][T15749] ? __fget_files+0x2a/0x420 [ 613.506291][T15749] security_file_ioctl+0xcb/0x2d0 [ 613.506321][T15749] __se_sys_ioctl+0x47/0x170 [ 613.506358][T15749] do_syscall_64+0xfa/0x3b0 [ 613.506382][T15749] ? lockdep_hardirqs_on+0x9c/0x150 [ 613.506412][T15749] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 613.506435][T15749] ? clear_bhb_loop+0x60/0xb0 [ 613.506464][T15749] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 613.506486][T15749] RIP: 0033:0x7fc99ef8e929 [ 613.506507][T15749] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 613.506527][T15749] RSP: 002b:00007fc99fd4b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 613.506550][T15749] RAX: ffffffffffffffda RBX: 00007fc99f1b5fa0 RCX: 00007fc99ef8e929 [ 613.506568][T15749] RDX: 0000200000000100 RSI: 000000000000541c RDI: 0000000000000003 [ 613.506583][T15749] RBP: 00007fc99fd4b090 R08: 0000000000000000 R09: 0000000000000000 [ 613.506598][T15749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 613.506612][T15749] R13: 0000000000000000 R14: 00007fc99f1b5fa0 R15: 00007fff9bee33a8 [ 613.506646][T15749] [ 613.506666][T15749] ERROR: Out of memory at tomoyo_realpath_from_path. [ 613.552556][ T5167] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 613.781383][ T5167] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 613.806655][ T5167] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 613.814279][ T43] usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 613.830418][ T5167] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 613.839385][ T5167] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 613.846732][ T43] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 613.855352][ T43] usb 2-1: Product: syz [ 613.861649][ T43] usb 2-1: Manufacturer: syz [ 613.875242][ T43] usb 2-1: SerialNumber: syz [ 613.882075][ T51] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 613.891615][ T51] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 613.902920][ T51] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 613.912598][ T51] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 613.920831][ T51] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 613.932441][ T43] usb 2-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [ 613.962206][T12860] usb 2-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [ 614.145540][ T5903] usb 3-1: new high-speed USB device number 12 using dummy_hcd [ 614.278650][ T5903] usb 3-1: device descriptor read/64, error -71 [ 614.300774][ T73] netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 614.349721][T15752] lo speed is unknown, defaulting to 1000 [ 614.498711][ T73] netdevsim netdevsim4 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 614.518985][ T5903] usb 3-1: new high-speed USB device number 13 using dummy_hcd [ 614.540750][T15763] tipc: Enabled bearer , priority 10 [ 614.635701][T15761] tipc: Resetting bearer [ 614.665595][ T5903] usb 3-1: device descriptor read/64, error -71 [ 614.691853][ T73] netdevsim netdevsim4 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 614.734488][T15760] tipc: Resetting bearer [ 614.777694][ T5903] usb usb3-port1: attempt power cycle [ 615.135671][ T5903] usb 3-1: new high-speed USB device number 14 using dummy_hcd [ 615.156302][ T5903] usb 3-1: device descriptor read/8, error -71 [ 615.225943][T12860] usb 2-1: Service connection timeout for: 256 [ 615.232259][T12860] ath9k_htc 2-1:1.0: ath9k_htc: Unable to initialize HTC services [ 615.265654][T12860] ath9k_htc: Failed to initialize the device [ 615.278522][T12860] usb 2-1: ath9k_htc: USB layer deinitialized [ 615.395557][ T5903] usb 3-1: new high-speed USB device number 15 using dummy_hcd [ 615.418771][ T5903] usb 3-1: device descriptor read/8, error -71 [ 615.500419][T12719] usb 2-1: USB disconnect, device number 22 [ 615.527005][ T5903] usb usb3-port1: unable to enumerate USB device [ 615.578108][T12722] tipc: Node number set to 59 [ 616.015890][ T5167] Bluetooth: hci3: command tx timeout [ 616.395578][T12722] usb 2-1: new high-speed USB device number 23 using dummy_hcd [ 616.547760][T12722] usb 2-1: New USB device found, idVendor=046d, idProduct=0870, bcdDevice=61.47 [ 616.557122][T12722] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 616.568328][T12722] usb 2-1: config 0 descriptor?? [ 616.577747][T12722] gspca_main: STV06xx-2.14.0 probing 046d:0870 [ 616.947812][T15770] /dev/rnullb0: Can't open blockdev [ 617.020229][T15772] FAULT_INJECTION: forcing a failure. [ 617.020229][T15772] name failslab, interval 1, probability 0, space 0, times 0 [ 617.037935][T15772] CPU: 0 UID: 0 PID: 15772 Comm: syz.2.3355 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 617.037966][T15772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 617.037983][T15772] Call Trace: [ 617.037992][T15772] [ 617.038001][T15772] dump_stack_lvl+0x189/0x250 [ 617.038036][T15772] ? __pfx____ratelimit+0x10/0x10 [ 617.038059][T15772] ? __pfx_dump_stack_lvl+0x10/0x10 [ 617.038089][T15772] ? __pfx__printk+0x10/0x10 [ 617.038123][T15772] ? __pfx___might_resched+0x10/0x10 [ 617.038150][T15772] ? fs_reclaim_acquire+0x7d/0x100 [ 617.038177][T15772] should_fail_ex+0x414/0x560 [ 617.038212][T15772] should_failslab+0xa8/0x100 [ 617.038233][T15772] kmem_cache_alloc_noprof+0x73/0x3c0 [ 617.038263][T15772] ? __kernfs_new_node+0xd7/0x7e0 [ 617.038294][T15772] __kernfs_new_node+0xd7/0x7e0 [ 617.038321][T15772] ? __lock_acquire+0xab9/0xd20 [ 617.038351][T15772] ? __pfx___kernfs_new_node+0x10/0x10 [ 617.038379][T15772] ? kernfs_root+0x1c/0x230 [ 617.038411][T15772] ? kernfs_root+0x1c/0x230 [ 617.038435][T15772] ? kernfs_root+0x1c/0x230 [ 617.038458][T15772] ? kernfs_root+0x1c/0x230 [ 617.038488][T15772] kernfs_new_node+0x102/0x210 [ 617.038520][T15772] __kernfs_create_file+0x4b/0x2e0 [ 617.038543][T15772] sysfs_add_file_mode_ns+0x238/0x300 [ 617.038575][T15772] sysfs_create_file_ns+0x128/0x1a0 [ 617.038597][T15772] ? kernfs_put+0x420/0x480 [ 617.038623][T15772] ? __pfx_sysfs_create_file_ns+0x10/0x10 [ 617.038648][T15772] ? sysfs_do_create_link_sd+0xe0/0x110 [ 617.038675][T15772] ? device_create_file+0xf4/0x1c0 [ 617.038698][T15772] device_add+0x440/0xb50 [ 617.038716][T15772] ? iommufd_test+0x2b8b/0x5170 [ 617.038744][T15772] iommufd_test+0x2f95/0x5170 [ 617.038781][T15772] ? __pfx_iommufd_test+0x10/0x10 [ 617.038809][T15772] ? __lock_acquire+0xab9/0xd20 [ 617.038843][T15772] ? __might_fault+0xb0/0x130 [ 617.038906][T15772] iommufd_fops_ioctl+0x45b/0x580 [ 617.038946][T15772] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 617.038983][T15772] ? __fget_files+0x2a/0x420 [ 617.039011][T15772] ? __fget_files+0x2a/0x420 [ 617.039037][T15772] ? bpf_lsm_file_ioctl+0x9/0x20 [ 617.039065][T15772] ? __pfx_iommufd_fops_ioctl+0x10/0x10 [ 617.039097][T15772] __se_sys_ioctl+0xf9/0x170 [ 617.039129][T15772] do_syscall_64+0xfa/0x3b0 [ 617.039154][T15772] ? lockdep_hardirqs_on+0x9c/0x150 [ 617.039176][T15772] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 617.039196][T15772] ? clear_bhb_loop+0x60/0xb0 [ 617.039221][T15772] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 617.039242][T15772] RIP: 0033:0x7fc99ef8e929 [ 617.039260][T15772] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 617.039279][T15772] RSP: 002b:00007fc99fd4b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 617.039301][T15772] RAX: ffffffffffffffda RBX: 00007fc99f1b5fa0 RCX: 00007fc99ef8e929 [ 617.039316][T15772] RDX: 00002000000002c0 RSI: 0000000000003ba0 RDI: 0000000000000003 [ 617.039330][T15772] RBP: 00007fc99fd4b090 R08: 0000000000000000 R09: 0000000000000000 [ 617.039344][T15772] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 [ 617.039356][T15772] R13: 0000000000000000 R14: 00007fc99f1b5fa0 R15: 00007fff9bee33a8 [ 617.039387][T15772] [ 617.685725][ T5903] usb 3-1: new high-speed USB device number 16 using dummy_hcd [ 617.835513][ T5903] usb 3-1: Using ep0 maxpacket: 8 [ 617.842603][ T5903] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x8D has an invalid bInterval 42, changing to 9 [ 617.854423][ T5903] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 617.864251][ T5903] usb 3-1: config 0 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 617.874023][ T5903] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x8B has invalid maxpacket 12592, setting to 1024 [ 617.885339][ T5903] usb 3-1: config 0 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 1024 [ 617.895598][ T5903] usb 3-1: New USB device found, idVendor=05ac, idProduct=8215, bcdDevice=8f.58 [ 617.904685][ T5903] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 617.920446][ T5903] usb 3-1: config 0 descriptor?? [ 617.928678][T15775] raw-gadget.1 gadget.2: fail, usb_ep_enable returned -22 [ 617.983434][T15768] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 617.993875][T15768] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 618.007802][T15768] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 618.018089][T15768] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 618.095671][ T51] Bluetooth: hci3: command tx timeout [ 618.143102][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.151843][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.159203][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.166282][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.173150][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.180211][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.187144][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.194166][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.202501][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.209505][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.216447][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.223345][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.230327][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.237263][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.244392][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.251437][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.259805][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.266752][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.273657][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.281955][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.288919][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.295890][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.302792][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.309741][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.316792][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.323652][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.331620][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.338549][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.345602][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 618.349635][ T5903] usb 3-1: USB disconnect, device number 16 [ 618.363403][ T5167] Bluetooth: hci2: Opcode 0x0c03 failed: -71 [ 618.846026][T12719] usb 2-1: USB disconnect, device number 23 [ 619.420366][T15781] /dev/rnullb0: Can't open blockdev [ 619.674380][T15788] /dev/rnullb0: Can't open blockdev [ 619.975648][T12719] usb 2-1: new high-speed USB device number 24 using dummy_hcd [ 620.105490][T12719] usb 2-1: device descriptor read/64, error -71 [ 620.175569][ T5167] Bluetooth: hci3: command tx timeout [ 620.345552][T12719] usb 2-1: new high-speed USB device number 25 using dummy_hcd [ 620.475561][T12719] usb 2-1: device descriptor read/64, error -71 [ 620.585786][T12719] usb usb2-port1: attempt power cycle [ 620.927105][T12719] usb 2-1: new high-speed USB device number 26 using dummy_hcd [ 620.956544][T12719] usb 2-1: device descriptor read/8, error -71 [ 621.195737][T12719] usb 2-1: new high-speed USB device number 27 using dummy_hcd [ 621.216392][T12719] usb 2-1: device descriptor read/8, error -71 [ 621.326868][T12719] usb usb2-port1: unable to enumerate USB device [ 622.255688][ T5167] Bluetooth: hci3: command tx timeout [ 624.195818][ T5903] usb 2-1: new high-speed USB device number 28 using dummy_hcd [ 624.345505][ T5903] usb 2-1: Using ep0 maxpacket: 8 [ 624.352185][ T5903] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x8D has an invalid bInterval 42, changing to 9 [ 624.363300][ T5903] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 624.373142][ T5903] usb 2-1: config 0 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 624.382928][ T5903] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x8B has invalid maxpacket 12592, setting to 1024 [ 624.394355][ T5903] usb 2-1: config 0 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 1024 [ 624.404586][ T5903] usb 2-1: New USB device found, idVendor=05ac, idProduct=8215, bcdDevice=8f.58 [ 624.413736][ T5903] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 624.424739][ T5903] usb 2-1: config 0 descriptor?? [ 624.431185][T15799] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 624.656110][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.663448][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.670506][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.677496][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.684399][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.691342][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.698312][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.705200][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.712138][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.719047][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.725963][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.734279][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.741239][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.748374][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.755237][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.762150][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.769061][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.775967][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.782827][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.789857][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.796750][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.803614][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.810515][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.817572][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.824480][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.831406][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.838290][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.845152][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.852084][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 624.863642][ T5903] usb 2-1: USB disconnect, device number 28 [ 624.865872][ T5167] Bluetooth: hci2: Opcode 0x0c03 failed: -71 [ 627.200645][T15760] tipc: Disabling bearer [ 627.267580][ T73] netdevsim netdevsim4 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 627.682642][T15821] netlink: 'syz.3.3371': attribute type 11 has an invalid length. [ 627.684633][T15752] chnl_net:caif_netlink_parms(): no params data found [ 627.698095][T12719] usb 3-1: new high-speed USB device number 17 using dummy_hcd [ 627.845588][T12719] usb 3-1: device descriptor read/64, error -71 [ 627.858892][ T73] bridge_slave_1: left allmulticast mode [ 627.865903][ T73] bridge_slave_1: left promiscuous mode [ 627.871778][ T73] bridge0: port 2(bridge_slave_1) entered disabled state [ 627.898934][ T73] bridge_slave_0: left allmulticast mode [ 627.914892][ T73] bridge_slave_0: left promiscuous mode [ 627.925228][ T73] bridge0: port 1(bridge_slave_0) entered disabled state [ 628.105508][T12719] usb 3-1: new high-speed USB device number 18 using dummy_hcd [ 628.144201][T15836] binder: 15834:15836 ioctl c0306201 2000000003c0 returned -14 [ 628.162181][T15836] /dev/rnullb0: Can't open blockdev [ 628.245538][T12719] usb 3-1: device descriptor read/64, error -71 [ 628.358530][T12719] usb usb3-port1: attempt power cycle [ 628.715521][T12719] usb 3-1: new high-speed USB device number 19 using dummy_hcd [ 628.746319][T12719] usb 3-1: device descriptor read/8, error -71 [ 628.986603][T12719] usb 3-1: new high-speed USB device number 20 using dummy_hcd [ 629.006942][T12719] usb 3-1: device descriptor read/8, error -71 [ 629.040123][T15857] netlink: 8 bytes leftover after parsing attributes in process `syz.1.3382'. [ 629.119041][T12719] usb usb3-port1: unable to enumerate USB device [ 629.150754][ T73] tipc: Disabling bearer [ 629.158126][ T73] tipc: Left network mode [ 629.199911][T15752] bridge0: port 1(bridge_slave_0) entered blocking state [ 629.216653][T15752] bridge0: port 1(bridge_slave_0) entered disabled state [ 629.224537][T15752] bridge_slave_0: entered allmulticast mode [ 629.241030][T15752] bridge_slave_0: entered promiscuous mode [ 629.253689][T15752] bridge0: port 2(bridge_slave_1) entered blocking state [ 629.264934][T15752] bridge0: port 2(bridge_slave_1) entered disabled state [ 629.273944][T15752] bridge_slave_1: entered allmulticast mode [ 629.288095][T15752] bridge_slave_1: entered promiscuous mode [ 629.328006][T12860] usb 2-1: new high-speed USB device number 29 using dummy_hcd [ 629.418583][T15864] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 629.448625][T15864] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 629.466266][T15752] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 629.489086][T15752] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 629.511603][T12860] usb 2-1: New USB device found, idVendor=0bed, idProduct=1100, bcdDevice=ec.c3 [ 629.529088][T12860] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 629.548822][T12860] usb 2-1: config 0 descriptor?? [ 629.558260][T12860] cp210x 2-1:0.0: cp210x converter detected [ 629.615037][T15752] team0: Port device team_slave_0 added [ 629.626292][ T1301] ieee802154 phy0 wpan0: encryption failed: -22 [ 629.640174][T15752] team0: Port device team_slave_1 added [ 629.819953][T15752] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 629.841408][T15752] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 629.873728][T15752] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 629.892167][T15752] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 629.900153][T15752] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 629.926596][T15752] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 629.970230][T12860] cp210x 2-1:0.0: failed to get vendor val 0x000e size 3: -32 [ 630.064836][T12860] usb 2-1: cp210x converter now attached to ttyUSB0 [ 630.377591][T12722] usb 2-1: USB disconnect, device number 29 [ 630.391242][ T73] hsr_slave_0: left promiscuous mode [ 630.402826][T12722] cp210x ttyUSB0: cp210x converter now disconnected from ttyUSB0 [ 630.419090][ T73] hsr_slave_1: left promiscuous mode [ 630.425202][ T73] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 630.449238][ T73] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 630.459070][T12722] cp210x 2-1:0.0: device disconnected [ 630.496798][ T73] batman_adv: batadv0: Removing interface: virt_wifi0 [ 630.552163][ T73] veth1_macvtap: left promiscuous mode [ 630.558454][ T73] veth0_macvtap: left promiscuous mode [ 630.564096][ T73] veth1_vlan: left promiscuous mode [ 630.589783][ T73] veth0_vlan: left promiscuous mode [ 630.597846][T15883] /dev/rnullb0: Can't open blockdev [ 630.879392][T15894] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 630.891984][T15893] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 630.912369][T15893] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 631.560405][T15900] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 631.572800][T15900] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 632.569930][ T73] team0 (unregistering): Port device team_slave_1 removed [ 632.778849][ T73] team0 (unregistering): Port device team_slave_0 removed [ 634.557087][T15902] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 634.566031][T15902] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 635.238265][T15752] hsr_slave_0: entered promiscuous mode [ 635.244905][T15752] hsr_slave_1: entered promiscuous mode [ 635.308069][T15904] IPVS: sync thread started: state = MASTER, mcast_ifn = wg2, syncid = 0, id = 0 [ 635.453902][T15908] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 635.853701][ T73] IPVS: stop unused estimator thread 0... [ 636.198877][T15924] /dev/rnullb0: Can't open blockdev [ 636.303196][T15928] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 636.326760][T15928] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 636.350430][T15930] /dev/rnullb0: Can't open blockdev [ 636.599838][ T24] usb 3-1: new high-speed USB device number 21 using dummy_hcd [ 636.749382][ T24] usb 3-1: device descriptor read/64, error -71 [ 636.829746][T15752] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 636.870469][T15752] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 636.936717][T15752] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 636.964383][T15752] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 637.178320][T15952] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 637.193532][T15752] 8021q: adding VLAN 0 to HW filter on device bond0 [ 637.207156][T15952] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 637.226507][T15952] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 637.252256][ T24] usb 3-1: new high-speed USB device number 22 using dummy_hcd [ 637.256116][T15952] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 637.271062][T15752] 8021q: adding VLAN 0 to HW filter on device team0 [ 637.288865][ T73] bridge0: port 1(bridge_slave_0) entered blocking state [ 637.296081][ T73] bridge0: port 1(bridge_slave_0) entered forwarding state [ 637.324159][ T73] bridge0: port 2(bridge_slave_1) entered blocking state [ 637.331407][ T73] bridge0: port 2(bridge_slave_1) entered forwarding state [ 637.405737][ T24] usb 3-1: device descriptor read/64, error -71 [ 637.528274][ T24] usb usb3-port1: attempt power cycle [ 637.610916][T15961] netlink: 16 bytes leftover after parsing attributes in process `syz.1.3407'. [ 637.626229][T15961] netlink: 16 bytes leftover after parsing attributes in process `syz.1.3407'. [ 637.753463][T15966] FAULT_INJECTION: forcing a failure. [ 637.753463][T15966] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 637.767995][T15966] CPU: 0 UID: 0 PID: 15966 Comm: syz.1.3408 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 637.768027][T15966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 637.768042][T15966] Call Trace: [ 637.768053][T15966] [ 637.768064][T15966] dump_stack_lvl+0x189/0x250 [ 637.768102][T15966] ? __pfx____ratelimit+0x10/0x10 [ 637.768127][T15966] ? __pfx_dump_stack_lvl+0x10/0x10 [ 637.768160][T15966] ? __pfx__printk+0x10/0x10 [ 637.768193][T15966] ? __might_fault+0xb0/0x130 [ 637.768240][T15966] should_fail_ex+0x414/0x560 [ 637.768279][T15966] _copy_from_user+0x2d/0xb0 [ 637.768313][T15966] kvm_arch_vcpu_ioctl+0xcff/0x2a40 [ 637.768343][T15966] ? __lock_acquire+0xab9/0xd20 [ 637.768369][T15966] ? kvm_arch_vcpu_ioctl+0xcbf/0x2a40 [ 637.768397][T15966] ? __pfx_kvm_arch_vcpu_ioctl+0x10/0x10 [ 637.768428][T15966] ? __lock_acquire+0xab9/0xd20 [ 637.768477][T15966] ? is_bpf_text_address+0x26/0x2b0 [ 637.768510][T15966] ? is_bpf_text_address+0x292/0x2b0 [ 637.768535][T15966] ? is_bpf_text_address+0x26/0x2b0 [ 637.768565][T15966] ? kernel_text_address+0xa5/0xe0 [ 637.768589][T15966] ? __kernel_text_address+0xd/0x40 [ 637.768611][T15966] ? unwind_get_return_address+0x4d/0x90 [ 637.768642][T15966] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 637.768676][T15966] ? arch_stack_walk+0xfc/0x150 [ 637.768721][T15966] ? stack_trace_save+0x9c/0xe0 [ 637.768758][T15966] ? stack_depot_save_flags+0x40/0x900 [ 637.768804][T15966] ? kasan_save_track+0x4f/0x80 [ 637.768833][T15966] ? kasan_save_track+0x3e/0x80 [ 637.768874][T15966] ? __lock_acquire+0xab9/0xd20 [ 637.768917][T15966] ? __mutex_trylock_common+0x153/0x260 [ 637.768952][T15966] ? __pfx___mutex_trylock_common+0x10/0x10 [ 637.768990][T15966] ? rcu_is_watching+0x15/0xb0 [ 637.769021][T15966] ? trace_contention_end+0x39/0x120 [ 637.769054][T15966] ? __mutex_lock+0x330/0xe80 [ 637.769083][T15966] ? kasan_quarantine_put+0xdd/0x220 [ 637.769119][T15966] ? kvm_vcpu_ioctl+0x22e/0xe90 [ 637.769155][T15966] ? __pfx___mutex_lock+0x10/0x10 [ 637.769182][T15966] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 637.769216][T15966] ? do_vfs_ioctl+0xbe8/0x1430 [ 637.769253][T15966] ? __pfx_do_vfs_ioctl+0x10/0x10 [ 637.769289][T15966] kvm_vcpu_ioctl+0x74d/0xe90 [ 637.769330][T15966] ? __pfx_kvm_vcpu_ioctl+0x10/0x10 [ 637.769361][T15966] ? __lock_acquire+0xab9/0xd20 [ 637.769409][T15966] ? __fget_files+0x2a/0x420 [ 637.769437][T15966] ? __fget_files+0x2a/0x420 [ 637.769462][T15966] ? __fget_files+0x3a0/0x420 [ 637.769485][T15966] ? __fget_files+0x2a/0x420 [ 637.769514][T15966] ? bpf_lsm_file_ioctl+0x9/0x20 [ 637.769544][T15966] ? __pfx_kvm_vcpu_ioctl+0x10/0x10 [ 637.769578][T15966] __se_sys_ioctl+0xf9/0x170 [ 637.769615][T15966] do_syscall_64+0xfa/0x3b0 [ 637.769639][T15966] ? lockdep_hardirqs_on+0x9c/0x150 [ 637.769663][T15966] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 637.769687][T15966] ? clear_bhb_loop+0x60/0xb0 [ 637.769715][T15966] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 637.769737][T15966] RIP: 0033:0x7f542f98e929 [ 637.769758][T15966] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 637.769778][T15966] RSP: 002b:00007f543089d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 637.769803][T15966] RAX: ffffffffffffffda RBX: 00007f542fbb5fa0 RCX: 00007f542f98e929 [ 637.769820][T15966] RDX: 0000200000000040 RSI: 00000000c008ae88 RDI: 0000000000000005 [ 637.769835][T15966] RBP: 00007f543089d090 R08: 0000000000000000 R09: 0000000000000000 [ 637.769850][T15966] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 637.769864][T15966] R13: 0000000000000000 R14: 00007f542fbb5fa0 R15: 00007ffc5c8984c8 [ 637.769907][T15966] [ 638.136988][ C0] vkms_vblank_simulate: vblank timer overrun [ 638.211318][ T24] usb 3-1: new high-speed USB device number 23 using dummy_hcd [ 638.228557][T15752] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 638.262943][ T24] usb 3-1: device descriptor read/8, error -71 [ 638.520827][ T24] usb 3-1: new high-speed USB device number 24 using dummy_hcd [ 638.587423][ T24] usb 3-1: device descriptor read/8, error -71 [ 638.625591][T15983] /dev/rnullb0: Can't open blockdev [ 638.727697][ T24] usb usb3-port1: unable to enumerate USB device [ 638.815005][T15989] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 638.844112][T15989] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 639.075572][T15752] veth0_vlan: entered promiscuous mode [ 639.104198][T15752] veth1_vlan: entered promiscuous mode [ 639.208156][T15752] veth0_macvtap: entered promiscuous mode [ 639.240262][T15752] veth1_macvtap: entered promiscuous mode [ 639.354680][T15752] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 639.388732][T15752] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 639.435365][ T73] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 639.455498][ T73] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 639.519273][ T73] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 639.546653][ T73] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 639.828316][ T1003] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 639.852141][ T1003] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 639.918860][ T49] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 639.955829][T16010] /dev/rnullb0: Can't open blockdev [ 639.966239][ T49] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 640.733065][ T5903] hid-generic 0000:0000:0000.0026: unknown main item tag 0x0 [ 640.761984][ T5903] hid-generic 0000:0000:0000.0026: hidraw0: HID v0.00 Device [syz1] on syz0 [ 640.785719][ T24] usb 3-1: new high-speed USB device number 25 using dummy_hcd [ 640.806007][ T43] usb 5-1: new high-speed USB device number 107 using dummy_hcd [ 640.957904][T16035] fido_id[16035]: Failed to open report descriptor at '/sys/devices/virtual/misc/uhid/report_descriptor': No such file or directory [ 641.012074][ T24] usb 3-1: device descriptor read/64, error -71 [ 641.025611][ T43] usb 5-1: Using ep0 maxpacket: 8 [ 641.037353][ T43] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x8D has an invalid bInterval 42, changing to 9 [ 641.065479][ T43] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 641.075238][ T43] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 0 [ 641.105503][ T43] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x8B has invalid maxpacket 12592, setting to 1024 [ 641.136636][ T43] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x8B has invalid maxpacket 1024 [ 641.155701][ T43] usb 5-1: New USB device found, idVendor=05ac, idProduct=8215, bcdDevice=8f.58 [ 641.164823][ T43] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 641.199004][ T43] usb 5-1: config 0 descriptor?? [ 641.206670][T16031] raw-gadget.1 gadget.4: fail, usb_ep_enable returned -22 [ 641.265742][ T24] usb 3-1: new high-speed USB device number 26 using dummy_hcd [ 641.435563][ T24] usb 3-1: device descriptor read/64, error -71 [ 641.453510][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.461105][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.468289][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.475170][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.483668][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.493751][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.501215][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.508594][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.515523][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.522435][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.529376][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.539989][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.546925][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.553802][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.560879][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.567787][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.574667][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.581643][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.588703][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.595645][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.602938][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.609893][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.617112][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.624019][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.630934][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.638613][ T24] usb usb3-port1: attempt power cycle [ 641.645537][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.652576][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.659567][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.666460][ T51] Bluetooth: hci2: Received unexpected HCI Event 0x00 [ 641.672985][ T9] usb 5-1: USB disconnect, device number 107 [ 641.679618][ T5167] Bluetooth: hci2: Opcode 0x0c03 failed: -71 [ 642.038402][ T24] usb 3-1: new high-speed USB device number 27 using dummy_hcd [ 642.080810][ T24] usb 3-1: device descriptor read/8, error -71 [ 642.273844][T16064] /dev/rnullb0: Can't open blockdev [ 642.351405][T16068] /dev/rnullb0: Can't open blockdev [ 642.375715][ T24] usb 3-1: new high-speed USB device number 28 using dummy_hcd [ 642.391462][T16070] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 642.406736][ T24] usb 3-1: device descriptor read/8, error -71 [ 642.430230][T16070] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 642.515986][ T24] usb usb3-port1: unable to enumerate USB device [ 642.875778][ T24] usb 5-1: new full-speed USB device number 108 using dummy_hcd [ 643.040318][ T24] usb 5-1: config 0 has an invalid interface number: 251 but max is 0 [ 643.050374][ T24] usb 5-1: config 0 has no interface number 0 [ 643.062796][ T24] usb 5-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=f7.f4 [ 643.073954][ T24] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 643.082095][ T24] usb 5-1: Product: syz [ 643.087643][ T24] usb 5-1: Manufacturer: syz [ 643.092291][ T24] usb 5-1: SerialNumber: syz [ 643.100495][ T24] usb 5-1: config 0 descriptor?? [ 643.454329][T16102] netlink: 'syz.3.3432': attribute type 4 has an invalid length. [ 643.471754][T16102] netlink: 17 bytes leftover after parsing attributes in process `syz.3.3432'. [ 643.504816][T16102] netlink: 128 bytes leftover after parsing attributes in process `syz.3.3432'. [ 643.718510][T16111] netlink: 'syz.2.3433': attribute type 39 has an invalid length. [ 643.939068][ T24] asix 5-1:0.251 (unnamed net_device) (uninitialized): Failed to read reg index 0x0000: -71 [ 643.966539][ T24] asix 5-1:0.251 (unnamed net_device) (uninitialized): Error reading PHY_ID register: ffffffb9 [ 643.986198][ T24] asix 5-1:0.251: probe with driver asix failed with error -71 [ 644.011451][T16119] FAULT_INJECTION: forcing a failure. [ 644.011451][T16119] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 644.017208][ T24] usb 5-1: USB disconnect, device number 108 [ 644.029844][T16119] CPU: 0 UID: 0 PID: 16119 Comm: syz.1.3439 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 644.029880][T16119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 644.029895][T16119] Call Trace: [ 644.029908][T16119] [ 644.029919][T16119] dump_stack_lvl+0x189/0x250 [ 644.029962][T16119] ? __pfx____ratelimit+0x10/0x10 [ 644.029991][T16119] ? __pfx_dump_stack_lvl+0x10/0x10 [ 644.030027][T16119] ? __pfx__printk+0x10/0x10 [ 644.030084][T16119] should_fail_ex+0x414/0x560 [ 644.030128][T16119] _copy_to_user+0x31/0xb0 [ 644.030168][T16119] simple_read_from_buffer+0xe1/0x170 [ 644.030201][T16119] proc_fail_nth_read+0x1df/0x250 [ 644.030239][T16119] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 644.030275][T16119] ? rw_verify_area+0x258/0x650 [ 644.030312][T16119] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 644.030347][T16119] vfs_read+0x200/0x980 [ 644.030400][T16119] ? __pfx___mutex_lock+0x10/0x10 [ 644.030430][T16119] ? __pfx_vfs_read+0x10/0x10 [ 644.030471][T16119] ? __fget_files+0x2a/0x420 [ 644.030505][T16119] ? __fget_files+0x3a0/0x420 [ 644.030530][T16119] ? __fget_files+0x2a/0x420 [ 644.030570][T16119] ksys_read+0x145/0x250 [ 644.030590][T16119] ? __fget_files+0x3a0/0x420 [ 644.030620][T16119] ? __pfx_ksys_read+0x10/0x10 [ 644.030665][T16119] ? do_syscall_64+0xbe/0x3b0 [ 644.030694][T16119] do_syscall_64+0xfa/0x3b0 [ 644.030718][T16119] ? lockdep_hardirqs_on+0x9c/0x150 [ 644.030740][T16119] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 644.030762][T16119] ? clear_bhb_loop+0x60/0xb0 [ 644.030790][T16119] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 644.030812][T16119] RIP: 0033:0x7f542f98d33c [ 644.030832][T16119] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 93 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 ef 93 02 00 48 [ 644.030851][T16119] RSP: 002b:00007f543089d030 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 644.030874][T16119] RAX: ffffffffffffffda RBX: 00007f542fbb5fa0 RCX: 00007f542f98d33c [ 644.030890][T16119] RDX: 000000000000000f RSI: 00007f543089d0a0 RDI: 0000000000000004 [ 644.030903][T16119] RBP: 00007f543089d090 R08: 0000000000000000 R09: 0000000000000000 [ 644.030917][T16119] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 644.030930][T16119] R13: 0000000000000000 R14: 00007f542fbb5fa0 R15: 00007ffc5c8984c8 [ 644.030966][T16119] [ 644.505533][ T9] usb 2-1: new high-speed USB device number 30 using dummy_hcd [ 644.645692][ T9] usb 2-1: device descriptor read/64, error -71 [ 644.763993][T16140] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 644.776725][T16140] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 644.787198][T16140] /dev/rnullb0: Can't open blockdev [ 644.866873][T16142] netlink: 48 bytes leftover after parsing attributes in process `syz.4.3449'. [ 644.905564][ T9] usb 2-1: new high-speed USB device number 31 using dummy_hcd [ 644.949115][T16144] /dev/rnullb0: Can't open blockdev [ 645.056383][ T9] usb 2-1: device descriptor read/64, error -71 [ 645.094130][T16146] FAULT_INJECTION: forcing a failure. [ 645.094130][T16146] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 645.107838][T16146] CPU: 0 UID: 0 PID: 16146 Comm: syz.4.3451 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 645.107864][T16146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 645.107874][T16146] Call Trace: [ 645.107881][T16146] [ 645.107888][T16146] dump_stack_lvl+0x189/0x250 [ 645.107923][T16146] ? __pfx____ratelimit+0x10/0x10 [ 645.107947][T16146] ? __pfx_dump_stack_lvl+0x10/0x10 [ 645.107977][T16146] ? __pfx__printk+0x10/0x10 [ 645.108007][T16146] ? __might_fault+0xb0/0x130 [ 645.108038][T16146] should_fail_ex+0x414/0x560 [ 645.108073][T16146] _copy_from_user+0x2d/0xb0 [ 645.108107][T16146] blkdev_pr_register+0x1a1/0x290 [ 645.108137][T16146] ? __pfx_blkdev_pr_register+0x10/0x10 [ 645.108169][T16146] ? blkdev_common_ioctl+0x8ef/0xc40 [ 645.108190][T16146] blkdev_ioctl+0x4ef/0x6d0 [ 645.108212][T16146] ? __pfx_blkdev_ioctl+0x10/0x10 [ 645.108237][T16146] ? __fget_files+0x2a/0x420 [ 645.108265][T16146] ? bpf_lsm_file_ioctl+0x9/0x20 [ 645.108293][T16146] ? __pfx_blkdev_ioctl+0x10/0x10 [ 645.108317][T16146] __se_sys_ioctl+0xf9/0x170 [ 645.108342][T16146] do_syscall_64+0xfa/0x3b0 [ 645.108358][T16146] ? lockdep_hardirqs_on+0x9c/0x150 [ 645.108381][T16146] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 645.108404][T16146] ? clear_bhb_loop+0x60/0xb0 [ 645.108429][T16146] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 645.108450][T16146] RIP: 0033:0x7f4dfdf8e929 [ 645.108473][T16146] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 645.108487][T16146] RSP: 002b:00007f4dfed95038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 645.108503][T16146] RAX: ffffffffffffffda RBX: 00007f4dfe1b5fa0 RCX: 00007f4dfdf8e929 [ 645.108515][T16146] RDX: 0000000000000000 RSI: 00000000401870c8 RDI: 0000000000000004 [ 645.108530][T16146] RBP: 00007f4dfed95090 R08: 0000000000000000 R09: 0000000000000000 [ 645.108546][T16146] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 645.108560][T16146] R13: 0000000000000000 R14: 00007f4dfe1b5fa0 R15: 00007ffdd6a9c2f8 [ 645.108590][T16146] [ 645.327030][ T9] usb usb2-port1: attempt power cycle [ 645.665685][ T9] usb 2-1: new high-speed USB device number 32 using dummy_hcd [ 645.700259][ T9] usb 2-1: device descriptor read/8, error -71 [ 645.825534][T12722] usb 3-1: new high-speed USB device number 29 using dummy_hcd [ 645.945576][ T9] usb 2-1: new high-speed USB device number 33 using dummy_hcd [ 645.966218][ T9] usb 2-1: device descriptor read/8, error -71 [ 645.980458][T12722] usb 3-1: config 27 interface 0 altsetting 0 endpoint 0x8B has an invalid bInterval 0, changing to 7 [ 645.991887][T12722] usb 3-1: config 27 interface 0 altsetting 0 endpoint 0xB has invalid wMaxPacketSize 0 [ 646.002131][T12722] usb 3-1: config 27 interface 0 altsetting 0 bulk endpoint 0xB has invalid maxpacket 0 [ 646.012289][T12722] usb 3-1: New USB device found, idVendor=0582, idProduct=0014, bcdDevice=bb.9d [ 646.022425][T12722] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 646.050229][T12722] usb 3-1: Quirk or no altset; falling back to MIDI 1.0 [ 646.077720][ T9] usb usb2-port1: unable to enumerate USB device [ 646.147004][T16166] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 646.157115][T15792] udevd[15792]: error opening ATTR{/sys/devices/platform/dummy_hcd.2/usb3/3-1/3-1:27.0/sound/card3/controlC3/../uevent} for writing: No such file or directory [ 646.195884][T16166] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 646.210292][T16168] /dev/rnullb0: Can't open blockdev [ 646.212027][T12722] snd-usb-audio 3-1:27.0: probe with driver snd-usb-audio failed with error -12 [ 646.220106][T16168] /dev/rnullb0: Can't open blockdev [ 646.234079][T16168] /dev/rnullb0: Can't open blockdev [ 646.248128][T16168] /dev/rnullb0: Can't open blockdev [ 646.253403][T12722] usb 3-1: USB disconnect, device number 29 [ 646.270445][T16168] /dev/rnullb0: Can't open blockdev [ 646.293793][T16168] /dev/rnullb0: Can't open blockdev [ 646.303873][T16168] /dev/rnullb0: Can't open blockdev [ 646.314975][T16168] /dev/rnullb0: Can't open blockdev [ 646.324678][T16168] /dev/rnullb0: Can't open blockdev [ 646.339268][T16168] /dev/rnullb0: Can't open blockdev [ 646.351008][T16168] /dev/rnullb0: Can't open blockdev [ 646.357107][T16168] /dev/rnullb0: Can't open blockdev [ 646.363036][T16168] /dev/rnullb0: Can't open blockdev [ 646.372021][T16168] /dev/rnullb0: Can't open blockdev [ 646.379411][T16168] /dev/rnullb0: Can't open blockdev [ 646.385243][T16168] /dev/rnullb0: Can't open blockdev [ 646.394008][T16168] /dev/rnullb0: Can't open blockdev [ 646.401449][T16168] /dev/rnullb0: Can't open blockdev [ 646.408007][T16168] /dev/rnullb0: Can't open blockdev [ 646.414945][T16168] /dev/rnullb0: Can't open blockdev [ 646.421471][T16168] /dev/rnullb0: Can't open blockdev [ 646.427806][T16168] /dev/rnullb0: Can't open blockdev [ 646.433701][T16168] /dev/rnullb0: Can't open blockdev [ 646.456274][T16168] /dev/rnullb0: Can't open blockdev [ 646.462259][T16168] /dev/rnullb0: Can't open blockdev [ 646.472057][T16168] /dev/rnullb0: Can't open blockdev [ 646.478374][T16168] /dev/rnullb0: Can't open blockdev [ 646.484565][T16168] /dev/rnullb0: Can't open blockdev [ 646.492327][T16168] /dev/rnullb0: Can't open blockdev [ 646.501161][T16168] /dev/rnullb0: Can't open blockdev [ 646.510375][T16168] /dev/rnullb0: Can't open blockdev [ 646.519235][T16168] /dev/rnullb0: Can't open blockdev [ 646.534627][T16168] /dev/rnullb0: Can't open blockdev [ 646.631419][T16175] FAULT_INJECTION: forcing a failure. [ 646.631419][T16175] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 646.644715][T16175] CPU: 0 UID: 0 PID: 16175 Comm: syz.4.3461 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 646.644738][T16175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 646.644748][T16175] Call Trace: [ 646.644756][T16175] [ 646.644764][T16175] dump_stack_lvl+0x189/0x250 [ 646.644803][T16175] ? __pfx____ratelimit+0x10/0x10 [ 646.644828][T16175] ? __pfx_dump_stack_lvl+0x10/0x10 [ 646.644858][T16175] ? __pfx__printk+0x10/0x10 [ 646.644895][T16175] should_fail_ex+0x414/0x560 [ 646.644923][T16175] _copy_to_user+0x31/0xb0 [ 646.644961][T16175] video_usercopy+0xeb2/0x14f0 [ 646.644999][T16175] ? __pfx___video_do_ioctl+0x10/0x10 [ 646.645027][T16175] ? __pfx_video_usercopy+0x10/0x10 [ 646.645054][T16175] ? __fget_files+0x2a/0x420 [ 646.645075][T16175] ? __fget_files+0x2a/0x420 [ 646.645105][T16175] ? __fget_files+0x3a0/0x420 [ 646.645134][T16175] v4l2_ioctl+0x18d/0x1e0 [ 646.645160][T16175] ? __pfx_v4l2_ioctl+0x10/0x10 [ 646.645185][T16175] __se_sys_ioctl+0xf9/0x170 [ 646.645211][T16175] do_syscall_64+0xfa/0x3b0 [ 646.645229][T16175] ? lockdep_hardirqs_on+0x9c/0x150 [ 646.645253][T16175] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 646.645276][T16175] ? clear_bhb_loop+0x60/0xb0 [ 646.645302][T16175] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 646.645325][T16175] RIP: 0033:0x7f4dfdf8e929 [ 646.645341][T16175] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 646.645356][T16175] RSP: 002b:00007f4dfed95038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 646.645382][T16175] RAX: ffffffffffffffda RBX: 00007f4dfe1b5fa0 RCX: 00007f4dfdf8e929 [ 646.645398][T16175] RDX: 0000200000000100 RSI: 00000000c0d05605 RDI: 0000000000000003 [ 646.645413][T16175] RBP: 00007f4dfed95090 R08: 0000000000000000 R09: 0000000000000000 [ 646.645427][T16175] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 646.645439][T16175] R13: 0000000000000000 R14: 00007f4dfe1b5fa0 R15: 00007ffdd6a9c2f8 [ 646.645471][T16175] [ 647.008791][T16179] ./file0: Can't lookup blockdev [ 647.320354][T16184] netlink: 'syz.1.3465': attribute type 19 has an invalid length. [ 647.390389][T16190] /dev/rnullb0: Can't open blockdev [ 647.643524][T12860] usb 2-1: new high-speed USB device number 34 using dummy_hcd [ 647.786533][T12860] usb 2-1: device descriptor read/64, error -71 [ 647.803556][ T30] audit: type=1326 audit(1751723562.031:60): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16200 comm="syz.3.3472" exe="/root/syz-executor" sig=9 arch=c000003e syscall=231 compat=0 ip=0x7fe05bf8e929 code=0x0 [ 647.868826][T16203] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 647.879004][T16203] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 648.025670][ T9] usb 5-1: new high-speed USB device number 109 using dummy_hcd [ 648.055499][T12860] usb 2-1: new high-speed USB device number 35 using dummy_hcd [ 648.185559][ T9] usb 5-1: Using ep0 maxpacket: 32 [ 648.192604][ T9] usb 5-1: config 0 has an invalid interface number: 125 but max is 0 [ 648.203729][T12722] usb 3-1: new high-speed USB device number 30 using dummy_hcd [ 648.205636][T12860] usb 2-1: device descriptor read/64, error -71 [ 648.217652][ T9] usb 5-1: config 0 has no interface number 0 [ 648.217718][ T9] usb 5-1: config 0 interface 125 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 12 [ 648.242009][ T9] usb 5-1: New USB device found, idVendor=1039, idProduct=2120, bcdDevice= 2.a7 [ 648.251315][ T9] usb 5-1: New USB device strings: Mfr=249, Product=255, SerialNumber=3 [ 648.260155][ T9] usb 5-1: Product: syz [ 648.264344][ T9] usb 5-1: Manufacturer: syz [ 648.269036][ T9] usb 5-1: SerialNumber: syz [ 648.276651][ T9] usb 5-1: config 0 descriptor?? [ 648.336965][T12860] usb usb2-port1: attempt power cycle [ 648.375651][T12722] usb 3-1: device descriptor read/64, error -71 [ 648.494709][ T9] usb 5-1: [ueagle-atm] ADSL device founded vid (0X1039) pid (0X2120) Rev (0X2A7): Eagle II [ 648.635705][T12722] usb 3-1: new high-speed USB device number 31 using dummy_hcd [ 648.675582][T12860] usb 2-1: new high-speed USB device number 36 using dummy_hcd [ 648.707447][T12860] usb 2-1: device descriptor read/8, error -71 [ 648.775562][T12722] usb 3-1: device descriptor read/64, error -71 [ 648.886044][T12722] usb usb3-port1: attempt power cycle [ 648.945545][T12860] usb 2-1: new high-speed USB device number 37 using dummy_hcd [ 648.966762][T12860] usb 2-1: device descriptor read/8, error -71 [ 649.076599][T12860] usb usb2-port1: unable to enumerate USB device [ 649.125572][ T9] usb 5-1: reset high-speed USB device number 109 using dummy_hcd [ 649.225490][T12722] usb 3-1: new high-speed USB device number 32 using dummy_hcd [ 649.246300][T12722] usb 3-1: device descriptor read/8, error -71 [ 649.485609][T12722] usb 3-1: new high-speed USB device number 33 using dummy_hcd [ 649.506361][T12722] usb 3-1: device descriptor read/8, error -71 [ 649.520363][ T9] ueagle-atm 5-1:0.125: usbatm_usb_probe: bind failed: -19! [ 649.541656][ T9] usb 5-1: USB disconnect, device number 109 [ 649.615878][T12722] usb usb3-port1: unable to enumerate USB device [ 650.507858][T16220] comedi comedi3: s526: a I/O base address must be specified [ 650.521928][T16220] FAULT_INJECTION: forcing a failure. [ 650.521928][T16220] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 650.535294][T16220] CPU: 1 UID: 0 PID: 16220 Comm: syz.1.3478 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 650.535327][T16220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 650.535341][T16220] Call Trace: [ 650.535351][T16220] [ 650.535361][T16220] dump_stack_lvl+0x189/0x250 [ 650.535402][T16220] ? __pfx____ratelimit+0x10/0x10 [ 650.535427][T16220] ? __pfx_dump_stack_lvl+0x10/0x10 [ 650.535458][T16220] ? __pfx__printk+0x10/0x10 [ 650.535505][T16220] should_fail_ex+0x414/0x560 [ 650.535546][T16220] _copy_to_user+0x31/0xb0 [ 650.535580][T16220] simple_read_from_buffer+0xe1/0x170 [ 650.535610][T16220] proc_fail_nth_read+0x1df/0x250 [ 650.535644][T16220] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 650.535672][T16220] ? rw_verify_area+0x258/0x650 [ 650.535704][T16220] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 650.535733][T16220] vfs_read+0x200/0x980 [ 650.535771][T16220] ? __pfx___mutex_lock+0x10/0x10 [ 650.535795][T16220] ? __pfx_vfs_read+0x10/0x10 [ 650.535829][T16220] ? __fget_files+0x2a/0x420 [ 650.535859][T16220] ? __fget_files+0x3a0/0x420 [ 650.535882][T16220] ? __fget_files+0x2a/0x420 [ 650.535924][T16220] ksys_read+0x145/0x250 [ 650.535949][T16220] ? __pfx_ksys_read+0x10/0x10 [ 650.535980][T16220] ? rcu_is_watching+0x15/0xb0 [ 650.536015][T16220] ? do_syscall_64+0xbe/0x3b0 [ 650.536046][T16220] do_syscall_64+0xfa/0x3b0 [ 650.536069][T16220] ? lockdep_hardirqs_on+0x9c/0x150 [ 650.536094][T16220] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 650.536116][T16220] ? clear_bhb_loop+0x60/0xb0 [ 650.536145][T16220] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 650.536167][T16220] RIP: 0033:0x7f542f98d33c [ 650.536188][T16220] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 93 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 ef 93 02 00 48 [ 650.536208][T16220] RSP: 002b:00007f543089d030 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 650.536232][T16220] RAX: ffffffffffffffda RBX: 00007f542fbb5fa0 RCX: 00007f542f98d33c [ 650.536250][T16220] RDX: 000000000000000f RSI: 00007f543089d0a0 RDI: 0000000000000004 [ 650.536265][T16220] RBP: 00007f543089d090 R08: 0000000000000000 R09: 0000000000000000 [ 650.536280][T16220] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 650.536294][T16220] R13: 0000000000000000 R14: 00007f542fbb5fa0 R15: 00007ffc5c8984c8 [ 650.536344][T16220] [ 650.887988][T16225] FAULT_INJECTION: forcing a failure. [ 650.887988][T16225] name failslab, interval 1, probability 0, space 0, times 0 [ 650.901265][T16225] CPU: 0 UID: 0 PID: 16225 Comm: syz.1.3481 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 650.901299][T16225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 650.901315][T16225] Call Trace: [ 650.901323][T16225] [ 650.901331][T16225] dump_stack_lvl+0x189/0x250 [ 650.901363][T16225] ? __pfx____ratelimit+0x10/0x10 [ 650.901384][T16225] ? __pfx_dump_stack_lvl+0x10/0x10 [ 650.901409][T16225] ? __pfx__printk+0x10/0x10 [ 650.901444][T16225] ? __rt6_find_exception_rcu+0x127/0x4c0 [ 650.901480][T16225] should_fail_ex+0x414/0x560 [ 650.901511][T16225] should_failslab+0xa8/0x100 [ 650.901528][T16225] ? __pfx_ip6_dst_gc+0x10/0x10 [ 650.901545][T16225] kmem_cache_alloc_noprof+0x73/0x3c0 [ 650.901575][T16225] ? dst_alloc+0x105/0x170 [ 650.901603][T16225] ? __pfx_ip6_dst_gc+0x10/0x10 [ 650.901622][T16225] dst_alloc+0x105/0x170 [ 650.901652][T16225] ip6_pol_route+0xa21/0x1180 [ 650.901672][T16225] ? ip6_pol_route+0x162/0x1180 [ 650.901696][T16225] ? __pfx_ip6_pol_route+0x10/0x10 [ 650.901728][T16225] ? kasan_save_track+0x4f/0x80 [ 650.901752][T16225] ? __kasan_slab_alloc+0x6c/0x80 [ 650.901775][T16225] ? kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 650.901800][T16225] ? dev_queue_xmit_nit+0x416/0xcc0 [ 650.901826][T16225] fib6_rule_lookup+0x348/0x6f0 [ 650.901851][T16225] ? __pfx_ip6_pol_route_output+0x10/0x10 [ 650.901874][T16225] ? __pfx_fib6_rule_lookup+0x10/0x10 [ 650.901896][T16225] ? ip6_route_output_flags+0x2e/0x5d0 [ 650.901919][T16225] ? ip6_route_output_flags+0x2e/0x5d0 [ 650.901941][T16225] ? __pfx___xfrm_decode_session+0x10/0x10 [ 650.901980][T16225] ip6_route_output_flags+0x364/0x5d0 [ 650.902006][T16225] ? ip6_route_output_flags+0x2e/0x5d0 [ 650.902029][T16225] vti6_tnl_xmit+0x6d9/0x1a70 [ 650.902069][T16225] ? __pfx_vti6_tnl_xmit+0x10/0x10 [ 650.902109][T16225] dev_hard_start_xmit+0x2d7/0x830 [ 650.902155][T16225] __dev_queue_xmit+0x1adf/0x3a70 [ 650.902192][T16225] ? __dev_queue_xmit+0x27e/0x3a70 [ 650.902237][T16225] ? __pfx___dev_queue_xmit+0x10/0x10 [ 650.902263][T16225] ? _copy_from_iter+0x24c/0x16f0 [ 650.902293][T16225] ? sock_alloc_send_pskb+0x875/0x990 [ 650.902327][T16225] ? packet_parse_headers+0x7ff/0xb60 [ 650.902344][T16225] ? packet_parse_headers+0x88c/0xb60 [ 650.902366][T16225] ? __pfx_sock_alloc_send_pskb+0x10/0x10 [ 650.902393][T16225] ? __pfx_packet_parse_headers+0x10/0x10 [ 650.902417][T16225] ? skb_copy_datagram_from_iter+0x60c/0x720 [ 650.902449][T16225] ? packet_xmit+0x68/0x330 [ 650.902480][T16225] packet_sendmsg+0x41d4/0x5410 [ 650.902515][T16225] ? __pfx_aa_label_sk_perm+0x10/0x10 [ 650.902563][T16225] ? __pfx___might_resched+0x10/0x10 [ 650.902587][T16225] ? __lock_acquire+0xab9/0xd20 [ 650.902620][T16225] ? __pfx_packet_sendmsg+0x10/0x10 [ 650.902642][T16225] ? aa_sk_perm+0x81e/0x950 [ 650.902671][T16225] ? tomoyo_socket_sendmsg_permission+0x1e1/0x300 [ 650.902710][T16225] ? __lock_acquire+0xab9/0xd20 [ 650.902728][T16225] ? aa_sock_msg_perm+0xf1/0x1d0 [ 650.902755][T16225] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 650.902776][T16225] ? __pfx_packet_sendmsg+0x10/0x10 [ 650.902801][T16225] __sock_sendmsg+0x219/0x270 [ 650.902825][T16225] ____sys_sendmsg+0x52d/0x830 [ 650.902858][T16225] ? __pfx_____sys_sendmsg+0x10/0x10 [ 650.902891][T16225] ? import_iovec+0x74/0xa0 [ 650.902920][T16225] ___sys_sendmsg+0x21f/0x2a0 [ 650.902953][T16225] ? __pfx____sys_sendmsg+0x10/0x10 [ 650.903017][T16225] ? __fget_files+0x2a/0x420 [ 650.903036][T16225] ? __fget_files+0x3a0/0x420 [ 650.903065][T16225] __sys_sendmmsg+0x227/0x430 [ 650.903096][T16225] ? __pfx___sys_sendmmsg+0x10/0x10 [ 650.903123][T16225] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 650.903168][T16225] ? ksys_write+0x22a/0x250 [ 650.903187][T16225] ? __pfx_ksys_write+0x10/0x10 [ 650.903201][T16225] ? rcu_is_watching+0x15/0xb0 [ 650.903230][T16225] __x64_sys_sendmmsg+0xa0/0xc0 [ 650.903262][T16225] do_syscall_64+0xfa/0x3b0 [ 650.903282][T16225] ? lockdep_hardirqs_on+0x9c/0x150 [ 650.903300][T16225] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 650.903318][T16225] ? clear_bhb_loop+0x60/0xb0 [ 650.903339][T16225] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 650.903356][T16225] RIP: 0033:0x7f542f98e929 [ 650.903372][T16225] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 650.903392][T16225] RSP: 002b:00007f543089d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 650.903411][T16225] RAX: ffffffffffffffda RBX: 00007f542fbb5fa0 RCX: 00007f542f98e929 [ 650.903424][T16225] RDX: 0000000000000001 RSI: 0000200000000440 RDI: 0000000000000005 [ 650.903436][T16225] RBP: 00007f543089d090 R08: 0000000000000000 R09: 0000000000000000 [ 650.903447][T16225] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 650.903458][T16225] R13: 0000000000000000 R14: 00007f542fbb5fa0 R15: 00007ffc5c8984c8 [ 650.903485][T16225] [ 651.374483][ C0] vkms_vblank_simulate: vblank timer overrun [ 651.407812][T16227] comedi comedi3: dt2815: a I/O base address must be specified [ 651.660356][T16237] syz.1.3484: attempt to access beyond end of device [ 651.660356][T16237] loop1: rw=0, sector=2, nr_sectors = 2 limit=0 [ 651.701403][T16237] vxfs: unable to read disk superblock at 1 [ 651.889071][T16241] netlink: 8 bytes leftover after parsing attributes in process `syz.3.3486'. [ 651.897846][T16237] syz.1.3484: attempt to access beyond end of device [ 651.897846][T16237] loop1: rw=0, sector=16, nr_sectors = 2 limit=0 [ 651.955643][T16237] vxfs: unable to read disk superblock at 8 [ 651.961686][T16237] vxfs: can't find superblock. [ 652.336535][ T9] usb 5-1: new high-speed USB device number 110 using dummy_hcd [ 652.395117][T16256] /dev/rnullb0: Can't open blockdev [ 652.396568][T12719] usb 3-1: new high-speed USB device number 34 using dummy_hcd [ 652.475505][ T9] usb 5-1: device descriptor read/64, error -71 [ 652.540914][T12719] usb 3-1: device descriptor read/64, error -71 [ 652.696062][T16260] netlink: 24 bytes leftover after parsing attributes in process `syz.3.3496'. [ 652.725558][ T9] usb 5-1: new high-speed USB device number 111 using dummy_hcd [ 652.799931][T12719] usb 3-1: new high-speed USB device number 35 using dummy_hcd [ 652.865653][ T9] usb 5-1: device descriptor read/64, error -71 [ 652.903298][T16263] afs: Unknown parameter 'obj_type' [ 652.945854][T12719] usb 3-1: device descriptor read/64, error -71 [ 652.980723][T16264] /dev/rnullb0: Can't open blockdev [ 652.986989][ T9] usb usb5-port1: attempt power cycle [ 653.057210][T12719] usb usb3-port1: attempt power cycle [ 653.328420][ T9] usb 5-1: new high-speed USB device number 112 using dummy_hcd [ 653.350349][T16271] /dev/rnullb0: Can't open blockdev [ 653.359535][T16272] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 653.368703][T16271] tipc: Enabling of bearer rejected, already enabled [ 653.369200][ T9] usb 5-1: device descriptor read/8, error -71 [ 653.384895][T16272] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 653.415532][T12719] usb 3-1: new high-speed USB device number 36 using dummy_hcd [ 653.446886][T12719] usb 3-1: device descriptor read/8, error -71 [ 653.476505][T16275] /dev/rnullb0: Can't open blockdev [ 653.482482][T16275] /dev/rnullb0: Can't open blockdev [ 653.489641][T16275] /dev/rnullb0: Can't open blockdev [ 653.495567][T16275] /dev/rnullb0: Can't open blockdev [ 653.501412][T16275] /dev/rnullb0: Can't open blockdev [ 653.507364][T16275] /dev/rnullb0: Can't open blockdev [ 653.513221][T16275] /dev/rnullb0: Can't open blockdev [ 653.519187][T16275] /dev/rnullb0: Can't open blockdev [ 653.525035][T16275] /dev/rnullb0: Can't open blockdev [ 653.531002][T16275] /dev/rnullb0: Can't open blockdev [ 653.538026][T16275] /dev/rnullb0: Can't open blockdev [ 653.543892][T16275] /dev/rnullb0: Can't open blockdev [ 653.549891][T16275] /dev/rnullb0: Can't open blockdev [ 653.558779][T16275] /dev/rnullb0: Can't open blockdev [ 653.564610][T16275] /dev/rnullb0: Can't open blockdev [ 653.571554][T16275] /dev/rnullb0: Can't open blockdev [ 653.579356][T16275] /dev/rnullb0: Can't open blockdev [ 653.585198][T16275] /dev/rnullb0: Can't open blockdev [ 653.591384][T16275] /dev/rnullb0: Can't open blockdev [ 653.597233][T16275] /dev/rnullb0: Can't open blockdev [ 653.603102][T16275] /dev/rnullb0: Can't open blockdev [ 653.609102][T16275] /dev/rnullb0: Can't open blockdev [ 653.614927][T16275] /dev/rnullb0: Can't open blockdev [ 653.620360][ T9] usb 5-1: new high-speed USB device number 113 using dummy_hcd [ 653.628785][T16275] /dev/rnullb0: Can't open blockdev [ 653.634676][T16275] /dev/rnullb0: Can't open blockdev [ 653.641870][T16275] /dev/rnullb0: Can't open blockdev [ 653.648508][T16275] /dev/rnullb0: Can't open blockdev [ 653.654397][T16275] /dev/rnullb0: Can't open blockdev [ 653.660947][ T9] usb 5-1: device descriptor read/8, error -71 [ 653.667915][T16275] /dev/rnullb0: Can't open blockdev [ 653.673801][T16275] /dev/rnullb0: Can't open blockdev [ 653.680005][T16275] /dev/rnullb0: Can't open blockdev [ 653.686621][T16275] /dev/rnullb0: Can't open blockdev [ 653.693901][T16275] /dev/rnullb0: Can't open blockdev [ 653.699373][T12719] usb 3-1: new high-speed USB device number 37 using dummy_hcd [ 653.726705][T12719] usb 3-1: device descriptor read/8, error -71 [ 653.759139][T16277] netlink: 'syz.1.3503': attribute type 4 has an invalid length. [ 653.767962][T16277] netlink: 152 bytes leftover after parsing attributes in process `syz.1.3503'. [ 653.785954][ T9] usb usb5-port1: unable to enumerate USB device [ 653.836480][T12719] usb usb3-port1: unable to enumerate USB device [ 654.004917][T16283] netlink: 'syz.1.3506': attribute type 10 has an invalid length. [ 654.097434][T16289] netlink: 8 bytes leftover after parsing attributes in process `syz.1.3508'. [ 654.153174][T16291] Malformed UNC in devname [ 654.153174][T16291] [ 654.160392][T16291] CIFS: VFS: Malformed UNC in devname [ 654.845505][T12719] usb 2-1: new high-speed USB device number 38 using dummy_hcd [ 655.015451][T12719] usb 2-1: Using ep0 maxpacket: 32 [ 655.026882][T12719] usb 2-1: config 0 has an invalid interface number: 125 but max is 0 [ 655.035086][T12719] usb 2-1: config 0 has no interface number 0 [ 655.055853][T12719] usb 2-1: config 0 interface 125 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 12 [ 655.095096][T12719] usb 2-1: New USB device found, idVendor=1039, idProduct=2120, bcdDevice= 2.a7 [ 655.115450][T12719] usb 2-1: New USB device strings: Mfr=249, Product=255, SerialNumber=3 [ 655.123965][T12719] usb 2-1: Product: syz [ 655.139756][T12719] usb 2-1: Manufacturer: syz [ 655.144416][T12719] usb 2-1: SerialNumber: syz [ 655.176552][T12719] usb 2-1: config 0 descriptor?? [ 655.313002][T16302] FAULT_INJECTION: forcing a failure. [ 655.313002][T16302] name failslab, interval 1, probability 0, space 0, times 0 [ 655.355637][T16302] CPU: 0 UID: 0 PID: 16302 Comm: syz.2.3514 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 655.355674][T16302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 655.355688][T16302] Call Trace: [ 655.355698][T16302] [ 655.355708][T16302] dump_stack_lvl+0x189/0x250 [ 655.355746][T16302] ? __pfx____ratelimit+0x10/0x10 [ 655.355772][T16302] ? __pfx_dump_stack_lvl+0x10/0x10 [ 655.355805][T16302] ? __pfx__printk+0x10/0x10 [ 655.355840][T16302] ? __pfx___might_resched+0x10/0x10 [ 655.355870][T16302] ? fs_reclaim_acquire+0x7d/0x100 [ 655.355900][T16302] should_fail_ex+0x414/0x560 [ 655.355939][T16302] should_failslab+0xa8/0x100 [ 655.355963][T16302] __kmalloc_noprof+0xcb/0x4f0 [ 655.355994][T16302] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 655.356021][T16302] ? sock_kmalloc+0xd6/0x160 [ 655.356060][T16302] sock_kmalloc+0xd6/0x160 [ 655.356096][T16302] hash_sendmsg+0x666/0x11d0 [ 655.356145][T16302] ? __pfx_hash_sendmsg+0x10/0x10 [ 655.356171][T16302] __sock_sendmsg+0x219/0x270 [ 655.356198][T16302] ____sys_sendmsg+0x52d/0x830 [ 655.356237][T16302] ? __pfx_____sys_sendmsg+0x10/0x10 [ 655.356279][T16302] ? import_iovec+0x74/0xa0 [ 655.356324][T16302] ___sys_sendmsg+0x21f/0x2a0 [ 655.356360][T16302] ? __pfx____sys_sendmsg+0x10/0x10 [ 655.356432][T16302] ? __fget_files+0x2a/0x420 [ 655.356457][T16302] ? __fget_files+0x3a0/0x420 [ 655.356495][T16302] __sys_sendmmsg+0x227/0x430 [ 655.356534][T16302] ? __pfx___sys_sendmmsg+0x10/0x10 [ 655.356563][T16302] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 655.356620][T16302] ? ksys_write+0x22a/0x250 [ 655.356644][T16302] ? __pfx_ksys_write+0x10/0x10 [ 655.356663][T16302] ? rcu_is_watching+0x15/0xb0 [ 655.356700][T16302] __x64_sys_sendmmsg+0xa0/0xc0 [ 655.356734][T16302] do_syscall_64+0xfa/0x3b0 [ 655.356759][T16302] ? lockdep_hardirqs_on+0x9c/0x150 [ 655.356784][T16302] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 655.356806][T16302] ? clear_bhb_loop+0x60/0xb0 [ 655.356834][T16302] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 655.356856][T16302] RIP: 0033:0x7fc99ef8e929 [ 655.356877][T16302] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 655.356897][T16302] RSP: 002b:00007fc99fd4b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 655.356922][T16302] RAX: ffffffffffffffda RBX: 00007fc99f1b5fa0 RCX: 00007fc99ef8e929 [ 655.356940][T16302] RDX: 0000000000000001 RSI: 0000200000003380 RDI: 0000000000000004 [ 655.356954][T16302] RBP: 00007fc99fd4b090 R08: 0000000000000000 R09: 0000000000000000 [ 655.356969][T16302] R10: 0000000020004000 R11: 0000000000000246 R12: 0000000000000001 [ 655.356983][T16302] R13: 0000000000000000 R14: 00007fc99f1b5fa0 R15: 00007fff9bee33a8 [ 655.357017][T16302] [ 655.636268][ C0] vkms_vblank_simulate: vblank timer overrun [ 655.736290][T12719] usb 2-1: [ueagle-atm] ADSL device founded vid (0X1039) pid (0X2120) Rev (0X2A7): Eagle II [ 655.975824][T12860] usb 5-1: new high-speed USB device number 114 using dummy_hcd [ 656.085617][T12719] usb 2-1: reset high-speed USB device number 38 using dummy_hcd [ 656.151952][T12860] usb 5-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 656.162606][T12860] usb 5-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 656.178578][T12860] usb 5-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 656.190769][T12860] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 656.200281][T12860] usb 5-1: SerialNumber: syz [ 656.421654][T16304] nfs: Unknown parameter '9'sQ647rVLд|+<&"C]}BA' [ 656.486735][T12719] ueagle-atm 2-1:0.125: usbatm_usb_probe: bind failed: -19! [ 656.511476][T12860] usb 5-1: 0:2 : does not exist [ 656.519206][T12719] usb 2-1: USB disconnect, device number 38 [ 656.525891][T12860] usb 5-1: unit 255 not found! [ 656.566964][T12860] usb 5-1: USB disconnect, device number 114 [ 656.609473][T16169] udevd[16169]: error opening ATTR{/sys/devices/platform/dummy_hcd.4/usb5/5-1/5-1:1.0/sound/card3/controlC3/../uevent} for writing: No such file or directory [ 657.068001][T12719] usb 3-1: new high-speed USB device number 38 using dummy_hcd [ 657.097651][T16323] netlink: 'syz.1.3522': attribute type 4 has an invalid length. [ 657.106092][T16323] netlink: 152 bytes leftover after parsing attributes in process `syz.1.3522'. [ 657.124595][T16323] : renamed from bond0 (while UP) [ 657.235650][T12719] usb 3-1: device descriptor read/64, error -71 [ 657.485708][T12719] usb 3-1: new high-speed USB device number 39 using dummy_hcd [ 657.635531][T12719] usb 3-1: device descriptor read/64, error -71 [ 657.745744][T12719] usb usb3-port1: attempt power cycle [ 657.845578][T12860] usb 5-1: new high-speed USB device number 115 using dummy_hcd [ 657.858370][T16341] /dev/rnullb0: Can't open blockdev [ 657.870777][T16343] overlay: filesystem on ./bus not supported as upperdir [ 657.875577][ T30] audit: type=1804 audit(1751723572.101:61): pid=16341 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=invalid_pcr cause=open_writers comm="syz.3.3530" name="/newroot/376/bus/file1" dev="overlay" ino=2007 res=1 errno=0 [ 658.010387][T12860] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 658.021227][T12860] usb 5-1: config 0 has 0 interfaces, different from the descriptor's value: 1 [ 658.033721][T12860] usb 5-1: New USB device found, idVendor=06cd, idProduct=0115, bcdDevice=d9.c3 [ 658.043598][T12860] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 658.075575][T12860] usb 5-1: Product: syz [ 658.080043][T12860] usb 5-1: Manufacturer: syz [ 658.085126][T12860] usb 5-1: SerialNumber: syz [ 658.085716][T12719] usb 3-1: new high-speed USB device number 40 using dummy_hcd [ 658.102047][T12860] usb 5-1: config 0 descriptor?? [ 658.146230][T12719] usb 3-1: device descriptor read/8, error -71 [ 658.326277][T16338] netlink: 'syz.4.3529': attribute type 10 has an invalid length. [ 658.389303][T12719] usb 3-1: new high-speed USB device number 41 using dummy_hcd [ 658.416283][T12719] usb 3-1: device descriptor read/8, error -71 [ 658.524428][T16338] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 658.541667][T12719] usb usb3-port1: unable to enumerate USB device [ 658.554556][T12719] usb 5-1: USB disconnect, device number 115 [ 659.132087][T16361] kvm: vcpu 2: requested lapic timer restore with starting count register 0x390=1812281087 (231971979136 ns) > initial count (200000 ns). Using initial count to start timer. [ 659.403158][T16367] ieee802154 phy0 wpan0: encryption failed: -22 [ 659.457345][T16367] FAULT_INJECTION: forcing a failure. [ 659.457345][T16367] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 659.487433][T16367] CPU: 0 UID: 0 PID: 16367 Comm: syz.1.3539 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 659.487466][T16367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 659.487481][T16367] Call Trace: [ 659.487491][T16367] [ 659.487501][T16367] dump_stack_lvl+0x189/0x250 [ 659.487537][T16367] ? __pfx____ratelimit+0x10/0x10 [ 659.487562][T16367] ? __pfx_dump_stack_lvl+0x10/0x10 [ 659.487595][T16367] ? __pfx__printk+0x10/0x10 [ 659.487627][T16367] ? __might_fault+0xb0/0x130 [ 659.487674][T16367] should_fail_ex+0x414/0x560 [ 659.487712][T16367] _copy_from_user+0x2d/0xb0 [ 659.487748][T16367] ___sys_sendmsg+0x158/0x2a0 [ 659.487782][T16367] ? __pfx____sys_sendmsg+0x10/0x10 [ 659.487842][T16367] ? __might_fault+0xb0/0x130 [ 659.487872][T16367] __sys_sendmmsg+0x227/0x430 [ 659.487910][T16367] ? __pfx___sys_sendmmsg+0x10/0x10 [ 659.487938][T16367] ? __mutex_unlock_slowpath+0x1cd/0x700 [ 659.487981][T16367] ? ksys_write+0x22a/0x250 [ 659.487998][T16367] ? __pfx_ksys_write+0x10/0x10 [ 659.488010][T16367] ? rcu_is_watching+0x15/0xb0 [ 659.488045][T16367] __x64_sys_sendmmsg+0xa0/0xc0 [ 659.488079][T16367] do_syscall_64+0xfa/0x3b0 [ 659.488103][T16367] ? lockdep_hardirqs_on+0x9c/0x150 [ 659.488128][T16367] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 659.488144][T16367] ? clear_bhb_loop+0x60/0xb0 [ 659.488163][T16367] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 659.488184][T16367] RIP: 0033:0x7f542f98e929 [ 659.488205][T16367] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 659.488224][T16367] RSP: 002b:00007f543089d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 659.488247][T16367] RAX: ffffffffffffffda RBX: 00007f542fbb5fa0 RCX: 00007f542f98e929 [ 659.488264][T16367] RDX: 000000000000fdef RSI: 00002000000020c0 RDI: 0000000000000004 [ 659.488274][T16367] RBP: 00007f543089d090 R08: 0000000000000000 R09: 0000000000000000 [ 659.488284][T16367] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 [ 659.488294][T16367] R13: 0000000000000000 R14: 00007f542fbb5fa0 R15: 00007ffc5c8984c8 [ 659.488317][T16367] [ 659.707262][ C0] vkms_vblank_simulate: vblank timer overrun [ 660.002293][T16371] vivid-003: ================= START STATUS ================= [ 660.010677][T16371] vivid-003: Radio HW Seek Mode: Bounded [ 660.025918][T16371] vivid-003: Radio Programmable HW Seek: false [ 660.051441][T16371] vivid-003: RDS Rx I/O Mode: Block I/O [ 660.077516][T16371] vivid-003: Generate RBDS Instead of RDS: false [ 660.102636][T16371] vivid-003: RDS Reception: true [ 660.125519][T16371] vivid-003: RDS Program Type: 0 inactive [ 660.131833][T16371] vivid-003: RDS PS Name: inactive [ 660.149680][T16371] vivid-003: RDS Radio Text: inactive [ 660.161416][T16371] vivid-003: RDS Traffic Announcement: false inactive [ 660.169730][T16371] vivid-003: RDS Traffic Program: false inactive [ 660.180787][T16371] vivid-003: RDS Music: false inactive [ 660.188036][T16371] vivid-003: ================== END STATUS ================== [ 660.197090][T16375] FAULT_INJECTION: forcing a failure. [ 660.197090][T16375] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 660.241877][T16375] CPU: 0 UID: 0 PID: 16375 Comm: syz.1.3540 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 660.241909][T16375] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 660.241925][T16375] Call Trace: [ 660.241935][T16375] [ 660.241945][T16375] dump_stack_lvl+0x189/0x250 [ 660.241983][T16375] ? __pfx____ratelimit+0x10/0x10 [ 660.242007][T16375] ? __pfx_dump_stack_lvl+0x10/0x10 [ 660.242034][T16375] ? __pfx__printk+0x10/0x10 [ 660.242066][T16375] should_fail_ex+0x414/0x560 [ 660.242101][T16375] _copy_to_user+0x31/0xb0 [ 660.242137][T16375] vivid_radio_rx_read+0x9e5/0xb70 [ 660.242177][T16375] ? __pfx_vivid_radio_rx_read+0x10/0x10 [ 660.242194][T16375] ? __pfx_v4l2_read+0x10/0x10 [ 660.242212][T16375] ? video_devdata+0x6b/0xd0 [ 660.242229][T16375] ? vivid_radio_read+0x7a/0xc0 [ 660.242252][T16375] v4l2_read+0x199/0x2c0 [ 660.242278][T16375] ? __pfx_v4l2_read+0x10/0x10 [ 660.242305][T16375] vfs_read+0x200/0x980 [ 660.242341][T16375] ? __pfx_vfs_read+0x10/0x10 [ 660.242367][T16375] ? __fget_files+0x2a/0x420 [ 660.242388][T16375] ? __fget_files+0x2a/0x420 [ 660.242412][T16375] ? __fget_files+0x3a0/0x420 [ 660.242435][T16375] ? __fget_files+0x2a/0x420 [ 660.242468][T16375] ksys_read+0x145/0x250 [ 660.242486][T16375] ? __pfx_ksys_read+0x10/0x10 [ 660.242515][T16375] ? do_syscall_64+0xbe/0x3b0 [ 660.242538][T16375] do_syscall_64+0xfa/0x3b0 [ 660.242566][T16375] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 660.242587][T16375] ? asm_sysvec_reschedule_ipi+0x1a/0x20 [ 660.242607][T16375] ? clear_bhb_loop+0x60/0xb0 [ 660.242631][T16375] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 660.242647][T16375] RIP: 0033:0x7f542f98e929 [ 660.242661][T16375] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 660.242674][T16375] RSP: 002b:00007f543085b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 660.242695][T16375] RAX: ffffffffffffffda RBX: 00007f542fbb6160 RCX: 00007f542f98e929 [ 660.242713][T16375] RDX: 0000000000000060 RSI: 0000200000001e80 RDI: 0000000000000004 [ 660.242728][T16375] RBP: 00007f543085b090 R08: 0000000000000000 R09: 0000000000000000 [ 660.242741][T16375] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 [ 660.242754][T16375] R13: 0000000000000001 R14: 00007f542fbb6160 R15: 00007ffc5c8984c8 [ 660.242783][T16375] [ 660.479299][ C0] vkms_vblank_simulate: vblank timer overrun [ 660.960187][T16380] gfs2: gfs2 mount does not exist [ 661.163626][T16383] ieee802154 phy0 wpan0: encryption failed: -22 [ 661.229721][T16386] tipc: Enabling of bearer rejected, failed to enable media [ 661.605164][T16395] FAULT_INJECTION: forcing a failure. [ 661.605164][T16395] name failslab, interval 1, probability 0, space 0, times 0 [ 661.621462][T16395] CPU: 0 UID: 0 PID: 16395 Comm: syz.2.3551 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 661.621493][T16395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 661.621508][T16395] Call Trace: [ 661.621516][T16395] [ 661.621525][T16395] dump_stack_lvl+0x189/0x250 [ 661.621563][T16395] ? __pfx____ratelimit+0x10/0x10 [ 661.621589][T16395] ? __pfx_dump_stack_lvl+0x10/0x10 [ 661.621619][T16395] ? __pfx__printk+0x10/0x10 [ 661.621661][T16395] ? ref_tracker_alloc+0x318/0x460 [ 661.621679][T16395] should_fail_ex+0x414/0x560 [ 661.621716][T16395] should_failslab+0xa8/0x100 [ 661.621740][T16395] kmem_cache_alloc_noprof+0x73/0x3c0 [ 661.621771][T16395] ? skb_clone+0x212/0x3a0 [ 661.621802][T16395] skb_clone+0x212/0x3a0 [ 661.621828][T16395] __netlink_deliver_tap+0x404/0x850 [ 661.621862][T16395] ? netlink_deliver_tap+0x2e/0x1b0 [ 661.621891][T16395] netlink_deliver_tap+0x19c/0x1b0 [ 661.621918][T16395] netlink_unicast+0x72f/0x8d0 [ 661.621948][T16395] netlink_sendmsg+0x805/0xb30 [ 661.621974][T16395] ? __pfx_netlink_sendmsg+0x10/0x10 [ 661.621997][T16395] ? aa_sock_msg_perm+0xf1/0x1d0 [ 661.622033][T16395] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 661.622058][T16395] ? __pfx_netlink_sendmsg+0x10/0x10 [ 661.622085][T16395] __sock_sendmsg+0x219/0x270 [ 661.622104][T16395] ____sys_sendmsg+0x505/0x830 [ 661.622131][T16395] ? __pfx_____sys_sendmsg+0x10/0x10 [ 661.622180][T16395] ? import_iovec+0x74/0xa0 [ 661.622216][T16395] ___sys_sendmsg+0x21f/0x2a0 [ 661.622247][T16395] ? __pfx____sys_sendmsg+0x10/0x10 [ 661.622294][T16395] ? __fget_files+0x2a/0x420 [ 661.622314][T16395] ? __fget_files+0x3a0/0x420 [ 661.622350][T16395] __x64_sys_sendmsg+0x19b/0x260 [ 661.622381][T16395] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 661.622414][T16395] ? __pfx_ksys_write+0x10/0x10 [ 661.622426][T16395] ? rcu_is_watching+0x15/0xb0 [ 661.622450][T16395] ? do_syscall_64+0xbe/0x3b0 [ 661.622479][T16395] do_syscall_64+0xfa/0x3b0 [ 661.622502][T16395] ? lockdep_hardirqs_on+0x9c/0x150 [ 661.622523][T16395] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 661.622559][T16395] ? clear_bhb_loop+0x60/0xb0 [ 661.622578][T16395] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 661.622594][T16395] RIP: 0033:0x7fc99ef8e929 [ 661.622612][T16395] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 661.622632][T16395] RSP: 002b:00007fc99fd4b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 661.622661][T16395] RAX: ffffffffffffffda RBX: 00007fc99f1b5fa0 RCX: 00007fc99ef8e929 [ 661.622677][T16395] RDX: 0000000000000000 RSI: 00002000000001c0 RDI: 0000000000000003 [ 661.622691][T16395] RBP: 00007fc99fd4b090 R08: 0000000000000000 R09: 0000000000000000 [ 661.622702][T16395] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 661.622712][T16395] R13: 0000000000000000 R14: 00007fc99f1b5fa0 R15: 00007fff9bee33a8 [ 661.622735][T16395] [ 661.965507][T12719] usb 2-1: new high-speed USB device number 39 using dummy_hcd [ 662.095764][T12719] usb 2-1: device descriptor read/64, error -71 [ 662.284150][T16404] /dev/rnullb0: Can't open blockdev [ 662.346029][T12719] usb 2-1: new high-speed USB device number 40 using dummy_hcd [ 662.485540][T12719] usb 2-1: device descriptor read/64, error -71 [ 662.497755][T16408] /dev/rnullb0: Can't open blockdev [ 662.513403][T16410] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 662.575846][ T5889] usb 5-1: new high-speed USB device number 116 using dummy_hcd [ 662.597759][T12719] usb usb2-port1: attempt power cycle [ 662.627370][T16413] netlink: 16 bytes leftover after parsing attributes in process `syz.2.3559'. [ 662.739396][ T5889] usb 5-1: config 17 interface 0 altsetting 0 has an endpoint descriptor with address 0xFF, changing to 0x8F [ 662.751448][ T5889] usb 5-1: config 17 interface 0 altsetting 0 endpoint 0x8F has an invalid bInterval 0, changing to 7 [ 662.762614][ T5889] usb 5-1: config 17 interface 0 altsetting 0 endpoint 0x8F has invalid maxpacket 59391, setting to 1024 [ 662.774222][ T5889] usb 5-1: New USB device found, idVendor=0458, idProduct=5003, bcdDevice= 0.00 [ 662.783379][ T5889] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 662.795300][T16404] raw-gadget.1 gadget.4: fail, usb_ep_enable returned -22 [ 662.955560][T12719] usb 2-1: new high-speed USB device number 41 using dummy_hcd [ 662.959742][T12860] usb 3-1: new high-speed USB device number 42 using dummy_hcd [ 662.986161][T12719] usb 2-1: device descriptor read/8, error -71 [ 663.137200][T12860] usb 3-1: Using ep0 maxpacket: 32 [ 663.145207][T12860] usb 3-1: config 0 has an invalid interface number: 85 but max is 0 [ 663.165494][T12860] usb 3-1: config 0 has no interface number 0 [ 663.171706][T12860] usb 3-1: config 0 interface 85 altsetting 7 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 663.182993][T12860] usb 3-1: config 0 interface 85 has no altsetting 0 [ 663.192648][T12860] usb 3-1: New USB device found, idVendor=05ac, idProduct=0219, bcdDevice=f0.72 [ 663.203699][T12860] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 663.225580][T12719] usb 2-1: new high-speed USB device number 42 using dummy_hcd [ 663.225645][T12860] usb 3-1: Product: syz [ 663.245450][T12860] usb 3-1: Manufacturer: syz [ 663.247429][T12719] usb 2-1: device descriptor read/8, error -71 [ 663.250276][T12860] usb 3-1: SerialNumber: syz [ 663.269552][T12860] usb 3-1: config 0 descriptor?? [ 663.281938][T16425] netlink: 156 bytes leftover after parsing attributes in process `syz.3.3565'. [ 663.365871][T12719] usb usb2-port1: unable to enumerate USB device [ 663.425224][T16429] netlink: 244 bytes leftover after parsing attributes in process `syz.3.3567'. [ 664.038474][T12860] appletouch 3-1:0.85: Geyser mode initialized. [ 664.047591][T12860] input: appletouch as /devices/platform/dummy_hcd.2/usb3/3-1/3-1:0.85/input/input32 [ 664.061639][ C1] appletouch 3-1:0.85: appletouch: OVERFLOW with data length 64, actual length is 64 [ 664.243939][T16440] netlink: 156 bytes leftover after parsing attributes in process `syz.2.3561'. [ 664.273228][T12860] usb 3-1: USB disconnect, device number 42 [ 664.273306][ C0] appletouch 3-1:0.85: atp_complete: usb_submit_urb failed with result -19 [ 664.377472][T12860] appletouch 3-1:0.85: input: appletouch disconnected [ 664.463917][T16443] vivid-002: ================= START STATUS ================= [ 664.471735][T16443] vivid-002: Radio HW Seek Mode: Bounded [ 664.488615][T16443] vivid-002: Radio Programmable HW Seek: false [ 664.494916][T16443] vivid-002: RDS Rx I/O Mode: Block I/O [ 664.501213][T16443] vivid-002: Generate RBDS Instead of RDS: false [ 664.507970][T16443] vivid-002: RDS Reception: true [ 664.513049][T16443] vivid-002: RDS Program Type: 0 inactive [ 664.520614][T16443] vivid-002: RDS PS Name: inactive [ 664.527469][T16443] vivid-002: RDS Radio Text: inactive [ 664.533082][T16443] vivid-002: RDS Traffic Announcement: false inactive [ 664.547632][T16443] vivid-002: RDS Traffic Program: false inactive [ 664.547710][T16445] comedi comedi3: c6xdigio: a I/O base address must be specified [ 664.554068][T16443] vivid-002: RDS Music: false inactive [ 664.554106][T16443] vivid-002: ================== END STATUS ================== [ 664.657220][T16449] netlink: 8 bytes leftover after parsing attributes in process `syz.1.3572'. [ 664.666478][T16449] netlink: 33 bytes leftover after parsing attributes in process `syz.1.3572'. [ 664.676420][T16449] netlink: 33 bytes leftover after parsing attributes in process `syz.1.3572'. [ 665.092392][T16464] loop6: detected capacity change from 0 to 63 [ 665.103835][T16462] buffer_io_error: 7 callbacks suppressed [ 665.103855][T16462] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.117993][T16462] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.127132][T16462] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.135190][T16169] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.143946][T16462] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.152740][T16169] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.161962][T16462] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.170836][T16169] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.181897][T16462] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.191913][T16169] Buffer I/O error on dev loop6, logical block 0, async page read [ 665.528015][ T24] usb 2-1: new high-speed USB device number 43 using dummy_hcd [ 665.651221][T16472] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 665.661835][T16472] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 665.669765][ T24] usb 2-1: device descriptor read/64, error -71 [ 665.683153][T12860] hid-generic 0000:0000:0000.0027: unknown main item tag 0x0 [ 665.692348][T16472] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 665.707161][T16472] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 665.715684][T12860] hid-generic 0000:0000:0000.0027: hidraw0: HID v0.00 Device [syz1] on syz0 [ 665.915545][ T24] usb 2-1: new high-speed USB device number 44 using dummy_hcd [ 665.997212][T16475] netlink: 244 bytes leftover after parsing attributes in process `syz.2.3581'. [ 666.065898][ T24] usb 2-1: device descriptor read/64, error -71 [ 666.176727][ T24] usb usb2-port1: attempt power cycle [ 666.363504][T16485] netlink: 'syz.3.3586': attribute type 12 has an invalid length. [ 666.523356][ T24] usb 2-1: new high-speed USB device number 45 using dummy_hcd [ 666.535698][ T9] usb 3-1: new high-speed USB device number 43 using dummy_hcd [ 666.546205][ T24] usb 2-1: device descriptor read/8, error -71 [ 666.685598][ T9] usb 3-1: Using ep0 maxpacket: 32 [ 666.692999][ T9] usb 3-1: config 1 has an invalid interface number: 166 but max is 0 [ 666.705071][ T9] usb 3-1: config 1 has no interface number 0 [ 666.711317][ T9] usb 3-1: config 1 interface 166 altsetting 2 has an endpoint descriptor with address 0xDA, changing to 0x8A [ 666.729353][ T9] usb 3-1: config 1 interface 166 altsetting 2 bulk endpoint 0x8 has invalid maxpacket 8 [ 666.741716][ T9] usb 3-1: config 1 interface 166 has no altsetting 0 [ 666.751498][ T9] usb 3-1: New USB device found, idVendor=06cd, idProduct=010c, bcdDevice=35.62 [ 666.760885][ T9] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 666.769187][ T9] usb 3-1: Product: syz [ 666.773536][ T9] usb 3-1: Manufacturer: syz [ 666.778357][ T9] usb 3-1: SerialNumber: syz [ 666.790131][ T24] usb 2-1: new high-speed USB device number 46 using dummy_hcd [ 666.808706][ T5889] aiptek 5-1:17.0: Aiptek using 400 ms programming speed [ 666.832731][ T24] usb 2-1: device descriptor read/8, error -71 [ 666.838571][ T5889] input: Aiptek as /devices/platform/dummy_hcd.4/usb5/5-1/5-1:17.0/input/input31 [ 666.908595][ C0] aiptek 5-1:17.0: aiptek_irq - usb_submit_urb failed with result -19 [ 666.917038][ T5889] usb 5-1: USB disconnect, device number 116 [ 666.966325][ T24] usb usb2-port1: unable to enumerate USB device [ 667.039093][T16483] /dev/rnullb0: Can't open blockdev [ 667.063195][T16494] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 667.084142][T16494] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 667.153319][ T9] keyspan 3-1:1.166: Keyspan 1 port adapter converter detected [ 667.161981][ T9] keyspan 3-1:1.166: found no endpoint descriptor for endpoint 84 [ 667.167340][T16497] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 667.178079][ T9] keyspan 3-1:1.166: found no endpoint descriptor for endpoint 81 [ 667.189934][ T9] keyspan 3-1:1.166: found no endpoint descriptor for endpoint 82 [ 667.198660][ T9] keyspan 3-1:1.166: found no endpoint descriptor for endpoint 1 [ 667.199434][T16497] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 667.210596][ T9] keyspan 3-1:1.166: found no endpoint descriptor for endpoint 2 [ 667.237535][ T9] keyspan 3-1:1.166: found no endpoint descriptor for endpoint 83 [ 667.241880][T16497] FAULT_INJECTION: forcing a failure. [ 667.241880][T16497] name failslab, interval 1, probability 0, space 0, times 0 [ 667.246859][ T9] keyspan 3-1:1.166: found no endpoint descriptor for endpoint 3 [ 667.280358][T16497] CPU: 1 UID: 0 PID: 16497 Comm: syz.3.3590 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 667.280393][T16497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 667.280408][T16497] Call Trace: [ 667.280427][T16497] [ 667.280440][T16497] dump_stack_lvl+0x189/0x250 [ 667.280478][T16497] ? __pfx____ratelimit+0x10/0x10 [ 667.280503][T16497] ? __pfx_dump_stack_lvl+0x10/0x10 [ 667.280535][T16497] ? __pfx__printk+0x10/0x10 [ 667.280574][T16497] ? __pfx___might_resched+0x10/0x10 [ 667.280602][T16497] ? fs_reclaim_acquire+0x7d/0x100 [ 667.280631][T16497] should_fail_ex+0x414/0x560 [ 667.280670][T16497] should_failslab+0xa8/0x100 [ 667.280693][T16497] kmem_cache_alloc_noprof+0x73/0x3c0 [ 667.280725][T16497] ? alloc_empty_file+0x55/0x1d0 [ 667.280758][T16497] alloc_empty_file+0x55/0x1d0 [ 667.280787][T16497] path_openat+0x107/0x3830 [ 667.280818][T16497] ? arch_stack_walk+0xfc/0x150 [ 667.280880][T16497] ? kasan_save_track+0x4f/0x80 [ 667.280909][T16497] ? kasan_save_track+0x3e/0x80 [ 667.280936][T16497] ? __kasan_slab_alloc+0x6c/0x80 [ 667.280967][T16497] ? getname_flags+0xb8/0x540 [ 667.280992][T16497] ? __pfx_path_openat+0x10/0x10 [ 667.281022][T16497] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 667.281066][T16497] do_filp_open+0x1fa/0x410 [ 667.281096][T16497] ? __lock_acquire+0xab9/0xd20 [ 667.281123][T16497] ? __pfx_do_filp_open+0x10/0x10 [ 667.281177][T16497] ? _raw_spin_unlock+0x28/0x50 [ 667.281209][T16497] ? alloc_fd+0x64c/0x6c0 [ 667.281245][T16497] do_sys_openat2+0x121/0x1c0 [ 667.281276][T16497] ? __pfx_do_sys_openat2+0x10/0x10 [ 667.281306][T16497] ? ksys_write+0x22a/0x250 [ 667.281328][T16497] ? __pfx_ksys_write+0x10/0x10 [ 667.281345][T16497] ? rcu_is_watching+0x15/0xb0 [ 667.281377][T16497] __x64_sys_openat+0x138/0x170 [ 667.281411][T16497] do_syscall_64+0xfa/0x3b0 [ 667.281442][T16497] ? lockdep_hardirqs_on+0x9c/0x150 [ 667.281465][T16497] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 667.281487][T16497] ? clear_bhb_loop+0x60/0xb0 [ 667.281513][T16497] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 667.281534][T16497] RIP: 0033:0x7fe05bf8d290 [ 667.281554][T16497] Code: 48 89 44 24 20 75 93 44 89 54 24 0c e8 49 94 02 00 44 8b 54 24 0c 89 da 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 38 44 89 c7 89 44 24 0c e8 9c 94 02 00 8b 44 [ 667.281573][T16497] RSP: 002b:00007fe05ce27b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 [ 667.281598][T16497] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe05bf8d290 [ 667.281614][T16497] RDX: 0000000000000002 RSI: 00007fe05ce27c10 RDI: 00000000ffffff9c [ 667.281630][T16497] RBP: 00007fe05ce27c10 R08: 0000000000000000 R09: 00007fe05ce27987 [ 667.281646][T16497] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001 [ 667.281660][T16497] R13: 0000000000000000 R14: 00007fe05c1b5fa0 R15: 00007fff9aa2e518 [ 667.281694][T16497] [ 667.586662][T16497] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 667.597930][T16497] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 667.615902][ T9] usb 3-1: Keyspan 1 port adapter converter now attached to ttyUSB0 [ 667.667731][ T9] usb 3-1: USB disconnect, device number 43 [ 667.683706][ T9] keyspan_1 ttyUSB0: Keyspan 1 port adapter converter now disconnected from ttyUSB0 [ 667.698775][ T9] keyspan 3-1:1.166: device disconnected [ 668.232370][ T30] audit: type=1326 audit(1751723582.461:62): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=16517 comm="syz.4.3596" exe="/root/syz-executor" sig=9 arch=c000003e syscall=231 compat=0 ip=0x7f4dfdf8e929 code=0x0 [ 668.287243][T16521] /dev/rnullb0: Can't open blockdev [ 668.304461][T16520] /dev/rnullb0: Can't open blockdev [ 668.323300][T16520] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 668.335206][T16520] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 668.755658][ T43] usb 2-1: new high-speed USB device number 47 using dummy_hcd [ 668.922099][ T43] usb 2-1: config 1 interface 0 altsetting 0 endpoint 0x1 has invalid maxpacket 25657, setting to 1024 [ 668.933360][ T43] usb 2-1: config 1 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 1024 [ 668.948342][ T43] usb 2-1: config 1 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 2 [ 668.969578][ T43] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a8, bcdDevice= 0.40 [ 668.970575][T16535] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 668.981000][ T43] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 668.989946][T16535] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 669.001138][ T43] usb 2-1: Product: syz [ 669.007967][ T43] usb 2-1: Manufacturer: syz [ 669.012969][ T43] usb 2-1: SerialNumber: syz [ 669.021654][T16525] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 669.035813][ T43] hub 2-1:1.0: bad descriptor, ignoring hub [ 669.041942][ T43] hub 2-1:1.0: probe with driver hub failed with error -5 [ 669.209647][T16535] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 669.227883][T16535] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 669.242115][ T43] usblp 2-1:1.0: usblp0: USB Unidirectional printer dev 47 if 0 alt 0 proto 1 vid 0x0525 pid 0xA4A8 [ 669.365546][ T24] usb 5-1: new high-speed USB device number 117 using dummy_hcd [ 669.525912][ T24] usb 5-1: Using ep0 maxpacket: 32 [ 669.640552][ T24] usb 5-1: unable to get BOS descriptor or descriptor too short [ 669.649808][ T24] usb 5-1: unable to read config index 0 descriptor/start: -71 [ 669.657981][ T24] usb 5-1: can't read configurations, error -71 [ 669.781003][T16540] MTD: Attempt to mount non-MTD device "/dev/rnullb0" [ 669.788470][T16540] /dev/rnullb0: Can't open blockdev [ 669.897397][T16548] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 669.909654][T16548] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 669.924158][T16546] 9pnet_fd: Insufficient options for proto=fd [ 670.125747][T16525] usb 2-1: reset high-speed USB device number 47 using dummy_hcd [ 670.225506][T12719] usb 3-1: new high-speed USB device number 44 using dummy_hcd [ 670.293560][T16538] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 670.380822][T12719] usb 3-1: New USB device found, idVendor=055f, idProduct=c230, bcdDevice=b6.ac [ 670.394908][T12719] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 670.404591][T12719] usb 3-1: Product: syz [ 670.410545][T12719] usb 3-1: Manufacturer: syz [ 670.415268][T12719] usb 3-1: SerialNumber: syz [ 670.422921][T12719] usb 3-1: config 0 descriptor?? [ 670.432156][T12719] gspca_main: sunplus-2.14.0 probing 055f:c230 [ 670.516061][ T5889] usb 2-1: USB disconnect, device number 47 [ 670.540096][ T5889] usblp0: removed [ 670.670537][T16563] iommufd_mock iommufd_mock0: Adding to iommu group 0 [ 670.756523][T16565] /dev/rnullb0: Can't open blockdev [ 671.058554][T12719] gspca_sunplus: reg_r err -71 [ 671.065340][T12719] sunplus 3-1:0.0: probe with driver sunplus failed with error -71 [ 671.089092][T12719] usb 3-1: USB disconnect, device number 44 [ 671.098457][T16169] udevd[16169]: setting owner of /dev/bus/usb/003/044 to uid=0, gid=0 failed: No such file or directory [ 671.236638][T16577] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 671.251183][T16577] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 671.323156][T16580] netlink: 60 bytes leftover after parsing attributes in process `syz.1.3622'. [ 671.333595][T16581] netlink: 60 bytes leftover after parsing attributes in process `syz.1.3622'. [ 671.347748][T16580] netlink: 60 bytes leftover after parsing attributes in process `syz.1.3622'. [ 671.742502][T16598] tipc: Enabling of bearer rejected, failed to enable media [ 671.827588][T16600] FAULT_INJECTION: forcing a failure. [ 671.827588][T16600] name fail_usercopy, interval 1, probability 0, space 0, times 0 [ 671.847693][T16600] CPU: 0 UID: 0 PID: 16600 Comm: syz.4.3630 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 671.847726][T16600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 671.847740][T16600] Call Trace: [ 671.847749][T16600] [ 671.847759][T16600] dump_stack_lvl+0x189/0x250 [ 671.847795][T16600] ? __pfx____ratelimit+0x10/0x10 [ 671.847820][T16600] ? __pfx_dump_stack_lvl+0x10/0x10 [ 671.847851][T16600] ? __pfx__printk+0x10/0x10 [ 671.847896][T16600] should_fail_ex+0x414/0x560 [ 671.847933][T16600] _copy_to_user+0x31/0xb0 [ 671.847975][T16600] simple_read_from_buffer+0xe1/0x170 [ 671.848003][T16600] proc_fail_nth_read+0x1df/0x250 [ 671.848036][T16600] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 671.848068][T16600] ? rw_verify_area+0x258/0x650 [ 671.848100][T16600] ? __pfx_proc_fail_nth_read+0x10/0x10 [ 671.848131][T16600] vfs_read+0x200/0x980 [ 671.848170][T16600] ? __pfx___mutex_lock+0x10/0x10 [ 671.848195][T16600] ? __pfx_vfs_read+0x10/0x10 [ 671.848229][T16600] ? __fget_files+0x2a/0x420 [ 671.848258][T16600] ? __fget_files+0x3a0/0x420 [ 671.848280][T16600] ? __fget_files+0x2a/0x420 [ 671.848314][T16600] ksys_read+0x145/0x250 [ 671.848335][T16600] ? __pfx_ksys_read+0x10/0x10 [ 671.848365][T16600] ? rcu_is_watching+0x15/0xb0 [ 671.848400][T16600] ? do_syscall_64+0xbe/0x3b0 [ 671.848429][T16600] do_syscall_64+0xfa/0x3b0 [ 671.848452][T16600] ? lockdep_hardirqs_on+0x9c/0x150 [ 671.848475][T16600] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 671.848496][T16600] ? clear_bhb_loop+0x60/0xb0 [ 671.848524][T16600] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 671.848545][T16600] RIP: 0033:0x7f4dfdf8d33c [ 671.848565][T16600] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 93 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 ef 93 02 00 48 [ 671.848584][T16600] RSP: 002b:00007f4dfed95030 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 671.848607][T16600] RAX: ffffffffffffffda RBX: 00007f4dfe1b5fa0 RCX: 00007f4dfdf8d33c [ 671.848624][T16600] RDX: 000000000000000f RSI: 00007f4dfed950a0 RDI: 0000000000000006 [ 671.848637][T16600] RBP: 00007f4dfed95090 R08: 0000000000000000 R09: 0000000000000000 [ 671.848651][T16600] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 671.848664][T16600] R13: 0000000000000000 R14: 00007f4dfe1b5fa0 R15: 00007ffdd6a9c2f8 [ 671.848698][T16600] [ 672.085775][ C0] vkms_vblank_simulate: vblank timer overrun [ 672.122689][T16602] lo speed is unknown, defaulting to 1000 [ 672.145554][ T24] usb 3-1: new high-speed USB device number 45 using dummy_hcd [ 672.170444][T16604] netlink: 'syz.1.3631': attribute type 10 has an invalid length. [ 672.178515][T16604] netlink: 40 bytes leftover after parsing attributes in process `syz.1.3631'. [ 672.190134][T16604] batman_adv: batadv0: Adding interface: virt_wifi0 [ 672.196924][T16604] batman_adv: batadv0: Interface activated: virt_wifi0 [ 672.318583][ T24] usb 3-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xFF, changing to 0x8F [ 672.364781][ T24] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x8F has an invalid bInterval 0, changing to 7 [ 672.388221][ T24] usb 3-1: config 0 interface 0 altsetting 0 endpoint 0x8F has invalid wMaxPacketSize 0 [ 672.401528][ T24] usb 3-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21 [ 672.406676][T16609] netlink: 16 bytes leftover after parsing attributes in process `syz.4.3633'. [ 672.419897][ T24] usb 3-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 672.443193][ T24] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 672.462943][ T24] usb 3-1: config 0 descriptor?? [ 672.745775][ T24] usbhid 3-1:0.0: can't add hid device: -71 [ 672.751904][ T24] usbhid 3-1:0.0: probe with driver usbhid failed with error -71 [ 672.809417][ T24] usb 3-1: USB disconnect, device number 45 [ 672.837910][T16616] /dev/rnullb0: Can't open blockdev [ 672.986595][T16621] netlink: 244 bytes leftover after parsing attributes in process `syz.4.3637'. [ 673.236538][T16625] syz.3.3638: attempt to access beyond end of device [ 673.236538][T16625] nbd3: rw=6144, sector=128, nr_sectors = 8 limit=0 [ 673.281761][T16625] gfs2: error -5 reading superblock [ 673.705511][T12719] usb 5-1: new high-speed USB device number 119 using dummy_hcd [ 673.777898][ T5889] usb 2-1: new high-speed USB device number 48 using dummy_hcd [ 673.866224][T12719] usb 5-1: Using ep0 maxpacket: 8 [ 673.873624][T12719] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 673.884605][T12719] usb 5-1: New USB device found, idVendor=05ac, idProduct=8215, bcdDevice=8f.58 [ 673.893872][T12719] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 673.918733][T12719] usb 5-1: config 0 descriptor?? [ 673.948231][ T5889] usb 2-1: config 0 interface 0 altsetting 15 endpoint 0x81 has invalid wMaxPacketSize 0 [ 673.978775][ T5889] usb 2-1: config 0 interface 0 altsetting 15 has 1 endpoint descriptor, different from the interface descriptor's value: 5 [ 673.996293][ T5889] usb 2-1: config 0 interface 0 has no altsetting 0 [ 674.003150][ T5889] usb 2-1: New USB device found, idVendor=05ac, idProduct=025b, bcdDevice= 0.00 [ 674.023143][ T5889] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 674.044548][ T5889] usb 2-1: config 0 descriptor?? [ 674.101035][T16642] /dev/rnullb0: Can't open blockdev [ 674.139031][T12719] usb 5-1: USB disconnect, device number 119 [ 674.180528][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x3 [ 674.190531][T16642] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 674.204098][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x0 [ 674.214665][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x0 [ 674.220751][T16642] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 674.222201][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x0 [ 674.237915][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x0 [ 674.245594][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x0 [ 674.253194][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x0 [ 674.261582][ T1070] hid-generic 00A0:0006:0003.0028: unknown main item tag 0x0 [ 674.269933][T16646] netlink: 4 bytes leftover after parsing attributes in process `syz.2.3647'. [ 674.288924][ T1070] hid-generic 00A0:0006:0003.0028: hidraw0: HID v0.05 Device [syz1] on syz0 [ 674.303533][T16641] rtc_cmos 00:00: Alarms can be up to one day in the future [ 674.398767][T16648] fido_id[16648]: Failed to open report descriptor at '/sys/devices/virtual/misc/uhid/report_descriptor': No such file or directory [ 674.543811][T16646] bond0: (slave bond_slave_0): Releasing backup interface [ 674.594650][ T5889] usb 2-1: string descriptor 0 read error: -71 [ 674.612285][ T5889] input: bcm5974 as /devices/platform/dummy_hcd.1/usb2/2-1/2-1:0.0/input/input35 [ 674.634126][ T5202] bcm5974 2-1:0.0: could not read from device [ 674.641051][ T24] rtc_cmos 00:00: Alarms can be up to one day in the future [ 674.641479][ T24] rtc_cmos 00:00: Alarms can be up to one day in the future [ 674.697361][ T24] rtc_cmos 00:00: Alarms can be up to one day in the future [ 674.734380][ T24] rtc_cmos 00:00: Alarms can be up to one day in the future [ 674.743376][ T24] rtc rtc0: __rtc_set_alarm: err=-22 [ 674.774534][T15800] bcm5974 2-1:0.0: could not read from device [ 674.776883][ T5889] usb 2-1: USB disconnect, device number 48 [ 674.825900][ T5202] bcm5974 2-1:0.0: could not read from device [ 674.926124][T15800] udevd[15800]: Error opening device "/dev/input/event5": No such device [ 674.937495][T15800] udevd[15800]: Unable to EVIOCGABS device "/dev/input/event5" [ 674.946198][T15800] udevd[15800]: Unable to EVIOCGABS device "/dev/input/event5" [ 674.973631][T15800] udevd[15800]: Unable to EVIOCGABS device "/dev/input/event5" [ 674.997677][T15800] udevd[15800]: Unable to EVIOCGABS device "/dev/input/event5" [ 675.063437][T16657] FAULT_INJECTION: forcing a failure. [ 675.063437][T16657] name failslab, interval 1, probability 0, space 0, times 0 [ 675.077895][T16657] CPU: 0 UID: 0 PID: 16657 Comm: syz.3.3651 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 675.077928][T16657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 675.077944][T16657] Call Trace: [ 675.077954][T16657] [ 675.077965][T16657] dump_stack_lvl+0x189/0x250 [ 675.078003][T16657] ? __pfx____ratelimit+0x10/0x10 [ 675.078029][T16657] ? __pfx_dump_stack_lvl+0x10/0x10 [ 675.078061][T16657] ? __pfx__printk+0x10/0x10 [ 675.078100][T16657] ? __pfx___might_resched+0x10/0x10 [ 675.078137][T16657] should_fail_ex+0x414/0x560 [ 675.078176][T16657] ? seq_read_iter+0x1fd/0xe10 [ 675.078207][T16657] should_failslab+0xa8/0x100 [ 675.078231][T16657] __kvmalloc_node_noprof+0x161/0x5f0 [ 675.078267][T16657] ? seq_read_iter+0x1fd/0xe10 [ 675.078298][T16657] ? __mutex_trylock_common+0x153/0x260 [ 675.078335][T16657] seq_read_iter+0x1fd/0xe10 [ 675.078378][T16657] ? kernfs_fop_read_iter+0x13f/0x640 [ 675.078410][T16657] vfs_read+0x4cd/0x980 [ 675.078454][T16657] ? __pfx_vfs_read+0x10/0x10 [ 675.078500][T16657] ? __fget_files+0x2a/0x420 [ 675.078535][T16657] ksys_read+0x145/0x250 [ 675.078570][T16657] ? __pfx_ksys_read+0x10/0x10 [ 675.078602][T16657] ? rcu_is_watching+0x15/0xb0 [ 675.078651][T16657] ? do_syscall_64+0xbe/0x3b0 [ 675.078683][T16657] do_syscall_64+0xfa/0x3b0 [ 675.078707][T16657] ? lockdep_hardirqs_on+0x9c/0x150 [ 675.078731][T16657] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 675.078754][T16657] ? clear_bhb_loop+0x60/0xb0 [ 675.078782][T16657] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 675.078805][T16657] RIP: 0033:0x7fe05bf8e929 [ 675.078825][T16657] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 675.078845][T16657] RSP: 002b:00007fe05ce28038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 675.078870][T16657] RAX: ffffffffffffffda RBX: 00007fe05c1b5fa0 RCX: 00007fe05bf8e929 [ 675.078888][T16657] RDX: 0000000000002020 RSI: 0000200000002240 RDI: 0000000000000005 [ 675.078902][T16657] RBP: 00007fe05ce28090 R08: 0000000000000000 R09: 0000000000000000 [ 675.078917][T16657] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 675.078930][T16657] R13: 0000000000000000 R14: 00007fe05c1b5fa0 R15: 00007fff9aa2e518 [ 675.078966][T16657] [ 675.311458][ C0] vkms_vblank_simulate: vblank timer overrun [ 675.367393][ T1070] usb 5-1: new high-speed USB device number 120 using dummy_hcd [ 675.423812][T16659] /dev/rnullb0: Can't open blockdev [ 675.525467][ T1070] usb 5-1: Using ep0 maxpacket: 32 [ 675.532408][ T1070] usb 5-1: config 64 has an invalid interface number: 184 but max is 0 [ 675.541364][ T1070] usb 5-1: config 64 has no interface number 0 [ 675.547843][ T1070] usb 5-1: config 64 interface 184 has no altsetting 0 [ 675.557673][ T1070] usb 5-1: New USB device found, idVendor=2c7c, idProduct=0801, bcdDevice=dd.60 [ 675.567071][ T1070] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 675.575171][ T1070] usb 5-1: Product: syz [ 675.579497][ T1070] usb 5-1: Manufacturer: syz [ 675.584388][ T1070] usb 5-1: SerialNumber: syz [ 675.804439][ T1070] qmi_wwan 5-1:64.184: probe with driver qmi_wwan failed with error -22 [ 675.823726][ T1070] usb 5-1: USB disconnect, device number 120 [ 675.915530][ T9] usb 3-1: new high-speed USB device number 46 using dummy_hcd [ 675.975511][ T5889] usb 2-1: new high-speed USB device number 49 using dummy_hcd [ 676.075469][ T9] usb 3-1: Using ep0 maxpacket: 8 [ 676.082801][ T9] usb 3-1: unable to get BOS descriptor or descriptor too short [ 676.094806][ T9] usb 3-1: config 4 has an invalid interface number: 147 but max is 0 [ 676.103131][ T9] usb 3-1: config 4 contains an unexpected descriptor of type 0x2, skipping [ 676.112244][ T9] usb 3-1: config 4 has no interface number 0 [ 676.121655][ T9] usb 3-1: New USB device found, idVendor=04f2, idProduct=b746, bcdDevice=8e.6e [ 676.130879][ T9] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 676.139033][ T5889] usb 2-1: Using ep0 maxpacket: 8 [ 676.144199][ T9] usb 3-1: Product: syz [ 676.148651][ T9] usb 3-1: Manufacturer: syz [ 676.153352][ T9] usb 3-1: SerialNumber: syz [ 676.162159][ T5889] usb 2-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 676.180748][ T5889] usb 2-1: New USB device found, idVendor=05ac, idProduct=8215, bcdDevice=8f.58 [ 676.189914][ T5889] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 676.201855][ T5889] usb 2-1: config 0 descriptor?? [ 676.393103][T16667] /dev/rnullb0: Can't open blockdev [ 676.420762][T16668] /dev/rnullb0: Can't open blockdev [ 676.453265][ T5889] usb 2-1: USB disconnect, device number 49 [ 676.505600][ T9] usb 3-1: Found UVC 0.02 device syz (04f2:b746) [ 676.532688][ T9] usb 3-1: No valid video chain found. [ 676.560473][ T9] usb 3-1: USB disconnect, device number 46 [ 676.636601][T16678] /dev/rnullb0: Can't open blockdev [ 676.656358][T16676] /dev/rnullb0: Can't open blockdev [ 676.682396][T16684] netlink: 244 bytes leftover after parsing attributes in process `syz.4.3661'. [ 676.787158][T16686] FAULT_INJECTION: forcing a failure. [ 676.787158][T16686] name failslab, interval 1, probability 0, space 0, times 0 [ 676.802421][T16686] CPU: 1 UID: 0 PID: 16686 Comm: syz.4.3662 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 676.802445][T16686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 676.802455][T16686] Call Trace: [ 676.802462][T16686] [ 676.802470][T16686] dump_stack_lvl+0x189/0x250 [ 676.802505][T16686] ? __pfx____ratelimit+0x10/0x10 [ 676.802526][T16686] ? __pfx_dump_stack_lvl+0x10/0x10 [ 676.802548][T16686] ? __pfx__printk+0x10/0x10 [ 676.802576][T16686] ? __pfx___might_resched+0x10/0x10 [ 676.802600][T16686] should_fail_ex+0x414/0x560 [ 676.802627][T16686] ? alloc_netdev_mqs+0xa3/0x1170 [ 676.802651][T16686] should_failslab+0xa8/0x100 [ 676.802668][T16686] __kvmalloc_node_noprof+0x161/0x5f0 [ 676.802693][T16686] ? alloc_netdev_mqs+0xa3/0x1170 [ 676.802722][T16686] alloc_netdev_mqs+0xa3/0x1170 [ 676.802745][T16686] ? __pfx_ipip6_tunnel_setup+0x10/0x10 [ 676.802773][T16686] ipip6_tunnel_locate+0x4c4/0x770 [ 676.802802][T16686] ? __pfx_ipip6_tunnel_locate+0x10/0x10 [ 676.802834][T16686] ipip6_tunnel_ctl+0x6b0/0x9e0 [ 676.802860][T16686] ip_tunnel_siocdevprivate+0xf2/0x180 [ 676.802879][T16686] ? __pfx_ip_tunnel_siocdevprivate+0x10/0x10 [ 676.802900][T16686] ? __lock_acquire+0xab9/0xd20 [ 676.802924][T16686] ipip6_tunnel_siocdevprivate+0x24e/0x1580 [ 676.802950][T16686] ? __pfx___mutex_trylock_common+0x10/0x10 [ 676.802974][T16686] ? __pfx_ipip6_tunnel_siocdevprivate+0x10/0x10 [ 676.803001][T16686] ? rcu_is_watching+0x15/0xb0 [ 676.803031][T16686] ? trace_contention_end+0x39/0x120 [ 676.803062][T16686] ? __mutex_lock+0x330/0xe80 [ 676.803083][T16686] ? __lock_acquire+0xab9/0xd20 [ 676.803103][T16686] ? dev_ioctl+0x83c/0x1150 [ 676.803120][T16686] ? full_name_hash+0x92/0xe0 [ 676.803143][T16686] ? netdev_name_node_lookup+0xdf/0x120 [ 676.803171][T16686] dev_ifsioc+0xb57/0xf00 [ 676.803195][T16686] dev_ioctl+0x84c/0x1150 [ 676.803216][T16686] sock_ioctl+0x719/0x790 [ 676.803232][T16686] ? __pfx_sock_ioctl+0x10/0x10 [ 676.803259][T16686] ? __fget_files+0x3a0/0x420 [ 676.803292][T16686] ? __fget_files+0x2a/0x420 [ 676.803312][T16686] ? bpf_lsm_file_ioctl+0x9/0x20 [ 676.803334][T16686] ? __pfx_sock_ioctl+0x10/0x10 [ 676.803359][T16686] __se_sys_ioctl+0xf9/0x170 [ 676.803384][T16686] do_syscall_64+0xfa/0x3b0 [ 676.803402][T16686] ? lockdep_hardirqs_on+0x9c/0x150 [ 676.803418][T16686] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 676.803435][T16686] ? clear_bhb_loop+0x60/0xb0 [ 676.803454][T16686] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 676.803469][T16686] RIP: 0033:0x7f4dfdf8e929 [ 676.803484][T16686] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 676.803502][T16686] RSP: 002b:00007f4dfed95038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 676.803525][T16686] RAX: ffffffffffffffda RBX: 00007f4dfe1b5fa0 RCX: 00007f4dfdf8e929 [ 676.803537][T16686] RDX: 0000200000000440 RSI: 00000000000089f1 RDI: 0000000000000003 [ 676.803548][T16686] RBP: 00007f4dfed95090 R08: 0000000000000000 R09: 0000000000000000 [ 676.803558][T16686] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 676.803568][T16686] R13: 0000000000000000 R14: 00007f4dfe1b5fa0 R15: 00007ffdd6a9c2f8 [ 676.803592][T16686] [ 677.276374][T16692] /dev/rnullb0: Can't open blockdev [ 677.695653][ T5889] usb 2-1: new high-speed USB device number 50 using dummy_hcd [ 677.719282][T16708] comedi comedi3: c6xdigio: a I/O base address must be specified [ 677.729823][T16708] ================================================================== [ 677.737936][T16708] BUG: KASAN: slab-use-after-free in sysfs_remove_file_ns+0x3d/0x70 [ 677.745955][T16708] Read of size 8 at addr ffff888031bbae30 by task syz.4.3671/16708 [ 677.753878][T16708] [ 677.756232][T16708] CPU: 0 UID: 0 PID: 16708 Comm: syz.4.3671 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 677.756265][T16708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 677.756281][T16708] Call Trace: [ 677.756291][T16708] [ 677.756302][T16708] dump_stack_lvl+0x189/0x250 [ 677.756340][T16708] ? __kasan_check_byte+0x12/0x40 [ 677.756378][T16708] ? __pfx_dump_stack_lvl+0x10/0x10 [ 677.756416][T16708] ? lock_release+0x4b/0x3e0 [ 677.756446][T16708] ? __virt_addr_valid+0x4a5/0x5c0 [ 677.756483][T16708] print_report+0xd2/0x2b0 [ 677.756507][T16708] ? sysfs_remove_file_ns+0x3d/0x70 [ 677.756531][T16708] kasan_report+0x118/0x150 [ 677.756569][T16708] ? sysfs_remove_file_ns+0x3d/0x70 [ 677.756599][T16708] sysfs_remove_file_ns+0x3d/0x70 [ 677.756626][T16708] bus_remove_driver+0x198/0x2f0 [ 677.756662][T16708] comedi_device_detach+0x134/0x720 [ 677.756701][T16708] ? comedi_request_region+0x11a/0x180 [ 677.756727][T16708] comedi_device_attach+0x568/0x670 [ 677.756754][T16708] comedi_unlocked_ioctl+0x686/0xf40 [ 677.756791][T16708] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 677.756833][T16708] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 677.756861][T16708] ? __lock_acquire+0xab9/0xd20 [ 677.756897][T16708] ? __fget_files+0x2a/0x420 [ 677.756924][T16708] ? __fget_files+0x2a/0x420 [ 677.756948][T16708] ? __fget_files+0x3a0/0x420 [ 677.756972][T16708] ? __fget_files+0x2a/0x420 [ 677.757000][T16708] ? bpf_lsm_file_ioctl+0x9/0x20 [ 677.757030][T16708] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 677.757061][T16708] __se_sys_ioctl+0xf9/0x170 [ 677.757096][T16708] do_syscall_64+0xfa/0x3b0 [ 677.757134][T16708] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 677.757157][T16708] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 677.757182][T16708] ? clear_bhb_loop+0x60/0xb0 [ 677.757208][T16708] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 677.757232][T16708] RIP: 0033:0x7f4dfdf8e929 [ 677.757254][T16708] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 677.757277][T16708] RSP: 002b:00007f4dfed95038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 677.757303][T16708] RAX: ffffffffffffffda RBX: 00007f4dfe1b5fa0 RCX: 00007f4dfdf8e929 [ 677.757322][T16708] RDX: 0000200000000400 RSI: 0000000040946400 RDI: 0000000000000003 [ 677.757339][T16708] RBP: 00007f4dfe010b39 R08: 0000000000000000 R09: 0000000000000000 [ 677.757355][T16708] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 677.757370][T16708] R13: 0000000000000000 R14: 00007f4dfe1b5fa0 R15: 00007ffdd6a9c2f8 [ 677.757396][T16708] [ 677.757405][T16708] [ 677.885639][ T24] usb 3-1: new high-speed USB device number 47 using dummy_hcd [ 677.886152][T16708] Allocated by task 8457: [ 678.027619][T16708] kasan_save_track+0x3e/0x80 [ 678.032332][T16708] __kasan_kmalloc+0x93/0xb0 [ 678.036960][T16708] __kmalloc_cache_noprof+0x230/0x3d0 [ 678.042372][T16708] bus_add_driver+0x162/0x640 [ 678.047083][T16708] driver_register+0x23a/0x320 [ 678.051867][T16708] c6xdigio_attach+0x94/0x890 [ 678.056574][T16708] comedi_device_attach+0x520/0x670 [ 678.061793][T16708] comedi_unlocked_ioctl+0x686/0xf40 [ 678.067121][T16708] __se_sys_ioctl+0xf9/0x170 [ 678.071743][T16708] do_syscall_64+0xfa/0x3b0 [ 678.076274][T16708] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 678.082199][T16708] [ 678.084533][T16708] Freed by task 16445: [ 678.088609][T16708] kasan_save_track+0x3e/0x80 [ 678.093328][T16708] kasan_save_free_info+0x46/0x50 [ 678.098385][T16708] __kasan_slab_free+0x62/0x70 [ 678.103188][T16708] kfree+0x18e/0x440 [ 678.107110][T16708] kobject_put+0x22b/0x480 [ 678.111562][T16708] bus_remove_driver+0x245/0x2f0 [ 678.116532][T16708] comedi_device_detach+0x134/0x720 [ 678.121763][T16708] comedi_device_attach+0x568/0x670 [ 678.126979][T16708] comedi_unlocked_ioctl+0x686/0xf40 [ 678.132289][T16708] __se_sys_ioctl+0xf9/0x170 [ 678.136917][T16708] do_syscall_64+0xfa/0x3b0 [ 678.141454][T16708] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 678.147366][T16708] [ 678.149700][T16708] The buggy address belongs to the object at ffff888031bbae00 [ 678.149700][T16708] which belongs to the cache kmalloc-256 of size 256 [ 678.163772][T16708] The buggy address is located 48 bytes inside of [ 678.163772][T16708] freed 256-byte region [ffff888031bbae00, ffff888031bbaf00) [ 678.177506][T16708] [ 678.179852][T16708] The buggy address belongs to the physical page: [ 678.186295][T16708] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031bbb200 pfn:0x31bba [ 678.196386][T16708] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 678.204902][T16708] flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff) [ 678.213411][T16708] page_type: f5(slab) [ 678.217423][T16708] raw: 00fff00000000240 ffff88801a841b40 ffffea0000a52290 ffffea0001da7890 [ 678.226015][T16708] raw: ffff888031bbb200 0000000000100007 00000000f5000000 0000000000000000 [ 678.234616][T16708] head: 00fff00000000240 ffff88801a841b40 ffffea0000a52290 ffffea0001da7890 [ 678.243309][T16708] head: ffff888031bbb200 0000000000100007 00000000f5000000 0000000000000000 [ 678.252004][T16708] head: 00fff00000000001 ffffea0000c6ee81 00000000ffffffff 00000000ffffffff [ 678.260686][T16708] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 678.269379][T16708] page dumped because: kasan: bad access detected [ 678.275815][T16708] page_owner tracks the page as allocated [ 678.281564][T16708] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5845, tgid 5845 (syz-executor), ts 88694351445, free_ts 88627347746 [ 678.302936][T16708] post_alloc_hook+0x240/0x2a0 [ 678.307728][T16708] get_page_from_freelist+0x21e4/0x22c0 [ 678.313294][T16708] __alloc_frozen_pages_noprof+0x181/0x370 [ 678.319123][T16708] alloc_pages_mpol+0x232/0x4a0 [ 678.323999][T16708] allocate_slab+0x8a/0x370 [ 678.328521][T16708] ___slab_alloc+0xbeb/0x1410 [ 678.333206][T16708] __kmalloc_noprof+0x305/0x4f0 [ 678.338092][T16708] fib_create_info+0x1728/0x3210 [ 678.343048][T16708] fib_table_insert+0xc6/0x1b50 [ 678.347940][T16708] fib_magic+0x2c4/0x390 [ 678.352204][T16708] fib_add_ifaddr+0x38d/0x5f0 [ 678.356916][T16708] fib_netdev_event+0x382/0x490 [ 678.361776][T16708] notifier_call_chain+0x1b3/0x3e0 [ 678.366927][T16708] __dev_notify_flags+0x18d/0x2e0 [ 678.371973][T16708] netif_change_flags+0xe8/0x1a0 [ 678.376920][T16708] do_setlink+0xc55/0x41c0 [ 678.381351][T16708] page last free pid 5852 tgid 5852 stack trace: [ 678.387696][T16708] __free_frozen_pages+0xb80/0xd80 [ 678.392820][T16708] __slab_free+0x303/0x3c0 [ 678.397257][T16708] qlist_free_all+0x97/0x140 [ 678.401878][T16708] kasan_quarantine_reduce+0x148/0x160 [ 678.407364][T16708] __kasan_slab_alloc+0x22/0x80 [ 678.412241][T16708] kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 678.417904][T16708] getname_flags+0xb8/0x540 [ 678.422430][T16708] do_sys_openat2+0xbc/0x1c0 [ 678.427036][T16708] __x64_sys_openat+0x138/0x170 [ 678.431905][T16708] do_syscall_64+0xfa/0x3b0 [ 678.436435][T16708] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 678.442358][T16708] [ 678.444700][T16708] Memory state around the buggy address: [ 678.450344][T16708] ffff888031bbad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 678.458422][T16708] ffff888031bbad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 678.466587][T16708] >ffff888031bbae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 678.474737][T16708] ^ [ 678.480386][T16708] ffff888031bbae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 678.488457][T16708] ffff888031bbaf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 678.488735][ T24] usb 3-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 678.496531][T16708] ================================================================== [ 678.527828][ T24] usb 3-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 678.538827][ T24] usb 3-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00 [ 678.548689][ T24] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3 [ 678.557183][ T24] usb 3-1: SerialNumber: syz [ 678.565092][T16708] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 678.572339][T16708] CPU: 0 UID: 0 PID: 16708 Comm: syz.4.3671 Not tainted 6.16.0-rc4-next-20250704-syzkaller #0 PREEMPT(full) [ 678.583910][T16708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 678.593997][T16708] Call Trace: [ 678.597291][T16708] [ 678.600241][T16708] dump_stack_lvl+0x99/0x250 [ 678.604864][T16708] ? __asan_memcpy+0x40/0x70 [ 678.609485][T16708] ? __pfx_dump_stack_lvl+0x10/0x10 [ 678.614715][T16708] ? __pfx__printk+0x10/0x10 [ 678.619376][T16708] panic+0x2db/0x790 [ 678.623293][T16708] ? __pfx_preempt_schedule+0x10/0x10 [ 678.628681][T16708] ? __pfx_panic+0x10/0x10 [ 678.633131][T16708] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 678.639046][T16708] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 678.645401][T16708] ? sysfs_remove_file_ns+0x3d/0x70 [ 678.650630][T16708] check_panic_on_warn+0x89/0xb0 [ 678.655581][T16708] ? sysfs_remove_file_ns+0x3d/0x70 [ 678.660805][T16708] end_report+0x78/0x160 [ 678.665086][T16708] kasan_report+0x129/0x150 [ 678.669631][T16708] ? sysfs_remove_file_ns+0x3d/0x70 [ 678.674854][T16708] sysfs_remove_file_ns+0x3d/0x70 [ 678.679908][T16708] bus_remove_driver+0x198/0x2f0 [ 678.684864][T16708] comedi_device_detach+0x134/0x720 [ 678.690096][T16708] ? comedi_request_region+0x11a/0x180 [ 678.695695][T16708] comedi_device_attach+0x568/0x670 [ 678.700914][T16708] comedi_unlocked_ioctl+0x686/0xf40 [ 678.706227][T16708] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 678.712093][T16708] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 678.718014][T16708] ? __lock_acquire+0xab9/0xd20 [ 678.722902][T16708] ? __fget_files+0x2a/0x420 [ 678.727608][T16708] ? __fget_files+0x2a/0x420 [ 678.732221][T16708] ? __fget_files+0x3a0/0x420 [ 678.737010][T16708] ? __fget_files+0x2a/0x420 [ 678.741637][T16708] ? bpf_lsm_file_ioctl+0x9/0x20 [ 678.746599][T16708] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 678.752447][T16708] __se_sys_ioctl+0xf9/0x170 [ 678.757081][T16708] do_syscall_64+0xfa/0x3b0 [ 678.761616][T16708] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 678.767710][T16708] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 678.773887][T16708] ? clear_bhb_loop+0x60/0xb0 [ 678.778586][T16708] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 678.784506][T16708] RIP: 0033:0x7f4dfdf8e929 [ 678.788943][T16708] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 678.808570][T16708] RSP: 002b:00007f4dfed95038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 678.817004][T16708] RAX: ffffffffffffffda RBX: 00007f4dfe1b5fa0 RCX: 00007f4dfdf8e929 [ 678.824996][T16708] RDX: 0000200000000400 RSI: 0000000040946400 RDI: 0000000000000003 [ 678.833006][T16708] RBP: 00007f4dfe010b39 R08: 0000000000000000 R09: 0000000000000000 [ 678.840992][T16708] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 678.848981][T16708] R13: 0000000000000000 R14: 00007f4dfe1b5fa0 R15: 00007ffdd6a9c2f8 [ 678.856969][T16708] [ 678.860269][T16708] Kernel Offset: disabled [ 678.864605][T16708] Rebooting in 86400 seconds..