# Fuzzer-generated syzkaller program captured together with the kernel console log
# that follows it. Only the /dev/comedi3 open and the COMEDI_DEVCONFIG ioctl below
# correspond to frames in the logged call trace (comedi_unlocked_ioctl ->
# comedi_device_attach -> pcl726_attach); the other calls do not appear in the trace.
# The kernel panic at the end of the log is a consequence of panic_on_warn being
# set: the UBSAN shift-out-of-bounds report itself is a warning.
program: r0 = syz_open_dev$vim2m(&(0x7f0000000000), 0x7, 0x2)
ioctl$vim2m_VIDIOC_S_FMT(r0, 0xc0d05605, &(0x7f00000000c0)={0x1, @pix_mp={0x0, 0x7fffffff, 0x50565559, 0x7, 0x8, [{0x1000000, 0x40}, {0x8, 0x8}, {0xf, 0xa0}, {0x0, 0xfffffff0}, {0x9, 0x3}, {0x7fffffff, 0x8}, {0x5, 0x4007}, {0x7, 0x10001}], 0x6, 0x78, 0x2, 0x2, 0x6}})
# The ext4 image mount and the read-only remount below line up with the
# "EXT4-fs (loop0)" messages logged just before the UBSAN report.
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f00000000c0)='./file0\x00', 0x0, &(0x7f0000000100), 0x2, 0x500, &(0x7f0000000500)="$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")
mount(&(0x7f0000000080)=@filename='./file0\x00', &(0x7f00000000c0)='./file0\x00', 0x0, 0x23010, 0x0)
mount$tmpfs(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x2000031, 0x0)
r1 = syz_open_dev$dri(&(0x7f0000000340), 0x2, 0xc8d03)
ioctl$DRM_IOCTL_SYNCOBJ_TIMELINE_WAIT(r1, 0xc03064ca, &(0x7f00000000c0)={0x0, 0x0, 0xfffffffffffeffff, 0x0, 0x9})
quotactl$Q_SETINFO(0xffffffff80000601, &(0x7f0000000000)=@loop={'/dev/loop', 0x0}, 0x0, &(0x7f0000000080)={0x0, 0x0, 0x1, 0x4})
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r3 = openat$binder_debug(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/debug/binder/state\x00', 0x0, 0x0)
pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4080)
# NOTE(review): r4 is never assigned in the visible program text; the pipe2$9p
# call above does not bind its two descriptors to result names.
write$P9_RUNLINKAT(r4, &(0x7f00000001c0)={0x7, 0x4d, 0x1}, 0x7)
# Opens the comedi device node; r5 is the descriptor the attach ioctl is issued on.
r5 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi3\x00', 0x2000, 0x0)
# Crash trigger: asks comedi to attach the legacy 'pcl726' driver with a
# caller-supplied options array. options[1] is 0x81 (129), the same value as the
# "shift exponent 129 is too large for 32-bit type 'int'" that UBSAN reports at
# drivers/comedi/drivers/pcl726.c:331:46 inside pcl726_attach. The driver
# presumably uses that option unchecked as the count of a 32-bit shift (the source
# line is not shown here; confirm against the driver). The defensive fix is to
# range-check the option before it is used as a shift count.
# The logged RSI (0x40946400) matches this ioctl's command value.
# The log shows the caller as UID 0; mainline comedi restricts COMEDI_DEVCONFIG to
# CAP_SYS_ADMIN, so this is a privileged path. Confirm for the kernel under test.
ioctl$COMEDI_DEVCONFIG(r5, 0x40946400, &(0x7f0000000200)={'pcl726\x00', [0x4f0, 0x81, 0x2, 0x6, 0x6, 0x1ff, 0x0, 0x9, 0xd7, 0x7, 0x3, 0x8, 0xfffffffe, 0xf408, 0x3, 0x0, 0xa, 0x5, 0x4, 0x5, 0x79b, 0x35, 0x9, 0xa7b1, 0x0, 0x9, 0x7, 0xf7f, 0x4d, 0x9, 0x7]})
# The next two ioctls are issued on r3 (the binder debugfs descriptor), not on the
# comedi descriptor r5.
ioctl$COMEDI_SUBDINFO(r3, 0x80486402, &(0x7f00000002c0))
ioctl$NS_GET_OWNER_UID(r3, 0xb704, &(0x7f0000000200))
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x2, &(0x7f0000000000)=[{0x14}, {0x6, 0x0, 0x0, 0x7ffffcb9}]})
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) 
ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cc, 0x0) [ 85.667638][ T5324] Bluetooth: hci0: command tx timeout [ 85.740014][ T5347] loop0: detected capacity change from 0 to 512 [ 85.791503][ T5347] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000d40000 r/w without journal. Quota mode: writeback. [ 85.805811][ T5347] ext4 filesystem being mounted at /0/file0 supports timestamps until 2038-01-19 (0x7fffffff) [ 85.817812][ T5347] EXT4-fs (loop0): re-mounted 00000000-0000-0000-0000-000000d40000 ro. [ 85.827581][ T5347] ------------[ cut here ]------------ [ 85.832038][ T5347] UBSAN: shift-out-of-bounds in drivers/comedi/drivers/pcl726.c:331:46 [ 85.835559][ T5347] shift exponent 129 is too large for 32-bit type 'int' [ 85.838915][ T5347] CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller-00348-g772b78c2abd8 #0 PREEMPT(full) [ 85.838934][ T5347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.838943][ T5347] Call Trace: [ 85.838948][ T5347] [ 85.838953][ T5347] dump_stack_lvl+0x189/0x250 [ 85.839045][ T5347] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.839061][ T5347] ? __pfx__printk+0x10/0x10 [ 85.839088][ T5347] ubsan_epilogue+0xa/0x40 [ 85.839113][ T5347] __ubsan_handle_shift_out_of_bounds+0x386/0x410 [ 85.839166][ T5347] ? __kmalloc_noprof+0x29b/0x4f0 [ 85.839188][ T5347] pcl726_attach+0xac4/0xd50 [ 85.839244][ T5347] comedi_device_attach+0x520/0x670 [ 85.839263][ T5347] comedi_unlocked_ioctl+0x686/0xf40 [ 85.839286][ T5347] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 85.839322][ T5347] ? __lock_acquire+0xab9/0xd20 [ 85.839347][ T5347] ? __fget_files+0x2a/0x420 [ 85.839364][ T5347] ? __fget_files+0x2a/0x420 [ 85.839379][ T5347] ? __fget_files+0x3a0/0x420 [ 85.839393][ T5347] ? __fget_files+0x2a/0x420 [ 85.839409][ T5347] ? bpf_lsm_file_ioctl+0x9/0x20 [ 85.839421][ T5347] ? 
__pfx_comedi_unlocked_ioctl+0x10/0x10 [ 85.839436][ T5347] __se_sys_ioctl+0xf9/0x170 [ 85.839450][ T5347] do_syscall_64+0xfa/0x3b0 [ 85.839493][ T5347] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.839513][ T5347] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.839526][ T5347] ? clear_bhb_loop+0x60/0xb0 [ 85.839541][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.839554][ T5347] RIP: 0033:0x7fcf0958e929 [ 85.839566][ T5347] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.839575][ T5347] RSP: 002b:00007fcf0a3cb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 85.839589][ T5347] RAX: ffffffffffffffda RBX: 00007fcf097b5fa0 RCX: 00007fcf0958e929 [ 85.839597][ T5347] RDX: 0000200000000200 RSI: 0000000040946400 RDI: 000000000000000a [ 85.839605][ T5347] RBP: 00007fcf09610b39 R08: 0000000000000000 R09: 0000000000000000 [ 85.839613][ T5347] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.839622][ T5347] R13: 0000000000000000 R14: 00007fcf097b5fa0 R15: 00007ffe6b4055c8 [ 85.839642][ T5347] [ 85.839647][ T5347] ---[ end trace ]--- [ 85.963569][ T5347] Kernel panic - not syncing: UBSAN: panic_on_warn set ... [ 85.967032][ T5347] CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller-00348-g772b78c2abd8 #0 PREEMPT(full) [ 85.972212][ T5347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.977209][ T5347] Call Trace: [ 85.978923][ T5347] [ 85.980426][ T5347] dump_stack_lvl+0x99/0x250 [ 85.982629][ T5347] ? __asan_memcpy+0x40/0x70 [ 85.984743][ T5347] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.986989][ T5347] ? __pfx__printk+0x10/0x10 [ 85.988995][ T5347] panic+0x2db/0x790 [ 85.990668][ T5347] ? __pfx_panic+0x10/0x10 [ 85.992547][ T5347] ? _printk+0xcf/0x120 [ 85.994307][ T5347] ? 
__pfx__printk+0x10/0x10 [ 85.996388][ T5347] check_panic_on_warn+0x89/0xb0 [ 85.998715][ T5347] __ubsan_handle_shift_out_of_bounds+0x386/0x410 [ 86.001596][ T5347] ? __kmalloc_noprof+0x29b/0x4f0 [ 86.003859][ T5347] pcl726_attach+0xac4/0xd50 [ 86.005912][ T5347] comedi_device_attach+0x520/0x670 [ 86.008206][ T5347] comedi_unlocked_ioctl+0x686/0xf40 [ 86.010644][ T5347] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 86.013267][ T5347] ? __lock_acquire+0xab9/0xd20 [ 86.015446][ T5347] ? __fget_files+0x2a/0x420 [ 86.017467][ T5347] ? __fget_files+0x2a/0x420 [ 86.019559][ T5347] ? __fget_files+0x3a0/0x420 [ 86.021451][ T5347] ? __fget_files+0x2a/0x420 [ 86.023358][ T5347] ? bpf_lsm_file_ioctl+0x9/0x20 [ 86.025428][ T5347] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 86.027935][ T5347] __se_sys_ioctl+0xf9/0x170 [ 86.030157][ T5347] do_syscall_64+0xfa/0x3b0 [ 86.032093][ T5347] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.034378][ T5347] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.036926][ T5347] ? clear_bhb_loop+0x60/0xb0 [ 86.039515][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.042561][ T5347] RIP: 0033:0x7fcf0958e929 [ 86.044608][ T5347] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.052826][ T5347] RSP: 002b:00007fcf0a3cb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 86.056593][ T5347] RAX: ffffffffffffffda RBX: 00007fcf097b5fa0 RCX: 00007fcf0958e929 [ 86.060606][ T5347] RDX: 0000200000000200 RSI: 0000000040946400 RDI: 000000000000000a [ 86.064117][ T5347] RBP: 00007fcf09610b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.068125][ T5347] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.072002][ T5347] R13: 0000000000000000 R14: 00007fcf097b5fa0 R15: 00007ffe6b4055c8 [ 86.075416][ T5347] [ 86.077100][ T5347] Kernel Offset: disabled [ 86.078986][ T5347] Rebooting in 86400 seconds..