last executing test programs: 20m23.902646594s ago: executing program 0 (id=134): mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000300), 0x2, 0x0) mount$fuse(0x0, &(0x7f00000020c0)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r0, @ANYBLOB=',rootmode=00000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0]) read$FUSE(r0, &(0x7f0000002140)={0x2020, 0x0, 0x0}, 0x2020) capset(&(0x7f0000000000)={0x20071026}, &(0x7f0000000280)={0x0, 0x2, 0x0, 0x81, 0xffffffff}) write$FUSE_INIT(r0, &(0x7f0000000440)={0x50, 0x0, r1, {0x7, 0x29, 0x0, 0x14c0348, 0x0, 0x1, 0xfffffffe, 0x0, 0x0, 0x0, 0x0, 0x7fffffff}}, 0x50) 20m19.636292687s ago: executing program 0 (id=136): r0 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_tx_ring(r0, 0x107, 0x5, &(0x7f00000000c0)=@req3={0x8000, 0x6, 0x8000, 0x6}, 0x1c) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}, 0x1, 0x0, 0x0, 0x20040051}, 0x0) sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000300)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a58000000160a03020000000000000000020000000900020073797a30000000000900010073797a30000000002c00038008000140000000000800024000000000180003801400010073797a5f74756e00000000000000000014000000110001"], 0x80}}, 0x0) syz_emit_ethernet(0x16, &(0x7f00000023c0)={@broadcast, @local, @void, {@llc={0x8864, {@snap={0xab, 0x0, '\"', "0095fa", 0x7}}}}}, 0x0) 20m15.631581506s ago: executing program 0 (id=138): socket$nl_route(0x10, 0x3, 0x0) r0 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1\x00', 0x281c2, 0x0) fcntl$setlease(r0, 0x400, 0x0) fcntl$setlease(0xffffffffffffffff, 0x8, 0x0) truncate(&(0x7f0000000040)='./file1\x00', 0x0) close(r0) 20m12.165660257s ago: executing program 0 (id=140): mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x1e) mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f00000001c0)='./file0/../file0\x00', 0x0, 0x101091, 0x0) mount$bind(0x0, &(0x7f0000000300)='./file0/../file0\x00', 0x0, 0x20000, 0x0) mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0\x00', 0x0, 0x101091, 0x0) mount$bind(&(0x7f0000000080)='./file0\x00', &(0x7f00000001c0)='./file0/file0\x00', 0x0, 0x2081c80, 0x0) open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) 20m7.853165433s ago: executing program 0 (id=142): r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x0) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff}) ioctl$NBD_SET_SOCK(r0, 0xab00, r1) ioctl$NBD_DO_IT(r0, 0xab03) r2 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]}) close_range(r2, 0xffffffffffffffff, 0x0) 20m4.825799991s ago: executing program 0 (id=144): epoll_create1(0x0) openat$fb0(0xffffffffffffff9c, &(0x7f0000000180), 0x800, 0x0) r0 = syz_io_uring_setup(0xd1, &(0x7f0000000480)={0x0, 0x0, 0x100, 0x0, 0x335}, &(0x7f0000000080)=0x0, &(0x7f00000001c0)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r1, r2, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, &(0x7f0000000240)=[{&(0x7f0000001800)=""/224, 0xe0}], 0x1}) io_uring_enter(r0, 0x47ba, 0x0, 0x0, 0x0, 0x0) 19m58.325164999s ago: executing program 32 (id=144): epoll_create1(0x0) openat$fb0(0xffffffffffffff9c, &(0x7f0000000180), 0x800, 0x0) r0 = syz_io_uring_setup(0xd1, &(0x7f0000000480)={0x0, 0x0, 0x100, 0x0, 0x335}, &(0x7f0000000080)=0x0, &(0x7f00000001c0)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r1, r2, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, &(0x7f0000000240)=[{&(0x7f0000001800)=""/224, 0xe0}], 0x1}) io_uring_enter(r0, 0x47ba, 0x0, 0x0, 0x0, 0x0) 9m31.541647598s ago: executing program 1 (id=342): r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x5, 0x4, 0x8, 0x5}, 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000540)={{r0}, &(0x7f00000004c0), &(0x7f0000000500)}, 0x20) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000005c0)={0x18, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000000040)='mm_page_alloc\x00', r1}, 0x10) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x6, 0x5, &(0x7f0000000700)=ANY=[@ANYBLOB="18020000fffd3fff0000000000000000850000004100000085000000d000000095"], &(0x7f0000000140)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r2, 0x11, 0x2100, 0x0, &(0x7f0000000100), 0x0, 0x500, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9}, 0x50) 9m25.904047932s ago: executing program 1 (id=344): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000500)={0xa, 0x4e22, 0x9, @ipv4={'\x00', '\xff\xff', @loopback}, 0x5}, 0x1c) setsockopt$inet6_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000280)={@in6={{0xa, 0x4e22, 0xffffffff, @remote, 0x3932}}, 0x0, 0x0, 0x21, 0x0, "0ed1f49c1be6c77a9794d96f9bf095e367c3dde4fb4b86d880c44648df9cb62c02f654fdb8bbd9dbe941d3c99bc65fe221fa8ac76ae23f3222bb9206f0475fae4a0a6af518d55f7275f412aecc8b9e15"}, 0xd8) connect$inet6(r0, &(0x7f0000000180)={0xa, 0x4e22, 0x7, @empty, 0x106}, 0x1c) r1 = fcntl$dupfd(r0, 0x0, r0) setsockopt$SO_TIMESTAMP(r1, 0x1, 0x3e, &(0x7f0000000040)=0x203, 0x4) sendmsg$RDMA_NLDEV_CMD_RES_QP_GET(r1, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000000c0)={0x0}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000) 9m20.425092657s ago: executing program 1 (id=347): seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x2, &(0x7f0000000000)=[{0x1d}, {0x6, 0x0, 0x0, 0x7ffffcb9}]}) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x2, &(0x7f0000000240)={0x1, &(0x7f0000000200)=[{0x6, 0x1, 0x5, 0x7fffffff}]}) r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) r1 = socket(0xa, 0x5, 0x0) connect$inet(r1, &(0x7f0000000080)={0x2, 0x4e20, @rand_addr=0x64010100}, 0x10) ptrace(0x10, r0) ptrace$PTRACE_SECCOMP_GET_FILTER(0x420c, r0, 0x100005, 0x0) 9m14.212901141s ago: executing program 1 (id=349): mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0) r0 = open_tree(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x89901) move_mount(r0, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0) chroot(&(0x7f0000000300)='./file0/../file0/../file0/../file0\x00') r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901) move_mount(r1, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000300)='./file0\x00', 0x0) pivot_root(&(0x7f0000000240)='./file0\x00', &(0x7f00000000c0)='./file0/../file0/../file0/../file0/../file0\x00') 9m9.165773314s ago: executing program 1 (id=351): r0 = io_uring_setup(0x6ecd, &(0x7f0000000140)={0x0, 0x49fd, 0x10003, 0x20002, 0x185}) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, 0x0, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000000c0)=ANY=[@ANYBLOB="140000001000010600000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff1b000000020000000900010073797a30000001000900030073797a320000000014000000110001"], 0x7c}}, 0x0) sendmsg$NFT_BATCH(r1, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000680)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a3c000000120a01020000000000000000020000000900020073797a310000000008000440000000000900010073797a3000000000080003400000000a14000000110001"], 0x64}}, 0x0) close_range(r0, 0xffffffffffffffff, 0x0) 9m6.384647349s ago: executing program 1 (id=353): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) listen(r0, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000540)={0x10, 0x4, &(0x7f0000000380)=ANY=[@ANYBLOB="1802000000c4400000000000e0fe1709850000000e00000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x3}, 0x94) r2 = bpf$MAP_CREATE(0x0, &(0x7f00000023c0)=@base={0x12, 0x4, 0x8, 0xb}, 0x48) bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000140)=ANY=[@ANYRES32=r2, @ANYRES32=r1, @ANYBLOB='\a'], 0x10) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000500)={r2, &(0x7f0000000240), &(0x7f00000004c0)=@tcp6=r0}, 0x20) sendmmsg$inet6(r0, &(0x7f0000000480)=[{{0x0, 0x0, &(0x7f0000000440)=[{&(0x7f0000000200)="bd", 0xf4240}], 0x1}}], 0x1, 0x41) 9m0.477930007s ago: executing program 33 (id=353): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) listen(r0, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000540)={0x10, 0x4, &(0x7f0000000380)=ANY=[@ANYBLOB="1802000000c4400000000000e0fe1709850000000e00000095"], &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x3}, 0x94) r2 = bpf$MAP_CREATE(0x0, &(0x7f00000023c0)=@base={0x12, 0x4, 0x8, 0xb}, 0x48) bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000140)=ANY=[@ANYRES32=r2, @ANYRES32=r1, @ANYBLOB='\a'], 0x10) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000500)={r2, &(0x7f0000000240), &(0x7f00000004c0)=@tcp6=r0}, 0x20) sendmmsg$inet6(r0, &(0x7f0000000480)=[{{0x0, 0x0, &(0x7f0000000440)=[{&(0x7f0000000200)="bd", 0xf4240}], 0x1}}], 0x1, 0x41) 3m18.824340626s ago: executing program 3 (id=429): setresuid(0xffffffffffffffff, 0xffffffffffffffff, 0xee01) r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='task\x00') fchdir(r1) mount(0x0, &(0x7f0000000080)='.\x00', &(0x7f0000000000)='proc\x00', 0x0, 0x0) r2 = syz_open_procfs(r0, &(0x7f0000000000)='map_files\x00') getdents64(r2, 0x0, 0x0) 3m11.203312893s ago: executing program 3 (id=431): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000100)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000200)={0x20, 0x0, &(0x7f0000000000)=[@request_death, @clear_death], 0x0, 0x1000000, 0x0}) r2 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/binder/transactions\x00', 0x0, 0x0) read$FUSE(r2, &(0x7f0000000480)={0x2020}, 0x2020) 3m7.2321715s ago: executing program 3 (id=432): sendmsg$netlink(0xffffffffffffffff, &(0x7f0000000880)={0x0, 0x0, &(0x7f0000000840)=[{&(0x7f0000000b80)=ANY=[@ANYBLOB="1c0000001000ff05000000000000000009003c8004c937b184"], 0x1c}], 0x1}, 0x0) r0 = socket(0x40000000015, 0x5, 0x0) connect$inet(r0, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) bind$inet(r0, &(0x7f0000000340)={0x2, 0x0, @loopback}, 0x57) sendmsg$xdp(r0, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000811}, 0x0) recvmmsg(r0, &(0x7f0000000b40)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000000280)=""/11, 0xb}}], 0x5df, 0x2, 0x0) ppoll(&(0x7f0000000180)=[{r0}], 0x1, 0x0, 0x0, 0x0) 3m3.492585525s ago: executing program 3 (id=434): mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x0) mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x101091, 0x0) mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0) mount$bind(&(0x7f0000000000)='./file0/file0\x00', &(0x7f0000000340)='./file0/file0\x00', 0x0, 0x81105a, 0x0) mount(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x80000, 0x0) mount$bind(&(0x7f0000000480)='./file0\x00', &(0x7f0000000400)='./file0/file0\x00', 0x0, 0x12f451, 0x0) umount2(&(0x7f0000000240)='./file0/file0\x00', 0xb) 2m57.26631889s ago: executing program 3 (id=436): r0 = gettid() timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc)) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) r1 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0) ioctl$VHOST_SET_FEATURES(r1, 0x4008af00, &(0x7f0000000080)=0x200000000) readv(r1, &(0x7f00000002c0)=[{&(0x7f0000000400)=""/89, 0x59}], 0x1) ioctl$DRM_IOCTL_MODE_GETCONNECTOR(0xffffffffffffffff, 0xc05064a7, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0}) 2m54.640227847s ago: executing program 3 (id=437): r0 = socket$inet6(0xa, 0x80002, 0x88) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x10000000004e20, 0x0, @mcast2, 0x6}, 0x1c) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, 0x0, 0x0) syz_emit_ethernet(0x83, &(0x7f0000000240)=ANY=[@ANYBLOB="aaaaaaaaaaaaaaaaf9ff030086dd601b8b97004d88c19edace00000000000000002100000002ff02000000000000000000000000000104004e20004d13"], 0x0) r1 = socket$inet6_udplite(0xa, 0x2, 0x88) sendmmsg$inet6(r1, &(0x7f0000000440)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @mcast2}, 0x1c, 0x0}}], 0x1, 0x0) ppoll(&(0x7f0000000d40)=[{r0}], 0x25, &(0x7f0000000300)={0x0, 0x3938700}, 0x0, 0x0) 2m42.815884173s ago: executing program 34 (id=437): r0 = socket$inet6(0xa, 0x80002, 0x88) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x10000000004e20, 0x0, @mcast2, 0x6}, 0x1c) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, 0x0, 0x0) syz_emit_ethernet(0x83, &(0x7f0000000240)=ANY=[@ANYBLOB="aaaaaaaaaaaaaaaaf9ff030086dd601b8b97004d88c19edace00000000000000002100000002ff02000000000000000000000000000104004e20004d13"], 0x0) r1 = socket$inet6_udplite(0xa, 0x2, 0x88) sendmmsg$inet6(r1, &(0x7f0000000440)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @mcast2}, 0x1c, 0x0}}], 0x1, 0x0) ppoll(&(0x7f0000000d40)=[{r0}], 0x25, &(0x7f0000000300)={0x0, 0x3938700}, 0x0, 0x0) 44.019909606s ago: executing program 2 (id=452): r0 = syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0) r1 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r1, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r1, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_GETPLANE(r1, 0xc02064b6, &(0x7f00000001c0)={r2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_GETPLANE(r0, 0xc02064b6, &(0x7f0000000200)={r2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$DRM_IOCTL_MODE_SETCRTC(r0, 0xc06864a2, &(0x7f0000000400)={0x0, 0x0, r4, r3, 0x0, 0x97b1, 0x0, 0x800, {0x4, 0x1, 0x3, 0x69, 0x200, 0x0, 0x2, 0x5, 0x4cab, 0xe156, 0x2, 0x0, 0x25, 0x0, "fe1d00003413000000000000000caa000000090000000000000004b427180010"}}) 37.565571012s ago: executing program 2 (id=453): r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0201, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000000000)) ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x70) r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000) write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000) ioctl$SNDCTL_DSP_GETIPTR(r1, 0x800c5011, &(0x7f0000000240)) 23.97890664s ago: executing program 2 (id=454): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000180)=0x100000001, 0x4) setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r0, 0x6, 0x14, &(0x7f0000000140)=0x1, 0x4) connect$inet6(r0, &(0x7f0000000080)={0xa, 0x0, 0x0, @loopback, 0x80001}, 0x1c) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000380)='cpuacct.usage_sys\x00', 0x275a, 0x0) write$binfmt_script(r1, &(0x7f00000004c0)={'#! ', '', [], 0xa, "d943f459535ea6824ac85972d7"}, 0x11) sendfile(r0, r1, &(0x7f0000000100)=0x10, 0x746) 14.974352339s ago: executing program 2 (id=455): capset(0x0, &(0x7f0000000280)={0x0, 0x3, 0x7, 0x0, 0x10040, 0x8f}) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) mkdirat(0xffffffffffffffff, &(0x7f0000000380)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0) r0 = add_key$keyring(&(0x7f00000001c0), &(0x7f00000002c0)={'syz', 0x0}, 0x0, 0x0, 0xfffffffffffffffd) r1 = add_key$user(&(0x7f0000000380), &(0x7f0000000340)={'syz', 0x0}, &(0x7f00000006c0)='Z', 0x1, r0) r2 = add_key$user(&(0x7f0000000200), &(0x7f00000005c0), &(0x7f00000000c0), 0x390, 0xfffffffffffffffd) keyctl$dh_compute(0x17, &(0x7f0000000080)={r1, r2, r2}, 0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000140)={'sha1-generic\x00'}}) 6.674018252s ago: executing program 2 (id=456): r0 = socket$inet_tcp(0x2, 0x1, 0x0) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r1, &(0x7f00000001c0)={0xa, 0x4e22}, 0x1c) setsockopt$inet6_int(r1, 0x29, 0x3, &(0x7f0000000380)=0x1040, 0x4) sendto$inet6(r1, 0x0, 0x0, 0x200008d4, &(0x7f000072e000)={0xa, 0x4e22, 0x0, @loopback, 0x1}, 0x1c) sendto$inet6(r1, &(0x7f00000000c0)="d500b83d1414e8858dddd5e75521c818d1fa", 0x12, 0x24048080, 0x0, 0x0) close_range(r0, 0xffffffffffffffff, 0x0) 0s ago: executing program 2 (id=457): socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff}) r1 = syz_open_dev$ndb(&(0x7f00000000c0), 0x0, 0x0) ioctl$NBD_SET_FLAGS(r1, 0xab0a, 0x479) r2 = syz_open_dev$ndb(&(0x7f0000000040), 0x0, 0x200) ioctl$NBD_SET_SOCK(r2, 0xab00, r0) ioctl$NBD_DO_IT(r1, 0xab03) ioctl$NBD_CLEAR_SOCK(r1, 0xab04) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:60590' (ED25519) to the list of known hosts. syzkaller login: [ 397.406188][ T3210] cgroup: Unknown subsys name 'net' [ 398.085652][ T3210] cgroup: Unknown subsys name 'cpuset' [ 398.209600][ T3210] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 461.916731][ T3210] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 551.665652][ T3217] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 552.031136][ T3217] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 552.831442][ T3219] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 553.281334][ T3219] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 564.682204][ T3217] hsr_slave_0: entered promiscuous mode [ 564.735120][ T3217] hsr_slave_1: entered promiscuous mode [ 565.594312][ T3219] hsr_slave_0: entered promiscuous mode [ 565.625855][ T3219] hsr_slave_1: entered promiscuous mode [ 565.646219][ T3219] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 565.651218][ T3219] Cannot create hsr debugfs directory [ 574.162663][ T3219] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 574.494359][ T3219] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 574.694181][ T3219] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 575.085531][ T3219] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 576.641639][ T3217] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 576.726273][ T3217] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 576.826909][ T3217] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 577.133471][ T3217] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 590.327654][ T3219] 8021q: adding VLAN 0 to HW filter on device bond0 [ 593.311570][ T3217] 8021q: adding VLAN 0 to HW filter on device bond0 [ 624.998342][ T3219] veth0_vlan: entered promiscuous mode [ 625.729275][ T3219] veth1_vlan: entered promiscuous mode [ 626.905079][ T3219] veth0_macvtap: entered promiscuous mode [ 627.222757][ T3219] veth1_macvtap: entered promiscuous mode [ 628.840385][ T3217] veth0_vlan: entered promiscuous mode [ 629.686466][ T3217] veth1_vlan: entered promiscuous mode [ 630.172074][ T3219] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 630.174411][ T3219] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 630.175679][ T3219] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 630.176884][ T3219] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 632.441080][ T3217] veth0_macvtap: entered promiscuous mode [ 632.792455][ T3217] veth1_macvtap: entered promiscuous mode [ 634.087542][ T3217] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 634.091785][ T3217] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 634.092397][ T3219] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 634.095075][ T3217] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 634.097060][ T3217] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 681.220302][ T3970] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 693.202621][ T3983] syz.1.25 uses obsolete (PF_INET,SOCK_PACKET) [ 713.592487][ T4008] Zero length message leads to an empty skb [ 718.484977][ T4013] fanotify: failed to encode fid (type=0, len=0, err=-2) [ 723.063840][ T34] audit: type=1326 audit(722.030:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4016 comm="syz.0.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=98 compat=0 ip=0xdbb4a code=0x7fc00000 [ 731.339931][ T34] audit: type=1326 audit(730.330:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4016 comm="syz.0.37" exe="/syz-executor" sig=0 arch=c00000f3 syscall=139 compat=0 ip=0x7fffb1ff45e8 code=0x7fc00000 [ 797.135389][ T55] block nbd0: Receive control failed (result -107) [ 797.182594][ T4091] nbd0: detected capacity change from 0 to 63 [ 809.051219][ T4108] ALSA: mixer_oss: invalid OSS volume ':' [ 809.053255][ T4108] ALSA: mixer_oss: invalid OSS volume '010000E0' [ 809.056019][ T4108] ALSA: mixer_oss: invalid OSS volume '3' [ 809.063582][ T4108] ALSA: mixer_oss: invalid OSS volume '010000E0' [ 809.065392][ T4108] ALSA: mixer_oss: invalid OSS volume '4' [ 809.067123][ T4108] ALSA: mixer_oss: invalid OSS volume '010000E0' [ 809.101181][ T4108] ALSA: mixer_oss: invalid OSS volume '5' [ 813.006305][ C0] GRED: Unable to relocate VQ 0x0 after dequeue, screwing up backlog [ 814.026061][ T4116] netlink: 'syz.1.75': attribute type 64 has an invalid length. [ 814.035621][ T4116] netlink: 16 bytes leftover after parsing attributes in process `syz.1.75'. [ 825.452850][ T4131] netlink: 'syz.1.80': attribute type 1 has an invalid length. [ 825.460418][ T4131] netlink: 224 bytes leftover after parsing attributes in process `syz.1.80'. [ 835.415747][ T4143] netlink: 4 bytes leftover after parsing attributes in process `syz.1.85'. [ 843.824363][ T4157] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 847.852004][ T4161] input: syz1 as /devices/virtual/input/input0 [ 851.274550][ T4171] netlink: 8 bytes leftover after parsing attributes in process `syz.0.97'. [ 851.276758][ T4171] netlink: 4 bytes leftover after parsing attributes in process `syz.0.97'. [ 851.292920][ T4171] netlink: 'syz.0.97': attribute type 18 has an invalid length. [ 878.920734][ T4209] capability: warning: `syz.0.111' uses 32-bit capabilities (legacy support in use) [ 896.010463][ T4232] Illegal XDP return value 4294967274 on prog (id 26) dev syz_tun, expect packet loss! [ 926.110618][ T4265] capability: warning: `syz.0.134' uses deprecated v2 capabilities in a way that may be insecure [ 952.244739][ T4289] iwpm_register_pid: Unable to send a nlmsg (client = 2) [ 952.504609][ T4289] infiniband syz2: RDMA CMA: cma_listen_on_dev, error -98 [ 960.113879][ T4306] syz_tun: entered promiscuous mode [ 960.237255][ T4306] batadv_slave_0: entered promiscuous mode [ 960.424099][ T4304] batadv_slave_0: left promiscuous mode [ 960.470151][ T4304] syz_tun: left promiscuous mode [ 991.152008][ T4307] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 991.276777][ T4307] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1011.841224][ T4307] hsr_slave_0: entered promiscuous mode [ 1011.915684][ T4307] hsr_slave_1: entered promiscuous mode [ 1011.997019][ T4307] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 1012.003046][ T4307] Cannot create hsr debugfs directory [ 1012.601709][ T34] audit: type=1800 audit(1011.540:4): pid=4572 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.1.157" name="dmabuf" dev="dmabuf" ino=4 res=0 errno=0 [ 1021.776100][ T4307] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 1021.884526][ T4307] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 1022.007486][ T4307] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 1022.164158][ T4307] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 1022.700618][ T12] nci: nci_extract_activation_params_iso_dep: unsupported activation_rf_tech_and_mode 0x6 [ 1035.851770][ T4307] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1038.289544][ C0] GRED: Unable to relocate VQ 0x0 after dequeue, screwing up backlog [ 1088.555360][ T4307] veth0_vlan: entered promiscuous mode [ 1089.127606][ T4307] veth1_vlan: entered promiscuous mode [ 1091.952890][ T4307] veth0_macvtap: entered promiscuous mode [ 1092.333911][ T4307] veth1_macvtap: entered promiscuous mode [ 1095.560971][ T4307] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 1095.562897][ T4307] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 1095.564595][ T4307] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 1095.565999][ T4307] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 1129.321777][ T4772] tls_set_device_offload_rx: netdev not found [ 1137.794334][ T4785] process 'syz.1.185' launched './file2' with NULL argv: empty string added [ 1143.313223][ T4789] syzkaller1: entered promiscuous mode [ 1143.315790][ T4789] syzkaller1: entered allmulticast mode [ 1148.080460][ T34] audit: type=1326 audit(1147.070:5): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=4798 comm="syz.1.190" exe="/syz-executor" sig=31 arch=c00000f3 syscall=98 compat=0 ip=0xdbb4a code=0x0 [ 1215.931639][ T4074] hid-generic 0000:0000:0000.0001: unknown main item tag 0x0 [ 1216.021805][ T4074] hid-generic 0000:0000:0000.0001: hidraw0: HID v0.00 Device [syz1] on syz0 [ 1248.975115][ T10] hid-generic 0000:0000:0000.0002: unknown main item tag 0x0 [ 1249.130443][ T10] hid-generic 0000:0000:0000.0002: hidraw0: HID v0.00 Device [syz1] on syz0 [ 1249.833561][ T4074] usb 2-1: new high-speed USB device number 2 using dummy_hcd [ 1250.160284][ T4074] usb 2-1: Using ep0 maxpacket: 16 [ 1250.239528][ T4074] usb 2-1: config 0 has no interfaces? [ 1250.243703][ T4074] usb 2-1: New USB device found, idVendor=056a, idProduct=0029, bcdDevice= 0.00 [ 1250.245032][ T4074] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1250.374731][ T4074] usb 2-1: config 0 descriptor?? [ 1251.229516][ T4901] hid-generic 0000:0000:0000.0002: pid 4901 passed too large report [ 1251.353437][ T4074] usb 2-1: USB disconnect, device number 2 [ 1267.033095][ T4932] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1267.115910][ T4932] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1281.846172][ T4946] netlink: 'syz.2.243': attribute type 11 has an invalid length. [ 1281.849166][ T4946] netlink: 4 bytes leftover after parsing attributes in process `syz.2.243'. [ 1282.206900][ T4946] netdevsim netdevsim2 netdevsim0: set [0, 0] type 1 family 0 port 8472 - 0 [ 1282.212006][ T4946] netdevsim netdevsim2 netdevsim1: set [0, 0] type 1 family 0 port 8472 - 0 [ 1282.214167][ T4946] netdevsim netdevsim2 netdevsim2: set [0, 0] type 1 family 0 port 8472 - 0 [ 1282.216316][ T4946] netdevsim netdevsim2 netdevsim3: set [0, 0] type 1 family 0 port 8472 - 0 [ 1282.413807][ T4946] netlink: 'syz.2.243': attribute type 11 has an invalid length. [ 1282.423014][ T4946] netlink: 4 bytes leftover after parsing attributes in process `syz.2.243'. [ 1290.587611][ T4955] netlink: 4 bytes leftover after parsing attributes in process `syz.2.246'. [ 1316.201554][ T4975] mmap: syz.1.254 (4975) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 1336.464654][ T5002] nbd: device at index 1 is going down [ 1363.469169][ T5035] input: syz1 as /devices/virtual/input/input1 [ 1363.536922][ T5036] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1363.576461][ T5036] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1368.721354][ T10] usb 2-1: new high-speed USB device number 3 using dummy_hcd [ 1368.961651][ T10] usb 2-1: Using ep0 maxpacket: 16 [ 1369.106893][ T10] usb 2-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 1369.111100][ T10] usb 2-1: config 0 has no interfaces? [ 1369.113025][ T10] usb 2-1: New USB device found, idVendor=045e, idProduct=07da, bcdDevice= 0.00 [ 1369.115156][ T10] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 1369.590773][ T10] usb 2-1: config 0 descriptor?? [ 1371.551842][ T4915] usb 2-1: USB disconnect, device number 3 [ 1375.989185][ T5058] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1376.000521][ T5058] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1393.293575][ T5083] netlink: 4 bytes leftover after parsing attributes in process `syz.1.286'. [ 1417.837024][ T5122] TCP: request_sock_subflow_v6: Possible SYN flooding on port [fe80::aa]:20002. Sending cookies. [ 1422.561757][ T5128] netlink: 4 bytes leftover after parsing attributes in process `syz.1.293'. [ 1449.056506][ T5154] pim6reg1: entered promiscuous mode [ 1449.059528][ T5154] pim6reg1: entered allmulticast mode [ 1449.624611][ T5158] binder: 5157:5158 ioctl 4018620d 0 returned -22 [ 1450.445681][ T5161] binder: 5157:5161 ioctl c018620c 0 returned -14 [ 1454.621087][ T5164] netlink: 4 bytes leftover after parsing attributes in process `syz.2.302'. [ 1488.842650][ C0] GRED: Unable to relocate VQ 0x0 after dequeue, screwing up backlog [ 1500.770834][ T4915] usb 2-1: new high-speed USB device number 4 using dummy_hcd [ 1500.841357][ T5211] netlink: 4 bytes leftover after parsing attributes in process `syz.2.316'. [ 1501.005235][ T4915] usb 2-1: Using ep0 maxpacket: 16 [ 1501.182114][ T4915] usb 2-1: config 1 contains an unexpected descriptor of type 0x2, skipping [ 1501.186359][ T4915] usb 2-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 1501.204924][ T4915] usb 2-1: config 1 has 1 interface, different from the descriptor's value: 3 [ 1501.391718][ T4915] usb 2-1: New USB device found, idVendor=1d6b, idProduct=0101, bcdDevice= 0.40 [ 1501.395707][ T4915] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1501.397623][ T4915] usb 2-1: Product: syz [ 1501.431906][ T4915] usb 2-1: Manufacturer: syz [ 1501.433767][ T4915] usb 2-1: SerialNumber: syz [ 1504.457219][ T4915] usb 2-1: 0:2 : does not exist [ 1509.000414][ T4915] usb 2-1: 1:0: failed to get current value for ch 0 (-22) [ 1509.807118][ T4915] usb 2-1: USB disconnect, device number 4 [ 1576.263451][ T5312] netlink: 96 bytes leftover after parsing attributes in process `syz.2.341'. [ 1592.081991][ T5336] netdevsim netdevsim2: Direct firmware load for  failed with error -2 [ 1592.085822][ T5336] netdevsim netdevsim2: Falling back to sysfs fallback for:  [ 1633.977576][ T5385] infiniband syz2: RDMA CMA: cma_listen_on_dev, error -98 [ 1655.204998][ T5363] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 1655.404919][ T5363] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 1674.233245][ T5363] hsr_slave_0: entered promiscuous mode [ 1674.349634][ T5363] hsr_slave_1: entered promiscuous mode [ 1674.378721][ T5363] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 1674.380980][ T5363] Cannot create hsr debugfs directory [ 1686.254855][ T5363] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 1686.459586][ T5363] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 1686.574664][ T5363] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 1686.724825][ T5363] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 1694.045711][ T5733] gtp0: entered promiscuous mode [ 1700.665114][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x1 [ 1700.672985][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.674765][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.676415][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.701622][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.732537][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.734564][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.736261][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.765881][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x2 [ 1700.791758][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.793841][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.795742][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.797447][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.831556][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.833374][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.835022][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.836722][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.857557][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.876504][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.881170][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.882994][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.884724][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.886373][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.911268][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.913501][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.915230][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.916952][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.959433][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.961512][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.963211][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.964977][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1700.966668][ T4915] hid-generic 0000:0000:0000.0003: unknown main item tag 0x0 [ 1701.115819][ T4915] hid-generic 0000:0000:0000.0003: hidraw0: HID v0.00 Device [syz0] on syz1 [ 1703.529516][ T5363] 8021q: adding VLAN 0 to HW filter on device bond0 [ 1767.303755][ T5363] veth0_vlan: entered promiscuous mode [ 1767.968963][ T5363] veth1_vlan: entered promiscuous mode [ 1770.404144][ T5363] veth0_macvtap: entered promiscuous mode [ 1770.765272][ T5363] veth1_macvtap: entered promiscuous mode [ 1773.525015][ T5363] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 1773.526569][ T5363] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 1773.540915][ T5363] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 1773.542620][ T5363] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 1792.721277][ T5840] syz_tun: entered allmulticast mode [ 1794.555577][ T5839] syz_tun: left allmulticast mode [ 1824.661181][ T5867] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 1824.693610][ T5867] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 1841.034194][ T5880] netlink: 4 bytes leftover after parsing attributes in process `syz.3.402'. [ 1874.572236][ T5894] netlink: 32 bytes leftover after parsing attributes in process `syz.3.406'. [ 1901.326962][ T5923] fanotify: failed to encode fid (type=0, len=0, err=-2) [ 1916.351993][ T5935] binder: 5934:5935 ioctl c0306201 200000000040 returned -14 [ 1957.932868][ T5974] hsr_slave_0: hsr_addr_subst_dest: Unknown node [ 1957.940217][ T5974] hsr_slave_1: hsr_addr_subst_dest: Unknown node [ 1958.062930][ T5974] hsr_slave_0: left promiscuous mode [ 1958.096633][ T5974] hsr_slave_1: left promiscuous mode [ 1966.026422][ T5982] ======================================================= [ 1966.026422][ T5982] WARNING: The mand mount option has been deprecated and [ 1966.026422][ T5982] and is ignored by this kernel. Remove the mand [ 1966.026422][ T5982] option from the mount to silence this warning. [ 1966.026422][ T5982] ======================================================= [ 1973.926107][ T4674] netdevsim netdevsim3 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 1974.974169][ T4674] netdevsim netdevsim3 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 1976.032218][ T4674] netdevsim netdevsim3 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 1977.031478][ T4674] netdevsim netdevsim3 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 1991.770540][ T4674] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 1992.131133][ T4674] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 1992.363595][ T4674] bond0 (unregistering): Released all slaves [ 1994.387761][ T4674] hsr_slave_0: left promiscuous mode [ 1994.533058][ T4674] hsr_slave_1: left promiscuous mode [ 1995.363812][ T4674] veth1_macvtap: left promiscuous mode [ 1995.368750][ T4674] veth0_macvtap: left promiscuous mode [ 1995.406019][ T4674] veth1_vlan: left promiscuous mode [ 1995.450769][ T4674] veth0_vlan: left promiscuous mode [ 2079.906376][ T6015] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 2080.205597][ T6015] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 2084.889496][ T6241] syz_tun: entered allmulticast mode [ 2085.043306][ T6240] syz_tun: left allmulticast mode [ 2106.123099][ T6015] hsr_slave_0: entered promiscuous mode [ 2106.192437][ T6015] hsr_slave_1: entered promiscuous mode [ 2106.261111][ T6015] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 2106.262714][ T6015] Cannot create hsr debugfs directory [ 2122.493038][ T6015] netdevsim netdevsim4 netdevsim0: renamed from eth0 [ 2123.096661][ T6015] netdevsim netdevsim4 netdevsim1: renamed from eth1 [ 2123.984993][ T6015] netdevsim netdevsim4 netdevsim2: renamed from eth2 [ 2124.623778][ T6015] netdevsim netdevsim4 netdevsim3: renamed from eth3 [ 2146.725933][ T6015] 8021q: adding VLAN 0 to HW filter on device bond0 [ 2151.171246][ T6424] [ 2151.172127][ T6424] ====================================================== [ 2151.172884][ T6424] WARNING: possible circular locking dependency detected [ 2151.174163][ T6424] 6.16.0-rc1-syzkaller-gfda589c28604 #0 Not tainted [ 2151.176092][ T6424] ------------------------------------------------------ [ 2151.177311][ T6424] syz.2.457/6424 is trying to acquire lock: [ 2151.178576][ T6424] ffffaf801a4dfa30 (&nbd->config_lock){+.+.}-{4:4}, at: nbd_open+0x3c0/0x6fe [ 2151.182233][ T6424] [ 2151.182233][ T6424] but task is already holding lock: [ 2151.184643][ T6424] ffffffff88e269e8 (nbd_index_mutex){+.+.}-{4:4}, at: nbd_open+0x98/0x6fe [ 2151.187866][ T6424] [ 2151.187866][ T6424] which lock already depends on the new lock. [ 2151.187866][ T6424] [ 2151.190156][ T6424] [ 2151.190156][ T6424] the existing dependency chain (in reverse order) is: [ 2151.191354][ T6424] [ 2151.191354][ T6424] -> #3 (nbd_index_mutex){+.+.}-{4:4}: [ 2151.194760][ T6424] lock_acquire+0x1ac/0x448 [ 2151.197075][ T6424] __mutex_lock+0x166/0x1292 [ 2151.199507][ T6424] mutex_lock_nested+0x14/0x1c [ 2151.201082][ T6424] nbd_open+0x98/0x6fe [ 2151.202425][ T6424] blkdev_get_whole+0x8a/0x266 [ 2151.204515][ T6424] bdev_open+0x292/0xce6 [ 2151.206410][ T6424] blkdev_open+0x264/0x39a [ 2151.207666][ T6424] do_dentry_open+0x97e/0x171e [ 2151.208945][ T6424] vfs_open+0xbe/0x380 [ 2151.210100][ T6424] path_openat+0x1bd8/0x2a82 [ 2151.211432][ T6424] do_filp_open+0x19c/0x380 [ 2151.212789][ T6424] do_sys_openat2+0x11a/0x1c2 [ 2151.213991][ T6424] __riscv_sys_openat+0x178/0x1fe [ 2151.215214][ T6424] syscall_handler+0x94/0x118 [ 2151.216511][ T6424] do_trap_ecall_u+0x396/0x530 [ 2151.217841][ T6424] handle_exception+0x146/0x152 [ 2151.219360][ T6424] [ 2151.219360][ T6424] -> #2 (&disk->open_mutex){+.+.}-{4:4}: [ 2151.221650][ T6424] lock_acquire+0x1ac/0x448 [ 2151.223030][ T6424] __mutex_lock+0x166/0x1292 [ 2151.225199][ T6424] mutex_lock_nested+0x14/0x1c [ 2151.227267][ T6424] __del_gendisk+0x132/0xac6 [ 2151.229902][ T6424] del_gendisk+0xf6/0x19a [ 2151.232140][ T6424] nbd_dev_remove+0x3c/0xf2 [ 2151.234281][ T6424] nbd_dev_remove_work+0x1c/0x26 [ 2151.236486][ T6424] process_one_work+0x96a/0x1f32 [ 2151.238582][ T6424] worker_thread+0x5ce/0xde8 [ 2151.240333][ T6424] kthread+0x39c/0x7d4 [ 2151.241503][ T6424] ret_from_fork_kernel+0x2a/0xbb2 [ 2151.242735][ T6424] ret_from_fork_kernel_asm+0x16/0x18 [ 2151.245139][ T6424] [ 2151.245139][ T6424] -> #1 (&set->update_nr_hwq_lock){++++}-{4:4}: [ 2151.248659][ T6424] lock_acquire+0x1ac/0x448 [ 2151.250132][ T6424] down_write+0x9c/0x19a [ 2151.251344][ T6424] blk_mq_update_nr_hw_queues+0x3e/0xb86 [ 2151.252656][ T6424] nbd_start_device+0x140/0xb2c [ 2151.254673][ T6424] nbd_genl_connect+0xae0/0x1b24 [ 2151.256141][ T6424] genl_family_rcv_msg_doit+0x206/0x2e6 [ 2151.257603][ T6424] genl_rcv_msg+0x514/0x78e [ 2151.259070][ T6424] netlink_rcv_skb+0x206/0x3be [ 2151.260475][ T6424] genl_rcv+0x36/0x4c [ 2151.261817][ T6424] netlink_unicast+0x4f0/0x82c [ 2151.263942][ T6424] netlink_sendmsg+0x85e/0xdd6 [ 2151.265357][ T6424] __sock_sendmsg+0xcc/0x160 [ 2151.266750][ T6424] ____sys_sendmsg+0x63e/0x79c [ 2151.269010][ T6424] ___sys_sendmsg+0x144/0x1e6 [ 2151.271222][ T6424] __sys_sendmsg+0x188/0x246 [ 2151.273433][ T6424] __riscv_sys_sendmsg+0x70/0xa2 [ 2151.275669][ T6424] syscall_handler+0x94/0x118 [ 2151.277747][ T6424] do_trap_ecall_u+0x396/0x530 [ 2151.279988][ T6424] handle_exception+0x146/0x152 [ 2151.282154][ T6424] [ 2151.282154][ T6424] -> #0 (&nbd->config_lock){+.+.}-{4:4}: [ 2151.285434][ T6424] check_noncircular+0x132/0x146 [ 2151.287601][ T6424] __lock_acquire+0x12b2/0x24ea [ 2151.289838][ T6424] lock_acquire+0x1ac/0x448 [ 2151.291436][ T6424] __mutex_lock+0x166/0x1292 [ 2151.292214][ T6424] mutex_lock_nested+0x14/0x1c [ 2151.292936][ T6424] nbd_open+0x3c0/0x6fe [ 2151.293694][ T6424] blkdev_get_whole+0x8a/0x266 [ 2151.294501][ T6424] bdev_open+0x292/0xce6 [ 2151.295146][ T6424] blkdev_open+0x264/0x39a [ 2151.295816][ T6424] do_dentry_open+0x97e/0x171e [ 2151.296566][ T6424] vfs_open+0xbe/0x380 [ 2151.297240][ T6424] path_openat+0x1bd8/0x2a82 [ 2151.298414][ T6424] do_filp_open+0x19c/0x380 [ 2151.299570][ T6424] do_sys_openat2+0x11a/0x1c2 [ 2151.300738][ T6424] __riscv_sys_openat+0x178/0x1fe [ 2151.301899][ T6424] syscall_handler+0x94/0x118 [ 2151.302826][ T6424] do_trap_ecall_u+0x396/0x530 [ 2151.303604][ T6424] handle_exception+0x146/0x152 [ 2151.304551][ T6424] [ 2151.304551][ T6424] other info that might help us debug this: [ 2151.304551][ T6424] [ 2151.305325][ T6424] Chain exists of: [ 2151.305325][ T6424] &nbd->config_lock --> &disk->open_mutex --> nbd_index_mutex [ 2151.305325][ T6424] [ 2151.307437][ T6424] Possible unsafe locking scenario: [ 2151.307437][ T6424] [ 2151.308928][ T6424] CPU0 CPU1 [ 2151.309488][ T6424] ---- ---- [ 2151.310141][ T6424] lock(nbd_index_mutex); [ 2151.310992][ T6424] lock(&disk->open_mutex); [ 2151.312006][ T6424] lock(nbd_index_mutex); [ 2151.313027][ T6424] lock(&nbd->config_lock); [ 2151.314061][ T6424] [ 2151.314061][ T6424] *** DEADLOCK *** [ 2151.314061][ T6424] [ 2151.314900][ T6424] 2 locks held by syz.2.457/6424: [ 2151.315682][ T6424] #0: ffffaf801a4f5358 (&disk->open_mutex){+.+.}-{4:4}, at: bdev_open+0x3d0/0xce6 [ 2151.317529][ T6424] #1: ffffffff88e269e8 (nbd_index_mutex){+.+.}-{4:4}, at: nbd_open+0x98/0x6fe [ 2151.320300][ T6424] [ 2151.320300][ T6424] stack backtrace: [ 2151.321581][ T6424] CPU: 0 UID: 0 PID: 6424 Comm: syz.2.457 Not tainted 6.16.0-rc1-syzkaller-gfda589c28604 #0 PREEMPT [ 2151.321985][ T6424] Hardware name: riscv-virtio,qemu (DT) [ 2151.322387][ T6424] Call Trace: [ 2151.322539][ T6424] [] dump_backtrace+0x2e/0x3c [ 2151.322960][ T6424] [] show_stack+0x30/0x3c [ 2151.323239][ T6424] [] dump_stack_lvl+0x12e/0x1a6 [ 2151.323617][ T6424] [] dump_stack+0x1c/0x24 [ 2151.324030][ T6424] [] print_circular_bug+0x254/0x29a [ 2151.324526][ T6424] [] check_noncircular+0x132/0x146 [ 2151.324909][ T6424] [] __lock_acquire+0x12b2/0x24ea [ 2151.325294][ T6424] [] lock_acquire+0x1ac/0x448 [ 2151.325696][ T6424] [] __mutex_lock+0x166/0x1292 [ 2151.325961][ T6424] [] mutex_lock_nested+0x14/0x1c [ 2151.326225][ T6424] [] nbd_open+0x3c0/0x6fe [ 2151.326582][ T6424] [] blkdev_get_whole+0x8a/0x266 [ 2151.327090][ T6424] [] bdev_open+0x292/0xce6 [ 2151.327486][ T6424] [] blkdev_open+0x264/0x39a [ 2151.327984][ T6424] [] do_dentry_open+0x97e/0x171e [ 2151.328420][ T6424] [] vfs_open+0xbe/0x380 [ 2151.328856][ T6424] [] path_openat+0x1bd8/0x2a82 [ 2151.329458][ T6424] [] do_filp_open+0x19c/0x380 [ 2151.330064][ T6424] [] do_sys_openat2+0x11a/0x1c2 [ 2151.330552][ T6424] [] __riscv_sys_openat+0x178/0x1fe [ 2151.331020][ T6424] [] syscall_handler+0x94/0x118 [ 2151.331369][ T6424] [] do_trap_ecall_u+0x396/0x530 [ 2151.331707][ T6424] [] handle_exception+0x146/0x152 SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 2154.482156][ T6431] block nbd2: shutting down sockets [ 2175.331945][ T5988] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 2175.442435][ T5988] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 2175.537333][ T5988] bond0 (unregistering): Released all slaves [ 2176.482855][ T5988] hsr_slave_0: left promiscuous mode [ 2176.582146][ T5988] hsr_slave_1: left promiscuous mode VM DIAGNOSIS: 09:57:49 Registers: info registers vcpu 0 CPU#0 V = 0 pc ffffffff80359a90 mhartid 0000000000000000 mstatus 0000000a000000a0 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000200 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b109 mtvec 00000000800004f0 stvec ffffffff8634b694 vstvec 0000000000000000 mepc ffffffff8008eba2 sepc ffffffff802d3320 vsepc 0000000000000000 mcause 0000000000000009 scause 8000000000000005 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 000000008004a000 sscratch 0000000000000000 satp 904ab0000009fcf5 x0/zero 0000000000000000 x1/ra ffffffff802ffbae x2/sp ffff8f80019d6c20 x3/gp ffffffff89c83ca0 x4/tp ffffaf801a51cec0 x5/t0 ffff8f80019d6d14 x6/t1 fffffffef1390fb8 x7/t2 63722d302e36312e x8/s0 ffff8f80019d6c60 x9/s1 ffffffff882e86c0 x10/a0 ffffffff882e86c0 x11/a1 0000000000000000 x12/a2 0000000000000000 x13/a3 0000000000000007 x14/a4 0000000000000000 x15/a5 0000000000000000 x16/a6 0000000000000003 x17/a7 0000000000000003 x18/s2 0000000200000020 x19/s3 0000000000000400 x20/s4 ffff8f80019d6e60 x21/s5 0000000000000000 x22/s6 ffff8f80019d6d20 x23/s7 ffffffff88ff2998 x24/s8 0000000000000000 x25/s9 0000000000000001 x26/s10 dfffffff00000000 x27/s11 ffff8f80019d6d80 x28/t3 ffffffff90e45f77 x29/t4 fffffffef1390fb8 x30/t5 fffffffef1390fb9 x31/t6 ffff8f80019d6778 fcsr 0000000000000000 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000 info registers vcpu 1 CPU#1 V = 0 pc ffffffff802d77f0 mhartid 0000000000000001 mstatus 0000000a000001a2 hstatus 0000000200000000 vsstatus 0000000a00000000 mip 0000000000000000 mie 000000000000022a mideleg 0000000000001666 hideleg 0000000000000444 medeleg 0000000000f0b509 hedeleg 000000000000b109 mtvec 00000000800004f0 stvec ffffffff8634b694 vstvec 0000000000000000 mepc ffffffff804eb56c sepc ffffffff812fc48a vsepc 0000000000000000 mcause 8000000000000003 scause 8000000000000005 vscause 0000000000000000 mtval 0000000000000000 stval 0000000000000000 htval 0000000000000000 mtval2 0000000000000000 mscratch 0000000080048000 sscratch 0000000000000000 satp 900660000009d238 x0/zero 0000000000000000 x1/ra ffffffff800784e2 x2/sp ffff8f8002e27830 x3/gp ffffffff89c83ca0 x4/tp ffffaf801ab9b480 x5/t0 ffff8f8000017680 x6/t1 fffffffef11fd788 x7/t2 1ffff1f000002ef8 x8/s0 ffff8f8002e27830 x9/s1 ffff8f8002e27970 x10/a0 0000000000000000 x11/a1 0000000000000000 x12/a2 0000000000000002 x13/a3 ffffffff8007856c x14/a4 0000000000000000 x15/a5 ffffffff8634b9fc x16/a6 0000000000000003 x17/a7 ffffffff88febc43 x18/s2 ffff8f8002e27970 x19/s3 ffffffff8020e730 x20/s4 0000000000000000 x21/s5 dfffffff00000000 x22/s6 ffffffff8020e730 x23/s7 ffff8f8002e27980 x24/s8 dfffffff00000000 x25/s9 0000000000007fff x26/s10 ffffffff8634b694 x27/s11 0000000000000000 x28/t3 4814524e00000000 x29/t4 fffffffef11fd788 x30/t5 fffffffef11fd789 x31/t6 0000000000000002 fcsr 0000000000000000 f0/ft0 0000000000000000 f1/ft1 0000000000000000 f2/ft2 0000000000000000 f3/ft3 0000000000000000 f4/ft4 0000000000000000 f5/ft5 0000000000000000 f6/ft6 0000000000000000 f7/ft7 0000000000000000 f8/fs0 0000000000000000 f9/fs1 0000000000000000 f10/fa0 0000000000000000 f11/fa1 0000000000000000 f12/fa2 0000000000000000 f13/fa3 0000000000000000 f14/fa4 0000000000000000 f15/fa5 0000000000000000 f16/fa6 0000000000000000 f17/fa7 0000000000000000 f18/fs2 0000000000000000 f19/fs3 0000000000000000 f20/fs4 0000000000000000 f21/fs5 0000000000000000 f22/fs6 0000000000000000 f23/fs7 0000000000000000 f24/fs8 0000000000000000 f25/fs9 0000000000000000 f26/fs10 0000000000000000 f27/fs11 0000000000000000 f28/ft8 0000000000000000 f29/ft9 0000000000000000 f30/ft10 0000000000000000 f31/ft11 0000000000000000