last executing test programs: 19.818591595s ago: executing program 1 (id=2): r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x8800, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000000)=0x14) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000240)=0x7) ioctl$TIOCVHANGUP(r0, 0x5437, 0x0) syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) r1 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0xb, 0x8, 0xc, 0x80000000, 0x1, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x100000}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r1}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x800000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x8, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x45, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000540)='kfree\x00', r2}, 0x10) mount(0x0, 0x0, 0x0, 0x0, 0x0) quotactl_fd$Q_SETQUOTA(0xffffffffffffffff, 0xffffffff80000800, 0x0, 0x0) socket$nl_rdma(0x10, 0x3, 0x14) set_mempolicy(0x4003, &(0x7f0000000200)=0x7, 0x3) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='freezer.self_freezing\x00', 0x275a, 0x0) write$binfmt_script(r3, &(0x7f0000000100), 0x208e24b) sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r4 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r4, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3) 18.108489723s ago: executing program 1 (id=6): prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) r3 = socket$inet_sctp(0x2, 0x1, 0x84) socket$nl_generic(0x10, 0x3, 0x10) listen(r3, 0xda90) accept4(r3, 0x0, 0x0, 0x0) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r4, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000180)=ANY=[@ANYBLOB="4c0000000206030000000000aee3194a6ed1a97714000300686173683a69702c706f72742c6970000900020073797a3100000000050005000a00000005000400010000000500010007000000"], 0x4c}, 0x1, 0x0, 0x0, 0x4000090}, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f0000000200)=0x400000bce) r5 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x1) read$msr(r5, &(0x7f0000019680)=""/102392, 0x18ff8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0xf000000) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x15) 18.000303479s ago: executing program 2 (id=3): bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0xb, 0x5, 0x400, 0x9, 0x1}, 0x48) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000280)=0x8) r0 = getpid() sched_setaffinity(0x0, 0x0, 0x0) sched_setscheduler(r0, 0x2, &(0x7f0000000180)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=@framed={{0x18, 0x0, 0x0, 0x0, 0xc657}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x2}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000005c0)={0x18, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000140)='sched_switch\x00', r3}, 0x10) socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) recvmsg(r4, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000100)=[{&(0x7f0000000400)=""/248, 0xf8}], 0x1}, 0x1f00) sendmsg$tipc(r5, &(0x7f0000000240)={0x0, 0xfffffff5, &(0x7f0000000200)=[{&(0x7f0000000140)="a2", 0xfffffdef}], 0x1}, 0x0) 16.497511856s ago: executing program 2 (id=7): prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) r3 = socket$inet_sctp(0x2, 0x1, 0x84) sendto$inet(r3, 0x0, 0x0, 0x0, &(0x7f0000004ff0)={0x2, 0x0, @rand_addr=0xfffffffffffffffe}, 0x10) listen(r3, 0xda90) accept4(r3, 0x0, 0x0, 0x0) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r4, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000180)=ANY=[@ANYBLOB="4c0000000206030000000000aee3194a6ed1a97714000300686173683a69702c706f72742c6970000900020073797a3100000000050005000a00000005000400010000000500010007000000"], 0x4c}, 0x1, 0x0, 0x0, 0x4000090}, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f0000000200)=0x400000bce) r5 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x1) read$msr(r5, &(0x7f0000019680)=""/102392, 0x18ff8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0xf000000) connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) 13.473013353s ago: executing program 4 (id=5): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0x6, &(0x7f0000000cc0)=ANY=[@ANYBLOB="050000000000000061110c00000000008510000002000000850000000500000095000000000000009500a5050000000077d8f3b423cdac8d80000000000000002be16ad10a48b243ccc42606d25dfd73a015e0ca7fc2506a0f7535f7866907dc0200000000000000ae669e17fd6587d452d6453559c3421eed73d56615fe6c54c3b3ffe1b4ce25d7c983c044c03bf3a48dfe47ec9dd6c091c30b93bfae76d9ebacd3ed3e26e7a23129d6606fd28a69989d552af6bda9df2c3af36effff9af2551ce896165127cb3f011a7d06602e2fc40848228567ffb400000000003ed38ae89d24e1cebfba2f87925bfacba83109751fe6c05405d027edd68149ee99eef6a6992308a4fc0b7c70bc677d6dd4aed4af7500d7900a820b6347184e9a217b5614cd50cbe43a1ed2526814bc0000e9e086ce48e90defb6670c3df2624f56da648d28ad0a97aec7291c25447c106a99893e10db21901eb397b2f5fd71400fa7a050fbbef9e326ea27e513e96068fd1e8a43e89f9c85c822a961546ed5363c17ff1432d08806bc376e3e49ee52b59d13182e1f24ed200ada10eb1affb87ba55b2d72078e9f40b4ae7d01000000d11cd22c35d32940000088dde499000000fdffffff00000000000f000000ef0000000000000000000000000c52f4ebd2c893bb97a068bd10734a83584898eccb26f7b789cfc4cd995fa3e11a5c74c85404e2df3ad37b729ac83b0dcb4f48f3c3356b9997fc455a17690b6f7f9ccbe4b1701941b18aba6b16455a66c3b84b138efc20a546d3d5227e23b03f2a834391ade2ff3e93ee296c4082ee73e7c353312c9d75711ce1623e9c54bdff59d2a69dcb7d84c235b23a4480c2461b405cfd1a38992f295ad3adc94cd07c850d1ce6d0b2fea02c24e9280333152fb794e4ddea02017a6c139b50101caecaf2abc0847a1ff2f7fc3c2b99a96fc4275ad107274e2934a87a4ddcdb112754ca5bdec0ead14b6c0f19a43a2f05c7f0be31491eb8c9ff68236c8600040000000000000000000066e034c81c3cab64e4fc8dc55ce0ada18dcbf31c6e82893add3bee3e10fc873d1d922b0877cbcd95b839d3059d5140a1f742f6e75741e39e5cb6a193e06a1043375b0f61b5d4e17c81baa31b924d84f224baf1221c15fa12313ffbfa7c2730309f66705b71e6205e7cbf3643561eabb9a63fcd604d5cc27e1317ad94cf438d71873e540be16b6ca205081173bd03c4754fc4674812daab482fd390a1c903b5d28a1eb247b5837d7603b92495d5c569f6433c3fca5206cb0000003fdbbd3892c52c2e7612e05de32322e980a3d69931e2c9312dd517c96f2ee90362476ed853c4c9b7d4ebf13cbaa795860e92a3d7d004f2c491db38eb769f094d5d48b262cc35c40682138cf13a49aa9f27abec00002f01ba1251aaf2385416ca719300"], &(0x7f0000000080)='GPL\x00', 0x5, 0x29e, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x6}, 0x70) bpf$MAP_CREATE(0x0, 0x0, 0x0) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r3}, 0x10) socket$nl_netfilter(0x10, 0x3, 0xc) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0) openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000), 0xc02, 0x0) 12.080187952s ago: executing program 4 (id=8): bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) getrlimit(0x5, &(0x7f0000000040)) bpf$MAP_CREATE(0x0, 0x0, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000380)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_TCP_MD5SIG(r3, 0x6, 0xe, 0x0, 0x0) sendto$inet6(r3, 0x0, 0x0, 0x20000841, 0x0, 0x0) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFULNL_MSG_CONFIG(r4, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000001c0)={0x0, 0x1c}, 0x1, 0x0, 0x0, 0x4040000}, 0x0) setsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000000100)=0x7, 0x4) r5 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x0) readv(r5, &(0x7f00000002c0)=[{&(0x7f0000001500)=""/4110, 0x100e}], 0x1) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000080), 0x8e383, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x0, 0x13, 0xffffffffffffffff, 0x0) 10.515461459s ago: executing program 4 (id=9): prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f00000001c0)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x6770c000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) 9.099580853s ago: executing program 0 (id=1): bpf$PROG_LOAD(0x5, &(0x7f0000001200)={0x11, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41100, 0xc, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x0) sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4008040) sched_setscheduler(0x0, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) semctl$IPC_INFO(0x0, 0x1, 0x3, 0x0) ioctl$AUTOFS_IOC_SETTIMEOUT(0xffffffffffffffff, 0x80049367, &(0x7f0000000040)) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000004c00)=""/102392, 0x18ff8) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0), 0x6a242, 0x0) poll(&(0x7f0000000000)=[{r2, 0x180}], 0x1, 0x2) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=@base={0x12, 0x7, 0x4, 0x1}, 0x50) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000a80)={r3, &(0x7f0000000940), &(0x7f0000000a40)=@tcp6=r1}, 0x20) recvmmsg(r1, &(0x7f00000003c0)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000280)=[{&(0x7f0000000180)=""/52, 0x34}], 0x1}, 0xe}], 0x2, 0x0, 0x0) r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000100)) r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) dup3(r5, r4, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000200)={0x5c, 0x0, &(0x7f0000002540)=[@request_death, @acquire, @transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000140)={0x30, 0x30, 0x30}}}], 0x0, 0x1000000, 0x0}) r6 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000003480)='/sys/kernel/debug/binder/transactions\x00', 0x0, 0x0) read$FUSE(r6, &(0x7f0000000480)={0x2020}, 0x2020) socket$nl_generic(0x10, 0x3, 0x10) 9.056838534s ago: executing program 3 (id=4): socket$nl_xfrm(0x10, 0x3, 0x6) socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r1, 0x0, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc)) r3 = userfaultfd(0x801) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f0000000140)={0xaa, 0x60d}) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x1}) syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x0, &(0x7f0000000100), 0xc06620, 0x4) 7.620205456s ago: executing program 2 (id=10): r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x8800, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000000)=0x14) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000240)=0x7) ioctl$TIOCVHANGUP(r0, 0x5437, 0x0) syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) r1 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0xb, 0x8, 0xc, 0x80000000, 0x1, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x100000}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r1}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x800000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x8, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x45, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000540)='kfree\x00', r2}, 0x10) mount(0x0, 0x0, 0x0, 0x0, 0x0) quotactl_fd$Q_SETQUOTA(0xffffffffffffffff, 0xffffffff80000800, 0x0, 0x0) socket$nl_rdma(0x10, 0x3, 0x14) set_mempolicy(0x4003, &(0x7f0000000200)=0x7, 0x3) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='freezer.self_freezing\x00', 0x275a, 0x0) write$binfmt_script(r3, &(0x7f0000000100), 0x208e24b) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r3, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r4 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r4, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x15) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3) 7.231212949s ago: executing program 0 (id=11): ioctl$TIOCSETD(0xffffffffffffffff, 0x5423, &(0x7f00000000c0)=0xf) ioctl$TCFLSH(0xffffffffffffffff, 0x400455c8, 0x4) mount$afs(0x0, 0x0, &(0x7f0000000200), 0x4080, &(0x7f0000000340)={[{@dyn}, {@flock_openafs}]}) r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x18, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="18010000000000000000000000000000850000"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='sched_switch\x00', r0}, 0x10) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x102}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) sendmsg$NFC_CMD_LLC_SDREQ(0xffffffffffffffff, 0x0, 0x480c0) socket$nl_generic(0x10, 0x3, 0x10) r4 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000040)='/proc/stat\x00', 0x0, 0x0) pread64(r4, &(0x7f00000024c0)=""/209, 0xfd36, 0x698) bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f0000000240), 0x4) r5 = socket$nl_route(0x10, 0x3, 0x0) r6 = socket$nl_route(0x10, 0x3, 0x0) r7 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r7, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="200000006800e97800000000000000000a0000000000000008000500", @ANYRES8=r5], 0x20}}, 0x0) sendmsg$nl_route(r6, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="240000001800090400000000000000000a000000000000030000000008001e0001"], 0x24}}, 0x0) 6.857747229s ago: executing program 1 (id=12): epoll_create1(0x0) openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0) sendmmsg$unix(0xffffffffffffffff, 0x0, 0x0, 0x0) socket$vsock_stream(0x28, 0x1, 0x0) syz_usb_connect$hid(0x6, 0x36, 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = syz_io_uring_setup(0xbdc, &(0x7f0000000640)={0x0, 0xec25, 0x400, 0x1, 0x40000333}, &(0x7f00000006c0)=0x0, &(0x7f00000001c0)) syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4) io_uring_enter(r0, 0x847ba, 0x0, 0xe, 0x0, 0x0) 5.737435289s ago: executing program 0 (id=13): r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x8800, 0x0) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000000)=0x14) ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000240)=0x7) ioctl$TIOCVHANGUP(r0, 0x5437, 0x0) syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) r1 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0xb, 0x8, 0xc, 0x80000000, 0x1, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x100000}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=@framed={{0x18, 0x0, 0x0, 0x0, 0x7}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r1}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x800000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x8, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x45, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000540)='kfree\x00', r2}, 0x10) mount(0x0, 0x0, 0x0, 0x0, 0x0) quotactl_fd$Q_SETQUOTA(0xffffffffffffffff, 0xffffffff80000800, 0x0, 0x0) socket$nl_rdma(0x10, 0x3, 0x14) set_mempolicy(0x4003, &(0x7f0000000200)=0x7, 0x3) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='freezer.self_freezing\x00', 0x275a, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r3, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) r4 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102) writev(r4, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3) 3.869956838s ago: executing program 4 (id=14): mkdir(&(0x7f0000000040)='./file0\x00', 0x80) mkdir(&(0x7f0000000040)='./file1\x00', 0x0) ioprio_set$pid(0x2, 0x0, 0x4007) mkdir(&(0x7f0000000000)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x80, &(0x7f0000000380)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}]}) chdir(0x0) r0 = open(&(0x7f0000000580)='./file1\x00', 0x80242, 0x1df2a23c5997fa5f) sendfile(r0, r0, 0x0, 0x7f03) 3.589087762s ago: executing program 2 (id=15): socket$inet6_sctp(0xa, 0x1, 0x84) sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() bpf$BPF_PROG_TEST_RUN(0xa, 0x0, 0x0) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0) recvmmsg(r1, 0x0, 0x0, 0x2, 0x0) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu/syz0\x00', 0x1ff) r3 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r4 = openat$cgroup_procs(r3, &(0x7f0000000100)='tasks\x00', 0x2, 0x0) write$cgroup_pid(r4, &(0x7f00000000c0), 0x12) 3.500975899s ago: executing program 4 (id=16): bpf$TOKEN_CREATE(0x24, &(0x7f0000000040), 0x8) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000002c0)={0x18, 0x3, &(0x7f0000000080)=@framed={{0x18, 0x0, 0x0, 0x0, 0x3}}, &(0x7f0000000000)='syzkaller\x00'}, 0x94) openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0) setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, &(0x7f0000000140)={0x0, 0x9002}, 0x4) setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, &(0x7f0000000080)={0x2, 0x4}, 0x4) bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x20008b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000640)=0x3) sched_setaffinity(0x0, 0x8, &(0x7f0000000280)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f000001aa40)=""/102400, 0x19000) ioctl$SG_IO(0xffffffffffffffff, 0x2285, 0x0) writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f00000002c0)="02dfe59a4319e5cb8c7425016cef40efcf5013d513586f1923306447aabc", 0x1e}, {&(0x7f0000000040)}], 0x2) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000180), 0x40400, 0x0) setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x84, 0x24, &(0x7f0000000040), 0x4) 2.977601031s ago: executing program 1 (id=17): openat$uinput(0xffffffffffffff9c, &(0x7f0000000340), 0x802, 0x0) prlimit64(0x0, 0xe, &(0x7f00000001c0)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000640)=0x3) sched_setaffinity(0x0, 0x8, &(0x7f0000000280)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000001a40)=""/102392, 0x18ff8) prctl$PR_SET_PDEATHSIG(0x21, 0x1) r1 = socket$alg(0x26, 0x5, 0x0) bind$alg(r1, &(0x7f0000000200)={0x26, 'rng\x00', 0x0, 0x0, 'ansi_cprng\x00'}, 0x58) setsockopt$ALG_SET_KEY(r1, 0x117, 0x1, 0x0, 0x0) setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, &(0x7f0000000000)={0x8, 0x0, 0x2}, 0x10) sendmsg$IPSET_CMD_FLUSH(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000040)={0x1c, 0x4, 0x6, 0x201, 0x0, 0x0, {0x0, 0x0, 0x1}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000020}, 0x800) 2.324159024s ago: executing program 0 (id=18): r0 = socket$inet_mptcp(0x2, 0x1, 0x106) sendmmsg$inet(r0, &(0x7f0000000480), 0x0, 0x4048815) setsockopt$sock_int(r0, 0x1, 0x9, &(0x7f0000000140)=0xffff0000, 0x4) r1 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000400), 0x202) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) syz_emit_ethernet(0x36, &(0x7f0000000880)=ANY=[@ANYBLOB="0180c200001050a2457346e00800450000280020000080ff9078ffffff03ad1414a211e09078000302000000000000000000ffffff7f511106bf5b64fc89ca907976f2b9678d334e9f8916c40037804a83c9f44780edde951b7dc0a197f9bd72d3489a3ad724d8836400004bfb60a30a4e6397509cff6176499fc0ef4a16240be51e785a7397d52f64e83847bbb0fa65be2bc8785e393c7bab7bf34de44bcbab8b46299a78d432ebf8e842721fb43e55cad53b835e461ea84dc201ebdf252408ffa80af42bc4af89544b551500000067df9fc87a38efdf064995aca4039f7b37f1b934eef1178f3b9e3a79ab0f2bd8965864a0bc1aaa4ab1e45d7751680844498387a0f412b97726f9407933eb89de577ddc20e489eaef9941c7452f451f63f5cb9e0b1e04165ce6a157f477790544ef2ea35b671a2ab711ed7a9ddbe926d4111170821ccffe5cc0902e751b1ff3a56ac93508b65701fbf605606d85cb20a2bbeaffaf79593e11dc2091147fbbe6a80016654307f4b3c74469a6308492a251cbc9d1a5979e0175"], 0x0) openat$cgroup_netprio_ifpriomap(0xffffffffffffffff, 0x0, 0x2, 0x0) r4 = syz_io_uring_setup(0x88f, &(0x7f0000000140)={0x0, 0xaee2, 0x0, 0x2, 0xbfdffffc}, &(0x7f0000000000)=0x0, &(0x7f0000000280)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r5, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r5, r6, &(0x7f00000002c0)=@IORING_OP_POLL_ADD={0x6, 0x0, 0x0, @fd_index=0x3, 0x0, 0x0, 0x0, {0x216}}) r7 = socket$inet6(0xa, 0x80002, 0x0) connect$inet6(r7, &(0x7f0000000000)={0xa, 0x0, 0x0, @loopback={0xff00000000000000}, 0x400}, 0x1c) sendmmsg$inet6(r7, &(0x7f0000003cc0)=[{{0x0, 0x0, &(0x7f0000003980), 0x171}}], 0x400000000000172, 0x4000000) io_uring_enter(r4, 0x47f6, 0xcd81, 0x4, 0x0, 0x0) r8 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0) ioctl$TIOCSETD(r8, 0x5423, &(0x7f0000000040)=0xd) write$uinput_user_dev(0xffffffffffffffff, &(0x7f0000000400)={'syz0\x00', {0x3, 0x2, 0x6, 0xfffa}, 0x8, [0x8000, 0xc959, 0xd, 0x8, 0x3, 0x2, 0x3, 0x7f, 0x20000006, 0x4d, 0x6, 0x5f, 0x9, 0x5, 0xffff2d37, 0xffffff01, 0x4, 0x3, 0x0, 0x5, 0x4, 0x0, 0x7, 0x3c5b, 0x1, 0x24, 0xd, 0x1, 0x0, 0xffffffff, 0xe661, 0x4, 0x7, 0x3, 0x8, 0x4c74, 0x80000000, 0x242, 0x3, 0xe, 0x0, 0x80008071, 0x7, 0x17, 0x1, 0x7, 0x7, 0x3e, 0x8f, 0x6, 0x6, 0xffffffff, 0x5, 0x4, 0x8, 0x3ff, 0x5, 0x0, 0x5, 0x6, 0x8, 0x4, 0x1, 0x40], [0x10000007, 0x9, 0x8000012f, 0x8004, 0x5, 0x5, 0x129432e6, 0x2, 0xf9, 0xe, 0x2bf, 0x6c7, 0x9, 0xfffffffc, 0x3, 0x0, 0x0, 0x5, 0x33, 0xe, 0x312, 0x7b, 0xea4, 0x0, 0x4, 0x7, 0x7fff, 0x6, 0x400, 0x401, 0x6, 0x1, 0xff, 0x5, 0x1000005, 0x5f31, 0x40000d, 0x4e0, 0x2, 0x4, 0xb, 0x4, 0x9, 0x8, 0x9, 0x6, 0x47, 0x8000, 0x1, 0xfe000000, 0xffff, 0x2, 0x4, 0x9, 0x7f, 0x3, 0x9, 0x1, 0x3, 0x403, 0xbc45, 0x48c93690, 0x42, 0x3], [0x7, 0x408, 0x4, 0x5, 0xfffffffe, 0x100, 0x8d2, 0x9, 0x5, 0x7fff, 0x0, 0x5, 0xb, 0x4, 0x5, 0x5, 0x0, 0x1ef, 0x5, 0x8, 0x86, 0x3, 0x303c, 0x3e7, 0xb, 0x5, 0x2, 0x2, 0x3, 0x20000008, 0x4, 0x6d01, 0x6, 0x200038, 0x800003, 0x200, 0x80, 0x3, 0x1, 0x4, 0x1000, 0xa2, 0x7, 0xa9, 0x5, 0x6, 0xac8, 0xbf, 0x2, 0x2244, 0x7ff, 0x12b, 0x4, 0x1, 0x9, 0x0, 0xffffff7f, 0x1c, 0x120000, 0x3, 0x2006, 0x80a2ed, 0x4, 0x25], [0x9, 0xbb33, 0x7, 0xb, 0x5, 0x938, 0x6, 0x6, 0x0, 0xb9, 0xce7, 0x1ff, 0x5, 0x57, 0x5, 0x3, 0x101, 0x10000, 0x4, 0x7fff, 0xffff, 0x7, 0x1, 0x5, 0x1, 0x2, 0x14c, 0x60a7, 0x6, 0x16, 0xffffffff, 0x80000000, 0x5, 0x4, 0x40c8, 0x1, 0xfffff000, 0x110000, 0x3, 0x7e, 0x100, 0x3, 0x7, 0xaf, 0x8, 0x6, 0x226, 0x5, 0x5, 0x8, 0x30b1d693, 0xa1f, 0xf40, 0x7, 0x1, 0x6c1b, 0x0, 0x2, 0x8, 0xb1e, 0xd7, 0x200, 0xffff343e, 0xfff]}, 0x45c) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200448c5, &(0x7f0000000200)={0x2, 0x4e21, @multicast2}, 0xc) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_INFO(r1, 0xc08c5334, &(0x7f00000004c0)={0x6, 0x2, 0x1, 'queue1\x00', 0x1}) 1.957560854s ago: executing program 2 (id=19): bpf$PROG_LOAD(0x5, &(0x7f0000001200)={0x11, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41100, 0xc, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x0) sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4008040) prlimit64(0x0, 0xe, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x1) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) semctl$IPC_INFO(0x0, 0x1, 0x3, 0x0) ioctl$AUTOFS_IOC_SETTIMEOUT(0xffffffffffffffff, 0x80049367, &(0x7f0000000040)) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000004c00)=""/102392, 0x18ff8) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0), 0x6a242, 0x0) poll(&(0x7f0000000000)=[{r2, 0x180}], 0x1, 0x2) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=@base={0x12, 0x7, 0x4, 0x1}, 0x50) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000a80)={r3, &(0x7f0000000940), 0x0}, 0x20) recvmmsg(r1, 0x0, 0x0, 0x0, 0x0) r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000100)) r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) dup3(r5, r4, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000200)={0x5c, 0x0, &(0x7f0000002540)=[@request_death, @acquire, @transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000140)={0x30, 0x30, 0x30}}}], 0x0, 0x1000000, 0x0}) r6 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000003480)='/sys/kernel/debug/binder/transactions\x00', 0x0, 0x0) read$FUSE(r6, &(0x7f0000000480)={0x2020}, 0x2020) socket$nl_generic(0x10, 0x3, 0x10) socket$nl_generic(0x10, 0x3, 0x10) 1.325496151s ago: executing program 1 (id=20): r0 = socket$inet_mptcp(0x2, 0x1, 0x106) openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x26e1, 0x0) bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[], 0x50) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_FASTOPEN_KEY(0xffffffffffffffff, 0x6, 0x21, &(0x7f0000000040)="5766b1b827f600333b09d3748ee7d700", 0x10) r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="1b0000000000000000000000000004"], 0x48) r2 = socket$inet(0x2b, 0x801, 0x0) socket$inet6_sctp(0xa, 0x5, 0x84) ioctl$int_in(r2, 0x5452, &(0x7f0000000280)=0x8) r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000b00)={0x11, 0xf, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf0900000000000055090100000000009500000800000000bf91000000000000b702000043e7b5538500000085000000b70000000000000095"], &(0x7f0000000080)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000140)='kmem_cache_free\x00', r3}, 0x10) ppoll(&(0x7f0000000500)=[{r1}], 0x1, 0x0, 0x0, 0x0) pselect6(0x40, &(0x7f00000001c0)={0x1, 0x0, 0x3, 0x0, 0x0, 0x0, 0x4}, 0x0, &(0x7f00000002c0)={0x3ff, 0x0, 0x5f8, 0x0, 0x0, 0x0, 0x7fffffff}, 0x0, 0x0) shutdown(r0, 0x1) 837.110764ms ago: executing program 4 (id=21): bpf$PROG_LOAD(0x5, &(0x7f0000001200)={0x11, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41100, 0xc, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x0) sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4008040) sched_setscheduler(0x0, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) semctl$IPC_INFO(0x0, 0x1, 0x3, 0x0) ioctl$AUTOFS_IOC_SETTIMEOUT(0xffffffffffffffff, 0x80049367, &(0x7f0000000040)) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000004c00)=""/102392, 0x18ff8) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) r2 = openat$userio(0xffffffffffffff9c, &(0x7f00000001c0), 0x6a242, 0x0) poll(&(0x7f0000000000)=[{r2, 0x180}], 0x1, 0x2) r3 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=@base={0x12, 0x7, 0x4, 0x1}, 0x50) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000a80)={r3, &(0x7f0000000940), &(0x7f0000000a40)=@tcp6=r1}, 0x20) recvmmsg(r1, &(0x7f00000003c0)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000280)=[{&(0x7f0000000180)=""/52, 0x34}], 0x1}, 0xe}], 0x2, 0x0, 0x0) r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000100)) r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) dup3(r5, r4, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000200)={0x5c, 0x0, &(0x7f0000002540)=[@request_death, @acquire, @transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000140)={0x30, 0x30, 0x30}}}], 0x0, 0x1000000, 0x0}) r6 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000003480)='/sys/kernel/debug/binder/transactions\x00', 0x0, 0x0) read$FUSE(r6, &(0x7f0000000480)={0x2020}, 0x2020) socket$nl_generic(0x10, 0x3, 0x10) 139.337767ms ago: executing program 1 (id=22): socket$inet_tcp(0x2, 0x1, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f0000000300)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sendmsg(r1, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r2, 0x84, 0x71, 0x0, 0x0) fchmod(0xffffffffffffffff, 0x32) setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r2, 0x84, 0x7c, &(0x7f0000000280)={0x0, 0x100, 0xd9}, 0x8) r3 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x401) ioctl$BLKTRACESETUP(r3, 0xc0481273, &(0x7f0000000b40)={'\x00', 0x8, 0x530, 0xc, 0xfffffffffffffffd, 0x59c}) ioctl$SG_BLKTRACETEARDOWN(r3, 0x1276, 0x20000000) ioctl$FS_IOC_MEASURE_VERITY(r2, 0xc0046686, &(0x7f0000000380)={0x0, 0xd5, "7b0005143dc5397033fbb9bd9139a2c4522d593f365d0edd03cdd3dda7d9d868af45b6244ede7c290783b7e3efb33481a13da0565eb673c39038342203dc5d7bbdc28a2232a91200342257b764f6d35dd652c684b5acc9cabdcde33eb3b03f8b185a0f9a78641e3b797d89daa9b1006543440474cf31eda07fda13dafad0bacd7a686a95ea446bcad673043134afaf38bba4e401e4fa1a5053b9826bed3a141adb04c6882463079aba7a69ae62820f31c5430142e82bbc7204d5d63cf006af35834c132574b30653b8440ea4f26cbeb220e7101535"}) add_key(&(0x7f0000000100)='rxrpc\x00', 0x0, 0x0, 0x0, 0xffffffffffffffff) r4 = openat$kvm(0xffffffffffffff9c, 0x0, 0x400000, 0x0) write$proc_mixer(0xffffffffffffffff, &(0x7f0000000100)=ANY=[@ANYBLOB="4241537620274b4420436170747d7265272030303030303030303030060000003030303030300a4c494e45494e0a5048594e454f55540a00"/65], 0x41) ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) syz_open_procfs$pagemap(0xffffffffffffffff, &(0x7f00000000c0)) madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e) r5 = socket$nl_netfilter(0x10, 0x3, 0xc) r6 = syz_io_uring_setup(0x107, &(0x7f0000000140)={0x0, 0x747f, 0x0, 0x4, 0xae}, &(0x7f00000003c0)=0x0, &(0x7f0000000340)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r7, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r7, r8, &(0x7f00000002c0)=@IORING_OP_OPENAT={0x12, 0x0, 0x0, 0xffffffffffffffff, 0x0, &(0x7f0000000100)='./file0\x00', 0x0, 0x29c780}) io_uring_enter(r6, 0x3518, 0xaddf, 0x2, 0x0, 0x0) sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000100)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a03000000000000000000070000000900010073797a30000000004c000000090a010400000000000000000700000008000a40000000000900020025797a31000000000900010073797a3000000000080005400000001c"], 0xe8}}, 0x0) madvise(&(0x7f0000000000/0x3000)=nil, 0x7fffffffffffffff, 0x15) mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil) mbind(&(0x7f00000a2000/0x4000)=nil, 0x4000, 0x4002, &(0x7f0000000200)=0x2000000000000008, 0x5, 0x3) 0s ago: executing program 3 (id=23): bpf$PROG_LOAD(0x5, 0x0, 0x0) sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4008040) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x9}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x1) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) ioctl$AUTOFS_IOC_SETTIMEOUT(0xffffffffffffffff, 0x80049367, &(0x7f0000000040)) r0 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0) read$msr(r0, &(0x7f0000004c00)=""/102392, 0x18ff8) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) listen(r1, 0xf) bpf$MAP_CREATE(0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="12000000070000000400", @ANYBLOB="5a9ce97ca6bb6fb4caaa087df785f5233879ffb86468fe6a7be85a9594369e3e1e0b090556290186a14590d6405481b7ce4844d81a03230212bf86bb6d2348ed0da06ada63bfed6c551d9ebe5cdca44afbff5473eca0f2ab5754dc75044b9faefe2ca9d7975cf76168130a21", @ANYBLOB="00ffffffe900000005000000000000000000", @ANYRES32=0x0, @ANYRES32, @ANYRESHEX=r1], 0x50) bpf$MAP_UPDATE_ELEM(0x2, 0x0, 0x0) recvmmsg(r1, &(0x7f00000003c0)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000280)=[{&(0x7f0000000180)=""/52, 0x34}], 0x1}, 0xe}], 0x2, 0x0, 0x0) sendmsg$NL80211_CMD_AUTHENTICATE(0xffffffffffffffff, 0x0, 0x80) unshare(0x20000400) socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0) bind$bt_l2cap(r2, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r2, 0x90004) syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="043e130100c90001"], 0x16) r3 = bpf$PROG_LOAD(0x5, 0x0, 0x0) ioctl$F2FS_IOC_MOVE_RANGE(r3, 0xc020f509, &(0x7f0000000040)={0xffffffffffffffff, 0xfffffffffffffff9, 0x0, 0xc}) ppoll(&(0x7f00000000c0)=[{0xffffffffffffffff, 0x80}, {r2, 0x60}], 0x2, 0x0, 0x0, 0x0) kernel console output (not intermixed with test programs): [ 92.883474][ T994] cfg80211: failed to load regulatory.db Warning: Permanently added '10.128.0.117' (ED25519) to the list of known hosts. [ 99.289319][ T5830] cgroup: Unknown subsys name 'net' [ 99.539999][ T5830] cgroup: Unknown subsys name 'cpuset' [ 99.633904][ T5830] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 101.827965][ T5830] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 106.371049][ T5846] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 106.389832][ T5846] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 106.390471][ T5849] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 106.392365][ T5846] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 106.394167][ T5849] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 106.395805][ T5849] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 106.405927][ T5849] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 106.406262][ T5849] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 106.409388][ T5849] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 106.449723][ T5849] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 106.451805][ T5849] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 106.453700][ T5849] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 106.458112][ T5849] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 106.463923][ T5850] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 106.465282][ T5850] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 106.466610][ T5850] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 106.468468][ T5849] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 106.471537][ T59] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 106.473584][ T5849] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 106.509078][ T5846] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 106.586042][ T5157] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 106.590073][ T5157] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 106.594016][ T5157] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 106.600639][ T5157] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 106.602460][ T5157] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 107.780016][ T5848] chnl_net:caif_netlink_parms(): no params data found [ 107.842133][ T5852] chnl_net:caif_netlink_parms(): no params data found [ 107.891258][ T5842] chnl_net:caif_netlink_parms(): no params data found [ 108.080848][ T5851] chnl_net:caif_netlink_parms(): no params data found [ 108.157617][ T5843] chnl_net:caif_netlink_parms(): no params data found [ 108.555519][ T5846] Bluetooth: hci1: command tx timeout [ 108.555523][ T59] Bluetooth: hci0: command tx timeout [ 108.555711][ T59] Bluetooth: hci2: command tx timeout [ 108.555878][ T5157] Bluetooth: hci3: command tx timeout [ 108.633285][ T5157] Bluetooth: hci4: command tx timeout [ 108.807322][ T5848] bridge0: port 1(bridge_slave_0) entered blocking state [ 108.809898][ T5848] bridge0: port 1(bridge_slave_0) entered disabled state [ 108.810732][ T5848] bridge_slave_0: entered allmulticast mode [ 108.820092][ T5848] bridge_slave_0: entered promiscuous mode [ 109.020309][ T5848] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.020498][ T5848] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.020894][ T5848] bridge_slave_1: entered allmulticast mode [ 109.022773][ T5848] bridge_slave_1: entered promiscuous mode [ 109.149160][ T5852] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.149317][ T5852] bridge0: port 1(bridge_slave_0) entered disabled state [ 109.149600][ T5852] bridge_slave_0: entered allmulticast mode [ 109.152825][ T5852] bridge_slave_0: entered promiscuous mode [ 109.271928][ T5842] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.272082][ T5842] bridge0: port 1(bridge_slave_0) entered disabled state [ 109.272367][ T5842] bridge_slave_0: entered allmulticast mode [ 109.276877][ T5842] bridge_slave_0: entered promiscuous mode [ 109.374768][ T5852] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.374923][ T5852] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.375187][ T5852] bridge_slave_1: entered allmulticast mode [ 109.377530][ T5852] bridge_slave_1: entered promiscuous mode [ 109.546663][ T5842] bridge0: port 2(bridge_slave_1) entered blocking state [ 109.546824][ T5842] bridge0: port 2(bridge_slave_1) entered disabled state [ 109.547068][ T5842] bridge_slave_1: entered allmulticast mode [ 109.550333][ T5842] bridge_slave_1: entered promiscuous mode [ 109.810099][ T5848] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 109.884926][ T5851] bridge0: port 1(bridge_slave_0) entered blocking state [ 109.885085][ T5851] bridge0: port 1(bridge_slave_0) entered disabled state [ 109.885309][ T5851] bridge_slave_0: entered allmulticast mode [ 109.888624][ T5851] bridge_slave_0: entered promiscuous mode [ 110.014933][ T5843] bridge0: port 1(bridge_slave_0) entered blocking state [ 110.015105][ T5843] bridge0: port 1(bridge_slave_0) entered disabled state [ 110.015289][ T5843] bridge_slave_0: entered allmulticast mode [ 110.017384][ T5843] bridge_slave_0: entered promiscuous mode [ 110.026209][ T5848] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 110.116281][ T5851] bridge0: port 2(bridge_slave_1) entered blocking state [ 110.116447][ T5851] bridge0: port 2(bridge_slave_1) entered disabled state [ 110.116693][ T5851] bridge_slave_1: entered allmulticast mode [ 110.119891][ T5851] bridge_slave_1: entered promiscuous mode [ 110.144705][ T5852] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 110.153531][ T5843] bridge0: port 2(bridge_slave_1) entered blocking state [ 110.153676][ T5843] bridge0: port 2(bridge_slave_1) entered disabled state [ 110.153988][ T5843] bridge_slave_1: entered allmulticast mode [ 110.157571][ T5843] bridge_slave_1: entered promiscuous mode [ 110.271426][ T5842] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 110.359576][ T5852] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 110.520260][ T5842] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 110.633499][ T5850] Bluetooth: hci0: command tx timeout [ 110.633561][ T5850] Bluetooth: hci3: command tx timeout [ 110.633585][ T5850] Bluetooth: hci2: command tx timeout [ 110.633938][ T5157] Bluetooth: hci1: command tx timeout [ 110.713578][ T5157] Bluetooth: hci4: command tx timeout [ 110.760052][ T5848] team0: Port device team_slave_0 added [ 110.843523][ T5851] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 110.961080][ T5843] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 110.967731][ T5848] team0: Port device team_slave_1 added [ 111.060011][ T5851] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 111.064324][ T5852] team0: Port device team_slave_0 added [ 111.071157][ T5843] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 111.339579][ T5842] team0: Port device team_slave_0 added [ 111.427222][ T5852] team0: Port device team_slave_1 added [ 111.586386][ T5842] team0: Port device team_slave_1 added [ 111.832574][ T5848] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 111.832591][ T5848] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 111.832611][ T5848] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 111.955088][ T5851] team0: Port device team_slave_0 added [ 112.042637][ T5843] team0: Port device team_slave_0 added [ 112.046395][ T5848] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 112.046418][ T5848] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.046452][ T5848] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 112.128706][ T5851] team0: Port device team_slave_1 added [ 112.130474][ T5852] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 112.130490][ T5852] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.130519][ T5852] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 112.135495][ T5843] team0: Port device team_slave_1 added [ 112.154529][ T5842] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 112.154553][ T5842] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.154588][ T5842] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 112.242859][ T5852] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 112.242883][ T5852] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.242906][ T5852] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 112.388777][ T5842] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 112.388798][ T5842] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.388827][ T5842] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 112.697616][ T5851] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 112.697636][ T5851] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.697667][ T5851] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 112.713315][ T59] Bluetooth: hci2: command tx timeout [ 112.713356][ T59] Bluetooth: hci3: command tx timeout [ 112.713385][ T59] Bluetooth: hci0: command tx timeout [ 112.713634][ T5157] Bluetooth: hci1: command tx timeout [ 112.793202][ T5157] Bluetooth: hci4: command tx timeout [ 112.830671][ T5843] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 112.830692][ T5843] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.830713][ T5843] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 112.856075][ T5851] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 112.856101][ T5851] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.856137][ T5851] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 112.978015][ T5843] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 112.978037][ T5843] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 112.978068][ T5843] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 113.101693][ T5848] hsr_slave_0: entered promiscuous mode [ 113.109725][ T5848] hsr_slave_1: entered promiscuous mode [ 113.404370][ T5852] hsr_slave_0: entered promiscuous mode [ 113.406001][ T5852] hsr_slave_1: entered promiscuous mode [ 113.407168][ T5852] debugfs: 'hsr0' already exists in 'hsr' [ 113.407313][ T5852] Cannot create hsr debugfs directory [ 113.422571][ T5842] hsr_slave_0: entered promiscuous mode [ 113.425492][ T5842] hsr_slave_1: entered promiscuous mode [ 113.426608][ T5842] debugfs: 'hsr0' already exists in 'hsr' [ 113.426641][ T5842] Cannot create hsr debugfs directory [ 113.886108][ T5851] hsr_slave_0: entered promiscuous mode [ 113.887654][ T5851] hsr_slave_1: entered promiscuous mode [ 113.888880][ T5851] debugfs: 'hsr0' already exists in 'hsr' [ 113.888908][ T5851] Cannot create hsr debugfs directory [ 114.276205][ T5843] hsr_slave_0: entered promiscuous mode [ 114.277283][ T5843] hsr_slave_1: entered promiscuous mode [ 114.278074][ T5843] debugfs: 'hsr0' already exists in 'hsr' [ 114.278100][ T5843] Cannot create hsr debugfs directory [ 114.803567][ T5850] Bluetooth: hci0: command tx timeout [ 114.803605][ T5850] Bluetooth: hci3: command tx timeout [ 114.803629][ T5850] Bluetooth: hci2: command tx timeout [ 114.803702][ T5157] Bluetooth: hci1: command tx timeout [ 114.873279][ T5157] Bluetooth: hci4: command tx timeout [ 115.917195][ T5848] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 115.972008][ T5848] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 116.002214][ T5848] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 116.066666][ T5848] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 116.235014][ T5842] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 116.279746][ T5842] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 116.312323][ T5842] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 116.361957][ T5842] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 116.569726][ T5852] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 116.623978][ T5852] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 116.668991][ T5852] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 116.729171][ T5852] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 116.961598][ T5851] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 117.049703][ T5851] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 117.086093][ T5851] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 117.158420][ T5851] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 117.314839][ T5848] 8021q: adding VLAN 0 to HW filter on device bond0 [ 117.379652][ T5843] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 117.438481][ T5843] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 117.462693][ T5843] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 117.510921][ T5843] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 117.596711][ T5848] 8021q: adding VLAN 0 to HW filter on device team0 [ 117.629690][ T5842] 8021q: adding VLAN 0 to HW filter on device bond0 [ 117.667495][ T169] bridge0: port 1(bridge_slave_0) entered blocking state [ 117.669317][ T169] bridge0: port 1(bridge_slave_0) entered forwarding state [ 117.754207][ T169] bridge0: port 2(bridge_slave_1) entered blocking state [ 117.754456][ T169] bridge0: port 2(bridge_slave_1) entered forwarding state [ 117.819807][ T5842] 8021q: adding VLAN 0 to HW filter on device team0 [ 117.889422][ T67] bridge0: port 1(bridge_slave_0) entered blocking state [ 117.889725][ T67] bridge0: port 1(bridge_slave_0) entered forwarding state [ 117.952121][ T5852] 8021q: adding VLAN 0 to HW filter on device bond0 [ 117.988759][ T67] bridge0: port 2(bridge_slave_1) entered blocking state [ 117.989097][ T67] bridge0: port 2(bridge_slave_1) entered forwarding state [ 118.142467][ T5852] 8021q: adding VLAN 0 to HW filter on device team0 [ 118.213828][ T67] bridge0: port 1(bridge_slave_0) entered blocking state [ 118.214011][ T67] bridge0: port 1(bridge_slave_0) entered forwarding state [ 118.222695][ T5851] 8021q: adding VLAN 0 to HW filter on device bond0 [ 118.302280][ T202] bridge0: port 2(bridge_slave_1) entered blocking state [ 118.302437][ T202] bridge0: port 2(bridge_slave_1) entered forwarding state [ 118.479488][ T5851] 8021q: adding VLAN 0 to HW filter on device team0 [ 118.548944][ T5843] 8021q: adding VLAN 0 to HW filter on device bond0 [ 118.611382][ T4024] bridge0: port 1(bridge_slave_0) entered blocking state [ 118.611677][ T4024] bridge0: port 1(bridge_slave_0) entered forwarding state [ 118.678827][ T1174] bridge0: port 2(bridge_slave_1) entered blocking state [ 118.678993][ T1174] bridge0: port 2(bridge_slave_1) entered forwarding state [ 118.811093][ T5843] 8021q: adding VLAN 0 to HW filter on device team0 [ 118.890772][ T67] bridge0: port 1(bridge_slave_0) entered blocking state [ 118.891071][ T67] bridge0: port 1(bridge_slave_0) entered forwarding state [ 118.956785][ T67] bridge0: port 2(bridge_slave_1) entered blocking state [ 118.956950][ T67] bridge0: port 2(bridge_slave_1) entered forwarding state [ 118.991166][ T5848] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 119.335478][ T5842] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 119.560992][ T5852] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 119.584945][ T5848] veth0_vlan: entered promiscuous mode [ 119.704435][ T5848] veth1_vlan: entered promiscuous mode [ 120.013502][ T5852] veth0_vlan: entered promiscuous mode [ 120.036330][ T5848] veth0_macvtap: entered promiscuous mode [ 120.114502][ T5848] veth1_macvtap: entered promiscuous mode [ 120.129793][ T5852] veth1_vlan: entered promiscuous mode [ 120.157644][ T5851] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 120.289769][ T5848] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 120.330311][ T5848] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 120.337310][ T5843] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 120.421548][ T169] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.446276][ T169] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.452812][ T169] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.487820][ T169] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 120.491556][ T5852] veth0_macvtap: entered promiscuous mode [ 120.592826][ T5852] veth1_macvtap: entered promiscuous mode [ 120.668126][ T5842] veth0_vlan: entered promiscuous mode [ 120.730702][ T5851] veth0_vlan: entered promiscuous mode [ 120.861992][ T5842] veth1_vlan: entered promiscuous mode [ 120.907247][ T5852] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 120.940131][ T5851] veth1_vlan: entered promiscuous mode [ 121.009301][ T5852] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 121.045442][ T5843] veth0_vlan: entered promiscuous mode [ 121.065933][ T1174] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 121.065964][ T1174] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 121.111238][ T1217] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 121.129265][ T1217] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 121.156290][ T1217] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 121.195207][ T1217] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 121.225543][ T5843] veth1_vlan: entered promiscuous mode [ 121.249215][ T1217] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 121.249239][ T1217] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 121.399450][ T5842] veth0_macvtap: entered promiscuous mode [ 121.506079][ T5842] veth1_macvtap: entered promiscuous mode [ 121.552697][ T5851] veth0_macvtap: entered promiscuous mode [ 121.683829][ T5851] veth1_macvtap: entered promiscuous mode [ 121.810320][ T5842] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 121.812571][ T5843] veth0_macvtap: entered promiscuous mode [ 121.871059][ T1174] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 121.871085][ T1174] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 121.938586][ T5842] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 121.969199][ T5843] veth1_macvtap: entered promiscuous mode [ 122.300635][ T5959] sp0: Synchronizing with TNC [ 122.729525][ T44] netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 122.762417][ T5851] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 122.774573][ T44] netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 122.817013][ T44] netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 122.842600][ T44] netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 122.906422][ T202] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 122.906446][ T202] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 122.942542][ T5851] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 123.036001][ T5843] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 123.164365][ T1174] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.186213][ T5843] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 123.205855][ T1174] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.250316][ T1174] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.356470][ T1174] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.399564][ T1174] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.432130][ T1174] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.494901][ T1174] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.586706][ T1174] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 123.724703][ T169] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 123.724726][ T169] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 125.408924][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.433087][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.443060][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.453040][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.463047][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.473048][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.533048][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.754741][ T1382] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 125.754759][ T1382] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 125.793100][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 125.913260][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 126.074354][ T0] NOHZ tick-stop error: local softirq work is pending, handler #80!!! [ 127.862401][ T202] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 127.862426][ T202] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 128.062909][ T4024] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 128.062932][ T4024] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 129.538487][ T1382] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 129.538512][ T1382] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 131.205289][ T1174] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 131.205320][ T1174] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 135.168746][ T6010] sp0: Synchronizing with TNC [ 137.653527][ T6024] sp0: Synchronizing with TNC [ 139.093224][ T1326] ieee802154 phy0 wpan0: encryption failed: -22 [ 139.519441][ T1326] ieee802154 phy1 wpan1: encryption failed: -22 [ 142.098652][ T5157] sysfs: ca[ 142.098652][ T5157] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci4/hci4:201' [ 142.098715][ T5157] CPU: 0 UID: 0 PID: 5157 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 142.098742][ T5157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 [ 142.098758][ T5157] Workqueue: hci4 hci_rx_work [ 142.098815][ T5157] Call Trace: [ 142.098825][ T5157] [ 142.098835][ T5157] dump_stack_lvl+0x189/0x250 [ 142.098876][ T5157] ? __pfx_dump_stack_lvl+0x10/0x10 [ 142.098909][ T5157] ? __pfx__printk+0x10/0x10 [ 142.098940][ T5157] ? kernfs_path_from_node+0x2c/0x280 [ 142.098962][ T5157] ? kernfs_path_from_node+0x243/0x280 [ 142.098983][ T5157] ? kernfs_path_from_node+0x2c/0x280 [ 142.099010][ T5157] sysfs_create_dir_ns+0x259/0x280 [ 142.099031][ T5157] ? __pfx_rt_mutex_slowunlock+0x10/0x10 [ 142.099061][ T5157] ? __pfx_sysfs_create_dir_ns+0x10/0x10 [ 142.099085][ T5157] ? rt_spin_unlock+0x65/0x80 [ 142.099217][ T5157] kobject_add_internal+0x5a5/0xb50 [ 142.099262][ T5157] kobject_add+0x155/0x220 [ 142.099290][ T5157] ? __pfx_kobject_add+0x10/0x10 [ 142.099322][ T5157] ? get_device_parent+0x370/0x3a0 [ 142.099351][ T5157] device_add+0x408/0xb50 [ 142.099379][ T5157] hci_conn_add_sysfs+0xd5/0x1e0 [ 142.099412][ T5157] le_conn_complete_evt+0xc3a/0x1220 [ 142.099464][ T5157] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 142.099502][ T5157] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 142.099541][ T5157] ? lockdep_hardirqs_on+0x9c/0x150 [ 142.099585][ T5157] ? skb_pull_data+0xfb/0x200 [ 142.099621][ T5157] hci_le_conn_complete_evt+0x187/0x450 [ 142.099666][ T5157] hci_event_packet+0x78f/0x1200 [ 142.099702][ T5157] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 142.099740][ T5157] ? __pfx_hci_event_packet+0x10/0x10 [ 142.099767][ T5157] ? __pfx_migrate_enable+0x10/0x10 [ 142.099810][ T5157] ? hci_send_to_monitor+0xe2/0x570 [ 142.099854][ T5157] hci_rx_work+0x46a/0xe80 [ 142.099894][ T5157] ? process_scheduled_works+0x9ef/0x17b0 [ 142.099929][ T5157] process_scheduled_works+0xade/0x17b0 [ 142.100002][ T5157] ? __pfx_process_scheduled_works+0x10/0x10 [ 142.100055][ T5157] worker_thread+0x8a0/0xda0 [ 142.100202][ T5157] kthread+0x70e/0x8a0 [ 142.100253][ T5157] ? __pfx_worker_thread+0x10/0x10 [ 142.100282][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.100322][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.100370][ T5157] ret_from_fork+0x436/0x7d0 [ 142.100407][ T5157] ? __pfx_ret_from_fork+0x10/0x10 [ 142.100446][ T5157] ? __switch_to_asm+0x39/0x70 [ 142.100468][ T5157] ? __switch_to_asm+0x33/0x70 [ 142.100491][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.100530][ T5157] ret_from_fork_asm+0x1a/0x30 [ 142.100577][ T5157] [ 142.103432][ T5157] kobject: kobject_add_internal failed for hci4:201 with -EEXIST, don't try to register things with the same name in the same directory. [ 142.103496][ T5157] Bluetooth: hci4: failed to register connection device [ 142.156050][ T5157] ================================================================== [ 142.156073][ T5157] BUG: KASAN: slab-use-after-free in l2cap_connect_cfm+0x6e4/0x1040 [ 142.156209][ T5157] Read of size 8 at addr ffff888024357500 by task kworker/u9:1/5157 [ 142.156228][ T5157] [ 142.156243][ T5157] CPU: 1 UID: 0 PID: 5157 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 142.156266][ T5157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 [ 142.156281][ T5157] Workqueue: hci4 hci_rx_work [ 142.156306][ T5157] Call Trace: [ 142.156316][ T5157] [ 142.156325][ T5157] dump_stack_lvl+0x189/0x250 [ 142.156357][ T5157] ? __kasan_check_byte+0x12/0x40 [ 142.156397][ T5157] ? __pfx_dump_stack_lvl+0x10/0x10 [ 142.156425][ T5157] ? lock_release+0x4b/0x3e0 [ 142.156458][ T5157] ? __virt_addr_valid+0x4a5/0x5c0 [ 142.156482][ T5157] print_report+0xca/0x240 [ 142.156510][ T5157] ? l2cap_connect_cfm+0x6e4/0x1040 [ 142.156547][ T5157] kasan_report+0x118/0x150 [ 142.156577][ T5157] ? l2cap_connect_cfm+0x6e4/0x1040 [ 142.156626][ T5157] l2cap_connect_cfm+0x6e4/0x1040 [ 142.156670][ T5157] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 142.156707][ T5157] ? mutex_lock_nested+0x154/0x1d0 [ 142.156731][ T5157] ? hci_connect_cfm+0x2c/0x140 [ 142.156760][ T5157] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 142.156793][ T5157] hci_connect_cfm+0x92/0x140 [ 142.156822][ T5157] le_conn_complete_evt+0xcd3/0x1220 [ 142.156860][ T5157] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 142.156893][ T5157] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 142.156929][ T5157] ? lockdep_hardirqs_on+0x9c/0x150 [ 142.156966][ T5157] ? skb_pull_data+0xfb/0x200 [ 142.156994][ T5157] hci_le_conn_complete_evt+0x187/0x450 [ 142.157028][ T5157] hci_event_packet+0x78f/0x1200 [ 142.157054][ T5157] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 142.157088][ T5157] ? __pfx_hci_event_packet+0x10/0x10 [ 142.157115][ T5157] ? __pfx_migrate_enable+0x10/0x10 [ 142.157149][ T5157] ? hci_send_to_monitor+0xe2/0x570 [ 142.157185][ T5157] hci_rx_work+0x46a/0xe80 [ 142.157214][ T5157] ? process_scheduled_works+0x9ef/0x17b0 [ 142.157241][ T5157] process_scheduled_works+0xade/0x17b0 [ 142.157282][ T5157] ? __pfx_process_scheduled_works+0x10/0x10 [ 142.157318][ T5157] worker_thread+0x8a0/0xda0 [ 142.157359][ T5157] kthread+0x70e/0x8a0 [ 142.157409][ T5157] ? __pfx_worker_thread+0x10/0x10 [ 142.157437][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.157471][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.157503][ T5157] ret_from_fork+0x436/0x7d0 [ 142.157530][ T5157] ? __pfx_ret_from_fork+0x10/0x10 [ 142.157559][ T5157] ? __switch_to_asm+0x39/0x70 [ 142.157580][ T5157] ? __switch_to_asm+0x33/0x70 [ 142.157599][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.157629][ T5157] ret_from_fork_asm+0x1a/0x30 [ 142.157657][ T5157] [ 142.157664][ T5157] [ 142.157669][ T5157] Allocated by task 5157: [ 142.157679][ T5157] kasan_save_track+0x3e/0x80 [ 142.157704][ T5157] __kasan_kmalloc+0x93/0xb0 [ 142.157728][ T5157] __kmalloc_cache_noprof+0x1a8/0x320 [ 142.157756][ T5157] l2cap_chan_create+0x50/0x780 [ 142.157775][ T5157] l2cap_sock_new_connection_cb+0x182/0x2b0 [ 142.157797][ T5157] l2cap_connect_cfm+0x377/0x1040 [ 142.157827][ T5157] hci_connect_cfm+0x92/0x140 [ 142.157853][ T5157] le_conn_complete_evt+0xcd3/0x1220 [ 142.157881][ T5157] hci_le_conn_complete_evt+0x187/0x450 [ 142.157907][ T5157] hci_event_packet+0x78f/0x1200 [ 142.157927][ T5157] hci_rx_work+0x46a/0xe80 [ 142.157948][ T5157] process_scheduled_works+0xade/0x17b0 [ 142.157971][ T5157] worker_thread+0x8a0/0xda0 [ 142.157994][ T5157] kthread+0x70e/0x8a0 [ 142.158020][ T5157] ret_from_fork+0x436/0x7d0 [ 142.158042][ T5157] ret_from_fork_asm+0x1a/0x30 [ 142.158058][ T5157] [ 142.158062][ T5157] Freed by task 6069: [ 142.158070][ T5157] kasan_save_track+0x3e/0x80 [ 142.158089][ T5157] kasan_save_free_info+0x46/0x50 [ 142.158105][ T5157] __kasan_slab_free+0x5b/0x80 [ 142.158127][ T5157] kfree+0x195/0x550 [ 142.158148][ T5157] l2cap_sock_cleanup_listen+0xea/0x3e0 [ 142.158166][ T5157] l2cap_sock_release+0x6a/0x230 [ 142.158182][ T5157] sock_close+0xc3/0x240 [ 142.158216][ T5157] __fput+0x458/0xa80 [ 142.158234][ T5157] task_work_run+0x1d4/0x260 [ 142.158250][ T5157] do_exit+0x6b5/0x2300 [ 142.158265][ T5157] do_group_exit+0x21c/0x2d0 [ 142.158282][ T5157] get_signal+0x125e/0x1310 [ 142.158303][ T5157] arch_do_signal_or_restart+0x9a/0x750 [ 142.158327][ T5157] exit_to_user_mode_loop+0x75/0x110 [ 142.158352][ T5157] do_syscall_64+0x2bd/0x3b0 [ 142.158384][ T5157] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 142.158404][ T5157] [ 142.158409][ T5157] The buggy address belongs to the object at ffff888024357000 [ 142.158409][ T5157] which belongs to the cache kmalloc-2k of size 2048 [ 142.158429][ T5157] The buggy address is located 1280 bytes inside of [ 142.158429][ T5157] freed 2048-byte region [ffff888024357000, ffff888024357800) [ 142.158452][ T5157] [ 142.158458][ T5157] The buggy address belongs to the physical page: [ 142.158485][ T5157] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24350 [ 142.158510][ T5157] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 142.158529][ T5157] flags: 0x80000000000040(head|node=0|zone=1) [ 142.158555][ T5157] page_type: f5(slab) [ 142.158577][ T5157] raw: 0080000000000040 ffff888019842000 ffffea0000deba00 0000000000000002 [ 142.158596][ T5157] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 142.158617][ T5157] head: 0080000000000040 ffff888019842000 ffffea0000deba00 0000000000000002 [ 142.158635][ T5157] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 142.158656][ T5157] head: 0080000000000003 ffffea000090d401 00000000ffffffff 00000000ffffffff [ 142.158674][ T5157] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008 [ 142.158685][ T5157] page dumped because: kasan: bad access detected [ 142.158703][ T5157] page_owner tracks the page as allocated [ 142.158711][ T5157] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5843, tgid 5843 (syz-executor), ts 117952830740, free_ts 117927884991 [ 142.158750][ T5157] post_alloc_hook+0x240/0x2a0 [ 142.158782][ T5157] get_page_from_freelist+0x2119/0x21b0 [ 142.158803][ T5157] __alloc_frozen_pages_noprof+0x181/0x370 [ 142.158827][ T5157] alloc_pages_mpol+0xd1/0x380 [ 142.158856][ T5157] allocate_slab+0x8a/0x370 [ 142.158874][ T5157] ___slab_alloc+0x8d1/0xdc0 [ 142.158890][ T5157] __kmalloc_node_track_caller_noprof+0x14c/0x450 [ 142.158917][ T5157] kmalloc_reserve+0x136/0x290 [ 142.158945][ T5157] pskb_expand_head+0x18e/0x1150 [ 142.158965][ T5157] netlink_trim+0x1d5/0x2e0 [ 142.158987][ T5157] netlink_broadcast_filtered+0xd6/0x12c0 [ 142.159013][ T5157] nlmsg_notify+0xf0/0x1a0 [ 142.159039][ T5157] __dev_notify_flags+0xf4/0x2e0 [ 142.159069][ T5157] netif_change_flags+0xe8/0x1a0 [ 142.159098][ T5157] do_setlink+0xc55/0x41c0 [ 142.159130][ T5157] rtnl_newlink+0x160b/0x1c70 [ 142.159155][ T5157] page last free pid 5843 tgid 5843 stack trace: [ 142.159167][ T5157] __free_frozen_pages+0xb59/0xce0 [ 142.159197][ T5157] __slab_free+0x2db/0x390 [ 142.159215][ T5157] qlist_free_all+0x97/0x140 [ 142.159236][ T5157] kasan_quarantine_reduce+0x148/0x160 [ 142.159259][ T5157] __kasan_slab_alloc+0x22/0x80 [ 142.159283][ T5157] kmem_cache_alloc_node_noprof+0x14e/0x330 [ 142.159311][ T5157] __alloc_skb+0x112/0x2d0 [ 142.159340][ T5157] netlink_ack+0x146/0xa50 [ 142.159376][ T5157] netlink_rcv_skb+0x28c/0x470 [ 142.159406][ T5157] netlink_unicast+0x843/0xa10 [ 142.159429][ T5157] netlink_sendmsg+0x805/0xb30 [ 142.159458][ T5157] __sock_sendmsg+0x21c/0x270 [ 142.159482][ T5157] __sys_sendto+0x3c7/0x520 [ 142.159511][ T5157] __x64_sys_sendto+0xde/0x100 [ 142.159539][ T5157] do_syscall_64+0xfa/0x3b0 [ 142.159559][ T5157] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 142.159581][ T5157] [ 142.159586][ T5157] Memory state around the buggy address: [ 142.159599][ T5157] ffff888024357400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 142.159615][ T5157] ffff888024357480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 142.159631][ T5157] >ffff888024357500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 142.159642][ T5157] ^ [ 142.159653][ T5157] ffff888024357580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 142.159668][ T5157] ffff888024357600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 142.159680][ T5157] ================================================================== [ 142.159710][ T5157] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 142.159729][ T5157] CPU: 1 UID: 0 PID: 5157 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} [ 142.159755][ T5157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 [ 142.159772][ T5157] Workqueue: hci4 hci_rx_work [ 142.159800][ T5157] Call Trace: [ 142.159810][ T5157] [ 142.159820][ T5157] dump_stack_lvl+0x99/0x250 [ 142.159856][ T5157] ? __asan_memcpy+0x40/0x70 [ 142.159880][ T5157] ? __pfx_dump_stack_lvl+0x10/0x10 [ 142.159912][ T5157] ? __pfx__printk+0x10/0x10 [ 142.159942][ T5157] vpanic+0x281/0x750 [ 142.159973][ T5157] ? __pfx_print_hex_dump+0x10/0x10 [ 142.160008][ T5157] ? __pfx_vpanic+0x10/0x10 [ 142.160048][ T5157] panic+0xb9/0xc0 [ 142.160081][ T5157] ? __pfx_panic+0x10/0x10 [ 142.160112][ T5157] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 142.160150][ T5157] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 142.160190][ T5157] ? l2cap_connect_cfm+0x6e4/0x1040 [ 142.160225][ T5157] check_panic_on_warn+0x89/0xb0 [ 142.160248][ T5157] ? l2cap_connect_cfm+0x6e4/0x1040 [ 142.160282][ T5157] end_report+0x78/0x160 [ 142.160311][ T5157] kasan_report+0x129/0x150 [ 142.160343][ T5157] ? l2cap_connect_cfm+0x6e4/0x1040 [ 142.160394][ T5157] l2cap_connect_cfm+0x6e4/0x1040 [ 142.160435][ T5157] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 142.160473][ T5157] ? mutex_lock_nested+0x154/0x1d0 [ 142.160498][ T5157] ? hci_connect_cfm+0x2c/0x140 [ 142.160528][ T5157] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 142.160565][ T5157] hci_connect_cfm+0x92/0x140 [ 142.160597][ T5157] le_conn_complete_evt+0xcd3/0x1220 [ 142.160638][ T5157] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 142.160673][ T5157] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 142.160706][ T5157] ? lockdep_hardirqs_on+0x9c/0x150 [ 142.160741][ T5157] ? skb_pull_data+0xfb/0x200 [ 142.160769][ T5157] hci_le_conn_complete_evt+0x187/0x450 [ 142.160805][ T5157] hci_event_packet+0x78f/0x1200 [ 142.160833][ T5157] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 142.160866][ T5157] ? __pfx_hci_event_packet+0x10/0x10 [ 142.160892][ T5157] ? __pfx_migrate_enable+0x10/0x10 [ 142.160923][ T5157] ? hci_send_to_monitor+0xe2/0x570 [ 142.160959][ T5157] hci_rx_work+0x46a/0xe80 [ 142.160988][ T5157] ? process_scheduled_works+0x9ef/0x17b0 [ 142.161015][ T5157] process_scheduled_works+0xade/0x17b0 [ 142.161059][ T5157] ? __pfx_process_scheduled_works+0x10/0x10 [ 142.161096][ T5157] worker_thread+0x8a0/0xda0 [ 142.161138][ T5157] kthread+0x70e/0x8a0 [ 142.161172][ T5157] ? __pfx_worker_thread+0x10/0x10 [ 142.161199][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.161236][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.161269][ T5157] ret_from_fork+0x436/0x7d0 [ 142.161299][ T5157] ? __pfx_ret_from_fork+0x10/0x10 [ 142.161330][ T5157] ? __switch_to_asm+0x39/0x70 [ 142.161351][ T5157] ? __switch_to_asm+0x33/0x70 [ 142.161387][ T5157] ? __pfx_kthread+0x10/0x10 [ 142.161421][ T5157] ret_from_fork_asm+0x1a/0x30 [ 142.161452][ T5157] [ 142.161836][ T5157] Kernel Offset: disabled