last executing test programs:

687.634336ms ago: executing program 2 (id=3):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000100), 0x76, 0x101b01)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x6)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440), 0x141800, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
ioctl$KVM_CAP_SPLIT_IRQCHIP(r3, 0x4068aea3, &(0x7f0000000040)={0x79, 0x0, 0x5})
r4 = eventfd2(0x0, 0x1)
ioctl$KVM_IRQFD(r3, 0x4020ae76, &(0x7f0000000000)={r4})
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000100)='net_prio.prioidx\x00', 0x275a, 0x0)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r5, 0x0)
ioctl$USBDEVFS_SETINTERFACE(r1, 0x80085504, 0x0)
unshare(0x62040200)
r6 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000c40)='net/xfrm_stat\x00')
syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000140)={[0x8, 0x8, 0xffffffff80000001, 0x3, 0x8000000000000001, 0x35f23d4, 0x6, 0x5, 0x9, 0x9, 0xffffffff, 0x100000000, 0x100000001, 0x8000000000000001, 0xff, 0xd3], 0x6000, 0x400c6})
close_range(r0, 0xffffffffffffffff, 0x0)

600.097123ms ago: executing program 3 (id=4):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f0000000140)={0x73622a85, 0x7cab6ced6415608, 0x3})
r1 = socket$unix(0x1, 0x1, 0x0)
io_setup(0x66eb, &(0x7f0000000080))
eventfd(0x5a21)
ioctl$FS_IOC_MEASURE_VERITY(r1, 0xc0046686, &(0x7f0000000880)={0x3, 0xc4, "4fa6a6b248131955481fd5802c7d63f8cf528b8927f969f165424725ebb71af040cf1607e490484c3b9f5901bbf7607b5cb641491351eb455f254552cc23520ebc272e7dc1136ee0f59f2c3123752bf8df5c6b62c6221b08ddb5a259684f1e7ed384b68c560182824cca3b88e61c62ee846c831387c8d760d002879cd2a610b80fe3086d6cd7d8f6357bd226b06f18e3dae9f0ed083f0d3411f3c1c32eb2a3497a7c855d5c60066d2208660380e7a53b93b639e9f4ee7879ecc6542a9347cabb0bdc4166"})
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r3 = socket$inet(0x2, 0x4000000000000001, 0xfffffff4)
setsockopt$inet_tcp_int(r3, 0x6, 0x80000000000002, &(0x7f00000004c0)=0x79, 0x4)
bind$inet(r3, &(0x7f0000000080)={0x2, 0x4e23, @local}, 0x10)
setsockopt$SO_ATTACH_FILTER(r3, 0x1, 0x1a, &(0x7f0000000140)={0x1, &(0x7f00000001c0)=[{0x6, 0x0, 0xfc, 0xe4}]}, 0x10)
sendto$inet(r3, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cpuacct.usage_sys\x00', 0x275a, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19)
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
fsopen(&(0x7f00000000c0)='cramfs\x00', 0x0)
madvise(&(0x7f0000000000/0x2000)=nil, 0x8000000, 0x19)
setsockopt$inet_tcp_TCP_CONGESTION(r3, 0x6, 0xd, &(0x7f0000000100)='bbr\x00', 0x4)
sendmmsg$inet(r3, &(0x7f0000000000)=[{{0x0, 0x0, &(0x7f0000000240)=[{&(0x7f00000006c0)="0d18687da3e7f33aed145cf8ff2d1e5a18c0d5f9856f4824f41040f6987d0b531da10713ed151bc4867681f28e033aef683334d03864ed30590dd4ea64a20ecbbc1346c9f42510d91eec0632885b7da95ca85f4b1435c5c1e993a85257df5f19bdfc5e038a16e6a8aef907e347081fdb93cee93217e11f19cde423e6138bd1b79ee615527ccaf8049959ac6e32af46d777ccb8c26ca925f69590df13a81aee3213e80ba5cacf1f930b3cc49093d11594ef13325790b55efbdc2dd99ed1", 0xbd}, {&(0x7f00000002c0)="9c811ff500139d7d", 0x8}], 0x2}}, {{0x0, 0x0, &(0x7f0000000e40)=[{&(0x7f00000007c0)="353a35d6094e4ee7d764b6993f65136c5d6b84d9b1324a0b25e094700c9a66f9181738098f32e3e48859c3878d53a9752474da0d6af299d849d48f2fa2c8c807d7a1521da940585790ff1e6f9da83e32b751d1af9cfac640c1361f5ae8b99c187dafe9ea854120f6eaab11e7fdeb3f2152ebdbc21520ca01f64bb821576deef4ed6696cdddc1768b5b4fbd68a687cb6ba52ecf5cc6f8f05062f26de19d6aaaeb6cbca00e46685f77d2b3e8dd9d0d099e799cd5a76c67ab283f790366f7f744508edc9e48fa101b89215bd330c4e706c1f09d781a5a50aef5e424a7a88b3241a338ca7411cda28aa167b5628b79e8a7d588efb69636181b9c54f6d296386c95f8a08e27d5792dcb20fa3b5b4f60c71f310b31bb1ab4a825c2dc10fac150a17d92bb51849d9eea53c78d427d8d1036dc906084046fcae09499c220ef50c2c7c475f392bc288eb5efb8032d1ade92e88e50a05a95dd5c6cbbdfb086fa53bca14d40c8c3f7149b39b16b7c7370978389366174db5fbc99dbe958f8c1690cd695dfbe6c384162a412c8d3cfd7cf223f9df4c67b92514111891f53d4e19826797302e1a87e7a627c52740bb3bd311771a68d349c0a68ef6f2a765f8220323add67b2b6695ca41adcda387a4264bcd94c8578a9ccca3b55ebcda45369b56068cfeec34abc2cbd94b9b12d057fa9d4328d57073f40e5ae64443e4a10ed400575bbd1168a170a0134b9ad28735dbd9603a9e417cce864f2141a92f57e1fdfcff4776f94a794d6db8d3e9e0ecc783956c7ab15a8d5639d3df1ac9da6057af913a563bd55b657f37cbf4cae2919aea6ff8a7490b4c036361b8866cc062bbad019f43d02b0c38bd6309f2baa53924466203ab8d00daaac4c9da846e645d64c10e47c32e9824e79ade4eeee7cbf71b1bb48f760800b04334745ab553dea12a85f0671eb07a4cc67ceaffa8269e0b052f25136cfb8a6b9327a2d165c42933642d3171ad00ebf0be485f5ed319021600a94072f251c8905a2451eba3ba7db2ec5fb8613463a796610629719166259ffa3261e06f09b5a", 0x2ef}], 0x1}}], 0x2, 0x0)
setsockopt$sock_int(r3, 0x1, 0x8, &(0x7f0000000600)=0xdfa, 0x4)
sendto$inet(r3, &(0x7f0000000580)="17", 0x59a, 0x10008095, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
ioctl$KVM_CREATE_IRQCHIP(r4, 0xae60)
ioctl$KVM_CREATE_PIT2(r4, 0x4040ae77, &(0x7f0000000040))
ioctl$KVM_REINJECT_CONTROL(r4, 0xae71, &(0x7f0000000580)={0xe9})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000240)={0x4, 0x0, &(0x7f0000000200)=[@enter_looper], 0x50, 0x0, &(0x7f0000000580)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70"})
mmap$binder(&(0x7f00004c8000/0x3000)=nil, 0x3000, 0x1, 0x11, r0, 0x1)
r5 = socket(0x10, 0x803, 0x0)
sendto(r5, &(0x7f0000000740)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0)
recvmmsg(r5, &(0x7f0000000440)=[{{0x0, 0x0, 0x0}, 0x4}, {{0x0, 0x0, 0x0}, 0xfffffff9}, {{0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000880)=""/4098, 0x1002}, {&(0x7f00000007c0)=""/186, 0xba}, {&(0x7f0000000180)=""/21, 0x15}, {&(0x7f00000032c0)=""/232, 0xe8}, {&(0x7f0000000080)=""/231, 0xe7}, {&(0x7f00000034c0)=""/197, 0xc5}], 0x6}, 0xffffffff}, {{0x0, 0x0, 0x0}, 0x8}, {{0x0, 0x0, 0x0}, 0x5}, {{0x0, 0x0, 0x0}, 0x5}, {{0x0, 0x0, 0x0}, 0x3ff}], 0x7, 0x2100, 0x0)

581.142904ms ago: executing program 1 (id=2):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1002, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$SIOCSIFHWADDR(r1, 0x8932, &(0x7f0000000040)={'sit0\x00', @local})
r2 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r2, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4)
madvise(&(0x7f00003cd000/0x4000)=nil, 0x4000, 0x2)
r3 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000100)=ANY=[@ANYBLOB="12013f00000000407f04ffff000000000001090224000100000000090400001503000000092140000001220f000905", @ANYRES16], 0x0)
syz_usb_control_io$hid(r3, 0x0, 0x0)
syz_usb_control_io$hid(r3, &(0x7f0000001540)={0x24, 0x0, 0x0, &(0x7f00000001c0)=ANY=[@ANYBLOB="00220f0000005b574e69622bf85eda07b3"], 0x0}, 0x0)
r4 = syz_open_dev$hiddev(&(0x7f0000000540), 0x0, 0x0)
ioctl$HIDIOCGUCODE(r4, 0xc018480d, &(0x7f00000011c0)={0x3, 0x100, 0x0, 0x5, 0x590f, 0x2})
socket$inet6(0xa, 0x80002, 0x0)
r5 = syz_open_procfs(0x0, &(0x7f0000000040)='smaps\x00')
read$FUSE(r5, &(0x7f0000000640)={0x2020}, 0x2020)
ioctl$KVM_CREATE_DEVICE(r5, 0xc00caee0, &(0x7f0000000000)={0x2, 0xffffffffffffffff, 0x1})
socket$inet6(0xa, 0x1, 0x0)
ioctl$TIOCSWINSZ(0xffffffffffffffff, 0x5414, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r6, &(0x7f0000000000)=ANY=[], 0x32600)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r6, 0x0)
setsockopt$packet_rx_ring(r2, 0x107, 0x5, &(0x7f0000000180)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x3}, 0x1c)
close_range(r0, 0xffffffffffffffff, 0x0)

548.345657ms ago: executing program 0 (id=1):
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_generic(r0, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=ANY=[@ANYBLOB="280000001e00210000000000000000000a00000005000000000000000a0005"], 0x28}}, 0x0)
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040)={0x200000, 0x200000, 0x0, 0x0, 0x0, 0xffffffff})
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x8031, 0xffffffffffffffff, 0x4000)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFQNL_MSG_CONFIG(r1, &(0x7f00000002c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000006c0)=ANY=[@ANYBLOB="38000000020301020000000000000000000000000900020000000001000000000800"], 0x38}, 0x1, 0x0, 0x0, 0x40050}, 0x0)
futex_waitv(&(0x7f0000000180)=[{0x0, &(0x7f0000000000), 0x2}, {0x3, &(0x7f0000000040)=0x3, 0x2}], 0x2, 0x0, 0x0, 0x0)
futex(&(0x7f0000000140), 0x5, 0x0, 0x0, 0x0, 0x0)
r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000080), 0x20400, 0x0)
ioctl$RTC_IRQP_SET(r2, 0x4008700c, 0x2ae)
r3 = syz_usb_connect(0x0, 0x36, &(0x7f0000000080)=ANY=[@ANYBLOB="12010000a1121710950b2a17f4f7010203010902240001000000000904fb00026c5d650009050402100000fa000905820240"], 0x0)
r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000500)='status\x00')
read$FUSE(r4, &(0x7f0000003240)={0x2020}, 0x2020)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r5 = syz_open_procfs(0x0, &(0x7f0000000100)='net/tcp\x00')
ftruncate(r5, 0x2)
syz_usb_control_io$printer(r3, 0x0, &(0x7f0000000540)={0x34, &(0x7f0000000600)=ANY=[@ANYBLOB="4013b9000000e7"], 0x0, 0x0, 0x0, 0x0, 0x0})
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r6 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000240), 0xc0802, 0x0)
ioctl$PPPIOCNEWUNIT(r6, 0xc004743e, &(0x7f00000000c0))
ioctl$PPPIOCSMAXCID(r6, 0x40047451, &(0x7f0000000080)=0x4)
bind$vsock_stream(r4, &(0x7f00000001c0)={0x28, 0x0, 0x0, @my=0x0}, 0x10)
r7 = syz_open_dev$loop(&(0x7f0000000240), 0x7, 0x180862)
r8 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/power/sync_on_suspend', 0x40000, 0x2d)
ioctl$LOOP_CHANGE_FD(r7, 0x4c06, r8)

449.258314ms ago: executing program 2 (id=5):
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='mountinfo\x00')
r1 = socket(0x11, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000340)={'vlan0\x00', <r2=>0x0})
bind$packet(r1, &(0x7f0000000080)={0x11, 0x0, r2, 0x1, 0x0, 0x6, @link_local}, 0x14)
sendto$packet(r1, &(0x7f00000002c0)="fb57975e267951722b395d37bac8", 0xe, 0x0, 0x0, 0x0)
mkdir(&(0x7f0000000040)='./file0\x00', 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0)
mkdir(&(0x7f0000000300)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x1000000, &(0x7f0000000140)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}, {@default_permissions}]})
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)

413.916677ms ago: executing program 2 (id=6):
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000080), 0x8002, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x2000000000000000)
r1 = socket(0x10, 0x3, 0x0)
bind$netlink(r1, &(0x7f0000000040)={0x10, 0x0, 0x1, 0x8000000}, 0xc)
write(r1, &(0x7f0000000000)="2600000022004701050000070000000000000020002b1f000a4a51f1ee839cd53400b017ca5b", 0x26)
r2 = socket$pppl2tp(0x18, 0x1, 0x1)
r3 = fsopen(&(0x7f0000000040)='securityfs\x00', 0x0)
r4 = fcntl$dupfd(r2, 0x406, r3)
setsockopt$inet_mtu(r4, 0x111, 0xa, &(0x7f0000000000), 0x4)
connect$netlink(r1, &(0x7f00000014c0)=@proc={0x10, 0x0, 0x1}, 0xc)
setsockopt$sock_int(r1, 0x1, 0x8, &(0x7f0000b4bffc)=0x1, 0x4)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000005b40)=[{{0x0, 0x0, &(0x7f0000002b80)=[{&(0x7f0000002140)="6db30fc54ef3a55f7754", 0xa}, {0x0}, {0xfffffffffffffffe}], 0x3, 0x0, 0x0, 0x4000000}}], 0x1, 0x4)
r5 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x41, 0x0)
write$binfmt_aout(r5, &(0x7f0000000100)=ANY=[], 0xff5f)
ioctl$TCSETS(r5, 0x40045431, &(0x7f0000000dc0)={0x0, 0x0, 0x4, 0x0, 0x10, "0062ba7d82e7ff00000000000000f7ffffff00"})
r6 = syz_open_pts(r5, 0x20000)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000200), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_FEATURES_SET(r7, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000480)=ANY=[@ANYBLOB="ac010000", @ANYRES16=r8, @ANYBLOB="0d7e2cbd7000ffdbdf250c000000200001801400020076657468315f746f5f68737200000000080003000000000078010380740103804400cb"], 0x1ac}, 0x1, 0x0, 0x0, 0x81c}, 0x20000004)
ioctl$FIONREAD(r6, 0x541b, &(0x7f00000000c0))
write(r1, &(0x7f0000000980)="a9", 0x1)
r9 = inotify_init()
inotify_add_watch(r9, &(0x7f0000000280)='.\x00', 0x25000001)
mknod(&(0x7f0000000040)='./file0\x00', 0x8001420, 0x0)
open$dir(&(0x7f0000000480)='./file0\x00', 0x103680, 0x20)
r10 = open$dir(&(0x7f0000000140)='./file0\x00', 0x1, 0x0)
r11 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
ftruncate(r11, 0x2000009)
sendfile(r10, r11, 0x0, 0x6)
mknod(&(0x7f0000000080)='./bus\x00', 0x1000, 0x0)

126.95631ms ago: executing program 3 (id=7):
openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x240, 0x0)
r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000000), 0x6082, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000180)={0x1, 0x8}, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x1d0)
mount$bind(&(0x7f0000000000)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0)
mount$bind(0x0, &(0x7f00000005c0)='./file0\x00', 0x0, 0x100000, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = fcntl$dupfd(r1, 0x0, r1)
r3 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000dc0), r1)
r4 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000001100)='/sys/power/pm_print_times', 0x200, 0x0)
read$FUSE(r4, &(0x7f0000001140)={0x2020}, 0x2020)
sendmsg$TIPC_NL_BEARER_GET(r2, &(0x7f0000001b40)={0x0, 0x0, &(0x7f0000001b00)={&(0x7f00000017c0)={0x18, r3, 0x21, 0x70bd2c, 0x25dfdbfb, {}, [@TIPC_NLA_BEARER={0x4}]}, 0x18}, 0x1, 0x0, 0x0, 0x10}, 0x4050)
mount$bind(&(0x7f0000000440)='./file0/../file0\x00', &(0x7f00000000c0)='./file0/file0\x00', 0x0, 0x8b101a, 0x0)
mount$bind(0x0, &(0x7f00000003c0)='./file0/file0\x00', 0x0, 0x80000, 0x0)
r5 = open_tree(0xffffffffffffff9c, &(0x7f0000000500)='./file0/../file0\x00', 0x1)
move_mount(r5, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0)
mount$incfs(&(0x7f0000000580)='./file0\x00', &(0x7f0000000140)='./file0\x00', &(0x7f00000005c0), 0x0, 0x0)
mount$9p_unix(&(0x7f0000000100)='./file0/file0\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x12d7498, 0x0)
openat$ttynull(0xffffffffffffff9c, &(0x7f00000008c0), 0x40000, 0x0)
r6 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r6, 0x4018620d, &(0x7f0000000200)={0x73622a85, 0x7cab6ced6415608, 0x3})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r6, 0x0)
r7 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r8 = mmap$binder(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x1, 0x11, r7, 0x0)
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000000280)={0x50, 0x0, &(0x7f0000000400)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x31, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, @free_buffer={0x40086303, r8}], 0x0, 0x0, 0x0})
syz_io_uring_setup(0x3b48, &(0x7f0000000280)={0x0, 0xc5ba, 0x1, 0x1, 0xc3}, 0x0, 0x0)
sendfile(r0, r0, 0x0, 0x7ffff000)

0s ago: executing program 3 (id=8):
r0 = syz_open_dev$usbfs(&(0x7f00000000c0), 0x204, 0x2)
ioctl$USBDEVFS_SUBMITURB(r0, 0x8038550a, &(0x7f0000000180)=@urb_type_control={0x2, {}, 0x2000000b, 0xe0, &(0x7f0000000000)={0x2, 0x0, 0xfffc, 0xff81}, 0x8, 0x6, 0xc, 0x0, 0xffffff7d, 0x101, 0x0}) (async, rerun: 64)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0xa00, 0x0) (rerun: 64)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x12, r1, 0x99b33000) (async)
capset(&(0x7f0000004240)={0x20080522}, 0x0)

kernel console output (not intermixed with test programs):



syzkaller
syzkaller login: [   14.251105][   T36] kauditd_printk_skb: 31 callbacks suppressed
[   14.251124][   T36] audit: type=1400 audit(1756283549.290:59): avc:  denied  { transition } for  pid=228 comm="sshd-session" path="/bin/sh" dev="sda1" ino=90 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   14.256152][   T36] audit: type=1400 audit(1756283549.290:60): avc:  denied  { noatsecure } for  pid=228 comm="sshd-session" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   14.259254][   T36] audit: type=1400 audit(1756283549.300:61): avc:  denied  { write } for  pid=228 comm="sh" path="pipe:[2702]" dev="pipefs" ino=2702 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[   14.262637][   T36] audit: type=1400 audit(1756283549.300:62): avc:  denied  { rlimitinh } for  pid=228 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   14.265886][   T36] audit: type=1400 audit(1756283549.300:63): avc:  denied  { siginh } for  pid=228 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.1.52' (ED25519) to the list of known hosts.
[   22.232525][   T36] audit: type=1400 audit(1756283557.270:64): avc:  denied  { mounton } for  pid=276 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   22.233947][  T276] cgroup: Unknown subsys name 'net'
[   22.255420][   T36] audit: type=1400 audit(1756283557.270:65): avc:  denied  { mount } for  pid=276 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   22.282823][   T36] audit: type=1400 audit(1756283557.300:66): avc:  denied  { unmount } for  pid=276 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   22.283338][  T276] cgroup: Unknown subsys name 'devices'
[   22.407334][  T276] cgroup: Unknown subsys name 'hugetlb'
[   22.412963][  T276] cgroup: Unknown subsys name 'rlimit'
[   22.527222][   T36] audit: type=1400 audit(1756283557.570:67): avc:  denied  { setattr } for  pid=276 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   22.550497][   T36] audit: type=1400 audit(1756283557.570:68): avc:  denied  { mounton } for  pid=276 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[   22.575235][   T36] audit: type=1400 audit(1756283557.570:69): avc:  denied  { mount } for  pid=276 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[   22.581477][  T283] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[   22.607448][   T36] audit: type=1400 audit(1756283557.650:70): avc:  denied  { relabelto } for  pid=283 comm="mkswap" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   22.632897][   T36] audit: type=1400 audit(1756283557.650:71): avc:  denied  { write } for  pid=283 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   22.649436][  T276] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   22.658873][   T36] audit: type=1400 audit(1756283557.690:72): avc:  denied  { read } for  pid=276 comm="syz-executor" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   22.692797][   T36] audit: type=1400 audit(1756283557.690:73): avc:  denied  { open } for  pid=276 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   23.533849][  T290] bridge0: port 1(bridge_slave_0) entered blocking state
[   23.540987][  T290] bridge0: port 1(bridge_slave_0) entered disabled state
[   23.548162][  T290] bridge_slave_0: entered allmulticast mode
[   23.554624][  T290] bridge_slave_0: entered promiscuous mode
[   23.562300][  T290] bridge0: port 2(bridge_slave_1) entered blocking state
[   23.569490][  T290] bridge0: port 2(bridge_slave_1) entered disabled state
[   23.576619][  T290] bridge_slave_1: entered allmulticast mode
[   23.582976][  T290] bridge_slave_1: entered promiscuous mode
[   23.610818][  T291] bridge0: port 1(bridge_slave_0) entered blocking state
[   23.618044][  T291] bridge0: port 1(bridge_slave_0) entered disabled state
[   23.625214][  T291] bridge_slave_0: entered allmulticast mode
[   23.631463][  T291] bridge_slave_0: entered promiscuous mode
[   23.645787][  T291] bridge0: port 2(bridge_slave_1) entered blocking state
[   23.652851][  T291] bridge0: port 2(bridge_slave_1) entered disabled state
[   23.659967][  T291] bridge_slave_1: entered allmulticast mode
[   23.666414][  T291] bridge_slave_1: entered promiscuous mode
[   23.695795][  T288] bridge0: port 1(bridge_slave_0) entered blocking state
[   23.702854][  T288] bridge0: port 1(bridge_slave_0) entered disabled state
[   23.710031][  T288] bridge_slave_0: entered allmulticast mode
[   23.716421][  T288] bridge_slave_0: entered promiscuous mode
[   23.729949][  T288] bridge0: port 2(bridge_slave_1) entered blocking state
[   23.737202][  T288] bridge0: port 2(bridge_slave_1) entered disabled state
[   23.744258][  T288] bridge_slave_1: entered allmulticast mode
[   23.750689][  T288] bridge_slave_1: entered promiscuous mode
[   23.796534][  T289] bridge0: port 1(bridge_slave_0) entered blocking state
[   23.803635][  T289] bridge0: port 1(bridge_slave_0) entered disabled state
[   23.810782][  T289] bridge_slave_0: entered allmulticast mode
[   23.817063][  T289] bridge_slave_0: entered promiscuous mode
[   23.830318][  T289] bridge0: port 2(bridge_slave_1) entered blocking state
[   23.837407][  T289] bridge0: port 2(bridge_slave_1) entered disabled state
[   23.844509][  T289] bridge_slave_1: entered allmulticast mode
[   23.850750][  T289] bridge_slave_1: entered promiscuous mode
[   23.966201][  T290] bridge0: port 2(bridge_slave_1) entered blocking state
[   23.973280][  T290] bridge0: port 2(bridge_slave_1) entered forwarding state
[   23.980608][  T290] bridge0: port 1(bridge_slave_0) entered blocking state
[   23.987662][  T290] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.021971][  T291] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.029069][  T291] bridge0: port 2(bridge_slave_1) entered forwarding state
[   24.036475][  T291] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.043679][  T291] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.067070][   T13] bridge0: port 1(bridge_slave_0) entered disabled state
[   24.074612][   T13] bridge0: port 2(bridge_slave_1) entered disabled state
[   24.081849][   T13] bridge0: port 1(bridge_slave_0) entered disabled state
[   24.089374][   T13] bridge0: port 2(bridge_slave_1) entered disabled state
[   24.103538][   T12] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.110698][   T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.121913][   T12] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.129007][   T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[   24.181253][   T13] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.188352][   T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.210106][   T12] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.217215][   T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[   24.225636][  T290] veth0_vlan: entered promiscuous mode
[   24.248798][   T13] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.255881][   T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.263446][   T13] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.270534][   T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[   24.278304][   T13] bridge0: port 1(bridge_slave_0) entered blocking state
[   24.285396][   T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[   24.306342][   T13] bridge0: port 2(bridge_slave_1) entered blocking state
[   24.313402][   T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[   24.338988][  T290] veth1_macvtap: entered promiscuous mode
[   24.348716][  T291] veth0_vlan: entered promiscuous mode
[   24.378841][  T288] veth0_vlan: entered promiscuous mode
[   24.390982][  T290] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   24.397419][  T291] veth1_macvtap: entered promiscuous mode
[   24.420506][  T289] veth0_vlan: entered promiscuous mode
[   24.427440][  T288] veth1_macvtap: entered promiscuous mode
[   24.455141][  T289] veth1_macvtap: entered promiscuous mode
[   24.455249][  T333] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[   24.580643][  T340] netlink: 'syz.0.1': attribute type 5 has an invalid length.
[   24.592845][  T340] capability: warning: `syz.0.1' uses deprecated v2 capabilities in a way that may be insecure
[   24.814450][   T10] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[   24.965583][   T10] usb 2-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xFF, changing to 0x8F
[   24.977412][   T10] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x8F has an invalid bInterval 0, changing to 7
[   24.989401][   T10] usb 2-1: config 0 interface 0 altsetting 0 endpoint 0x8F has invalid wMaxPacketSize 0
[   25.000030][   T10] usb 2-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21
[   25.004691][   T31] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   25.013508][   T10] usb 2-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00
[   25.030247][   T10] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   25.039864][   T10] usb 2-1: config 0 descriptor??
[   25.075530][  T291] ------------[ cut here ]------------
[   25.081040][  T291] WARNING: CPU: 1 PID: 291 at fs/inode.c:340 drop_nlink+0xce/0x110
[   25.089073][  T291] Modules linked in:
[   25.093226][  T291] CPU: 1 UID: 0 PID: 291 Comm: syz-executor Not tainted syzkaller #0 a29bcd2d578c4b9493db917853c72486663e8fa1
[   25.104984][  T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   25.115206][  T291] RIP: 0010:drop_nlink+0xce/0x110
[   25.120303][  T291] Code: 04 00 00 be 08 00 00 00 e8 6f 48 ee ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 d2 1c 98 ff <0f> 0b eb 81 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 59 ff ff ff 4c
[   25.140138][  T291] RSP: 0018:ffffc9000b62fc60 EFLAGS: 00010293
[   25.146306][  T291] RAX: ffffffff81edc76e RBX: ffff88810e3f8f50 RCX: ffff888103305f00
[   25.154390][  T291] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   25.162399][  T291] RBP: ffffc9000b62fc88 R08: 0000000000000003 R09: 0000000000000004
[   25.170470][  T291] R10: dffffc0000000000 R11: fffff520016c5f7c R12: dffffc0000000000
[   25.178505][  T291] R13: 1ffff11021c7f1f3 R14: ffff88810e3f8f98 R15: 0000000000000000
[   25.186550][  T291] FS:  000055556ebc0500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
[   25.196096][  T291] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   25.202714][  T291] CR2: 000055556ebe34e8 CR3: 000000010333e000 CR4: 00000000003526b0
[   25.210863][  T291] Call Trace:
[   25.214168][  T291]  <TASK>
[   25.217232][  T291]  shmem_rmdir+0x5f/0x90
[   25.221526][  T291]  vfs_rmdir+0x3e0/0x560
[   25.225869][  T291]  incfs_kill_sb+0x109/0x230
[   25.230512][  T291]  deactivate_locked_super+0xd5/0x2a0
[   25.235971][  T291]  deactivate_super+0xb8/0xe0
[   25.240687][  T291]  cleanup_mnt+0x3f1/0x480
[   25.245183][  T291]  __cleanup_mnt+0x1d/0x40
[   25.249651][  T291]  task_work_run+0x1e3/0x250
[   25.254284][  T291]  ? __cfi_task_work_run+0x10/0x10
[   25.259477][  T291]  ? __x64_sys_umount+0x126/0x170
[   25.264581][  T291]  ? __cfi___x64_sys_umount+0x10/0x10
[   25.269992][  T291]  resume_user_mode_work+0x36/0x50
[   25.275170][  T291]  syscall_exit_to_user_mode+0x64/0xb0
[   25.280654][  T291]  do_syscall_64+0x64/0xf0
[   25.285159][  T291]  ? clear_bhb_loop+0x50/0xa0
[   25.289872][  T291]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   25.295928][  T291] RIP: 0033:0x7fb526f8ff17
[   25.300380][  T291] Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
[   25.320069][  T291] RSP: 002b:00007ffe53541938 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
[   25.328631][  T291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fb526f8ff17
[   25.336665][  T291] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe535419f0
[   25.344705][  T291] RBP: 00007ffe535419f0 R08: 0000000000000000 R09: 0000000000000000
[   25.352714][  T291] R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffe53542a80
[   25.360750][  T291] R13: 00007fb527011c05 R14: 00000000000061e1 R15: 00007ffe53542ac0
[   25.368795][  T291]  </TASK>
[   25.371847][  T291] ---[ end trace 0000000000000000 ]---
[   25.378533][  T291] ==================================================================
[   25.386647][  T291] BUG: KASAN: null-ptr-deref in ihold+0x24/0x70
[   25.393159][  T291] Write of size 4 at addr 0000000000000168 by task syz-executor/291
[   25.401135][  T291] 
[   25.403489][  T291] CPU: 0 UID: 0 PID: 291 Comm: syz-executor Tainted: G        W          syzkaller #0 a29bcd2d578c4b9493db917853c72486663e8fa1
[   25.403521][  T291] Tainted: [W]=WARN
[   25.403526][  T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   25.403536][  T291] Call Trace:
[   25.403543][  T291]  <TASK>
[   25.403550][  T291]  __dump_stack+0x21/0x30
[   25.403575][  T291]  dump_stack_lvl+0x10c/0x190
[   25.403596][  T291]  ? __cfi_dump_stack_lvl+0x10/0x10
[   25.403629][  T291]  print_report+0x3d/0x70
[   25.403665][  T291]  kasan_report+0x163/0x1a0
[   25.403690][  T291]  ? ihold+0x24/0x70
[   25.403706][  T291]  ? _raw_spin_unlock+0x45/0x60
[   25.403745][  T291]  ? ihold+0x24/0x70
[   25.403761][  T291]  kasan_check_range+0x299/0x2a0
[   25.403794][  T291]  __kasan_check_write+0x18/0x20
[   25.403815][  T291]  ihold+0x24/0x70
[   25.403831][  T291]  vfs_rmdir+0x26a/0x560
[   25.403851][  T291]  incfs_kill_sb+0x109/0x230
[   25.403875][  T291]  deactivate_locked_super+0xd5/0x2a0
[   25.403896][  T291]  deactivate_super+0xb8/0xe0
[   25.403915][  T291]  cleanup_mnt+0x3f1/0x480
[   25.403932][  T291]  __cleanup_mnt+0x1d/0x40
[   25.403948][  T291]  task_work_run+0x1e3/0x250
[   25.403966][  T291]  ? __cfi_task_work_run+0x10/0x10
[   25.403984][  T291]  ? __x64_sys_umount+0x126/0x170
[   25.404005][  T291]  ? __cfi___x64_sys_umount+0x10/0x10
[   25.404028][  T291]  resume_user_mode_work+0x36/0x50
[   25.404046][  T291]  syscall_exit_to_user_mode+0x64/0xb0
[   25.404063][  T291]  do_syscall_64+0x64/0xf0
[   25.404082][  T291]  ? clear_bhb_loop+0x50/0xa0
[   25.404098][  T291]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   25.404122][  T291] RIP: 0033:0x7fb526f8ff17
[   25.404136][  T291] Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
[   25.404149][  T291] RSP: 002b:00007ffe53541938 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
[   25.404166][  T291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fb526f8ff17
[   25.404176][  T291] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe535419f0
[   25.404187][  T291] RBP: 00007ffe535419f0 R08: 0000000000000000 R09: 0000000000000000
[   25.404197][  T291] R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffe53542a80
[   25.404208][  T291] R13: 00007fb527011c05 R14: 00000000000061e1 R15: 00007ffe53542ac0
[   25.404221][  T291]  </TASK>
[   25.404227][  T291] ==================================================================
[   25.459554][   T31] usb 1-1: Using ep0 maxpacket: 16
[   25.464099][  T291] Disabling lock debugging due to kernel taint
[   25.469126][   T31] usb 1-1: config 0 has an invalid interface number: 251 but max is 0
[   25.470408][   T10] plantronics 0003:047F:FFFF.0001: ignoring exceeding usage max
[   25.473102][   T31] usb 1-1: config 0 has no interface number 0
[   25.473133][   T31] usb 1-1: config 0 interface 251 altsetting 0 bulk endpoint 0x4 has invalid maxpacket 16
[   25.480770][  T291] BUG: kernel NULL pointer dereference, address: 0000000000000168
[   25.483140][   T31] usb 1-1: config 0 interface 251 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 64
[   25.486735][  T291] #PF: supervisor write access in kernel mode
[   25.486749][  T291] #PF: error_code(0x0002) - not-present page
[   25.486762][  T291] PGD 8000000131492067 P4D 8000000131492067 PUD 0 
[   25.486793][  T291] Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI
[   25.493581][   T31] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=f7.f4
[   25.495613][  T291] CPU: 0 UID: 0 PID: 291 Comm: syz-executor Tainted: G    B   W          syzkaller #0 a29bcd2d578c4b9493db917853c72486663e8fa1
[   25.495651][  T291] Tainted: [B]=BAD_PAGE, [W]=WARN
[   25.495660][  T291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
[   25.501328][   T31] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   25.505700][  T291] RIP: 0010:ihold+0x2a/0x70
[   25.505732][  T291] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 bd 13 98 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 2c 3f ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 cd
[   25.510225][   T31] usb 1-1: Product: syz
[   25.514556][  T291] RSP: 0018:ffffc9000b62fca0 EFLAGS: 00010246
[   25.514580][  T291] RAX: ffff888103305f00 RBX: 0000000000000000 RCX: ffff888103305f00
[   25.514598][  T291] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   25.519260][   T31] usb 1-1: Manufacturer: syz
[   25.524305][  T291] RBP: ffffc9000b62fcb0 R08: ffffffff8896a947 R09: 1ffffffff112d528
[   25.524325][  T291] R10: dffffc0000000000 R11: fffffbfff112d529 R12: ffff88810e3f8f5c
[   25.524342][  T291] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
[   25.529555][   T31] usb 1-1: SerialNumber: syz
[   25.534722][  T291] FS:  000055556ebc0500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[   25.534745][  T291] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   25.534761][  T291] CR2: 0000000000000168 CR3: 000000010333e000 CR4: 00000000003526b0
[   25.534780][  T291] Call Trace:
[   25.534787][  T291]  <TASK>
[   25.534797][  T291]  vfs_rmdir+0x26a/0x560
[   25.534829][  T291]  incfs_kill_sb+0x109/0x230
[   25.545202][   T31] usb 1-1: config 0 descriptor??
[   25.545590][  T291]  deactivate_locked_super+0xd5/0x2a0
[   25.550361][  T350] raw-gadget.1 gadget.0: fail, usb_ep_enable returned -22
[   25.554707][  T291]  deactivate_super+0xb8/0xe0
[   25.562289][  T350] raw-gadget.1 gadget.0: fail, usb_ep_enable returned -22
[   25.565030][  T291]  cleanup_mnt+0x3f1/0x480
[   25.794614][  T350] raw-gadget.1 gadget.0: fail, usb_ep_enable returned -22
[   25.799492][  T291]  __cleanup_mnt+0x1d/0x40
[   25.803909][  T350] raw-gadget.1 gadget.0: fail, usb_ep_enable returned -22
[   25.809925][  T291]  task_work_run+0x1e3/0x250
[   25.954815][  T291]  ? __cfi_task_work_run+0x10/0x10
[   25.960042][  T291]  ? __x64_sys_umount+0x126/0x170
[   25.965235][  T291]  ? __cfi___x64_sys_umount+0x10/0x10
[   25.970670][  T291]  resume_user_mode_work+0x36/0x50
[   25.975894][  T291]  syscall_exit_to_user_mode+0x64/0xb0
[   25.981389][  T291]  do_syscall_64+0x64/0xf0
[   25.985839][  T291]  ? clear_bhb_loop+0x50/0xa0
[   25.990546][  T291]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   25.996469][  T291] RIP: 0033:0x7fb526f8ff17
[   26.000918][  T291] Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
[   26.020555][  T291] RSP: 002b:00007ffe53541938 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
[   26.029007][  T291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fb526f8ff17
[   26.036997][  T291] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe535419f0
[   26.044987][  T291] RBP: 00007ffe535419f0 R08: 0000000000000000 R09: 0000000000000000
[   26.052980][  T291] R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffe53542a80
[   26.060987][  T291] R13: 00007fb527011c05 R14: 00000000000061e1 R15: 00007ffe53542ac0
[   26.068994][  T291]  </TASK>
[   26.072027][  T291] Modules linked in:
[   26.075958][  T291] CR2: 0000000000000168
[   26.080126][  T291] ---[ end trace 0000000000000000 ]---
[   26.085590][  T291] RIP: 0010:ihold+0x2a/0x70
[   26.090135][  T291] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 bd 13 98 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 2c 3f ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 cd
[   26.109760][  T291] RSP: 0018:ffffc9000b62fca0 EFLAGS: 00010246
[   26.115852][  T291] RAX: ffff888103305f00 RBX: 0000000000000000 RCX: ffff888103305f00
[   26.123846][  T291] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   26.131843][  T291] RBP: ffffc9000b62fcb0 R08: ffffffff8896a947 R09: 1ffffffff112d528
[   26.139843][  T291] R10: dffffc0000000000 R11: fffffbfff112d529 R12: ffff88810e3f8f5c
[   26.147831][  T291] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
[   26.155819][  T291] FS:  000055556ebc0500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[   26.164777][  T291] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.171467][  T291] CR2: 0000000000000168 CR3: 000000010333e000 CR4: 00000000003526b0
[   26.179453][  T291] Kernel panic - not syncing: Fatal exception
[   26.185994][  T291] Kernel Offset: disabled
[   26.190325][  T291] Rebooting in 86400 seconds..