last executing test programs:

259.370556ms ago: executing program 2 (id=3):
r0 = open(&(0x7f0000000000)='.\x00', 0x0, 0x0)
r1 = open(&(0x7f0000000000)='.\x00', 0x0, 0x0)
r2 = inotify_init()
inotify_add_watch(r2, &(0x7f0000000000)='.\x00', 0x1400037e)
mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x10)
open(&(0x7f00000000c0)='./file0\x00', 0x40000, 0x80)
mkdirat(r1, &(0x7f0000000200)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x0)
renameat2(r1, &(0x7f0000000100)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', r0, &(0x7f0000000180)='./file1\x00', 0x4)
renameat2(r1, &(0x7f0000000300)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', r1, &(0x7f00000003c0)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x0)
syz_clone3(&(0x7f0000000080)={0x11, 0x0, 0x0, 0x0, {0x11}, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0}}, 0x58)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100})
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000001c0), 0x0, 0x0)
ioctl$TCXONC(r4, 0x40045436, 0x3)
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r3, 0x0)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140), 0x0, 0x0, 0x0})

221.744386ms ago: executing program 2 (id=5):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder1\x00', 0x0, 0x0)
mmap$binder(&(0x7f00000c0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
mmap$binder(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x1, 0x11, r0, 0x0)
r1 = socket$unix(0x1, 0x5, 0x0)
r2 = socket$can_bcm(0x1d, 0x2, 0x2)
ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f0000000100)={'vcan0\x00', <r3=>0x0})
connect$can_bcm(r2, &(0x7f00000000c0)={0x1d, r3}, 0x10)
sendmsg$can_bcm(r2, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000580)=ANY=[@ANYBLOB="0100000003ece1e40ad8871461ab0800", @ANYRES64=0x0, @ANYRES64=0x0, @ANYRES64=0x0, @ANYRES64=r1, @ANYBLOB="3bf81bb9f9"], 0x20000600}}, 0x0)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)
r5 = userfaultfd(0x801)
setsockopt$XDP_UMEM_COMPLETION_RING(r4, 0x11b, 0x6, &(0x7f0000000000)=0x200a6, 0x4)
ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000140)={0xaa, 0x298})
mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x1000009, 0x32, 0xffffffffffffffff, 0x3000)
ioctl$UFFDIO_WAKE(r5, 0x8010aa02, &(0x7f00000000c0)={&(0x7f0000320000/0x3000)=nil, 0x3000})
sendmsg$can_bcm(r2, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000580)=ANY=[], 0x4640}, 0x2, 0x0, 0x0, 0x4004}, 0x48084)
syz_clone(0x0, &(0x7f0000000180)="03f5f098cad7ee43e4547fdff0d503b3d853a2dccddd46f1f7f34954a71b105f954851a95f1ec48ba3acd4efb42518ab00a690946804231fddc031abf4bf", 0x3e, &(0x7f00000001c0), &(0x7f0000000240), &(0x7f0000000280))
mmap(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x3, 0x8032, 0xffffffffffffffff, 0x0)

221.162396ms ago: executing program 3 (id=4):
fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) (async)
r0 = fsmount(0xffffffffffffffff, 0x0, 0x3) (async)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
pipe(&(0x7f0000000300)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff}) (async)
r4 = socket$inet6_tcp(0xa, 0x1, 0x0) (async)
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000001080)=""/4096, &(0x7f0000000180)=""/6, &(0x7f0000000240)=""/21, 0xddcdd004})
setsockopt$inet6_tcp_int(r4, 0x6, 0x2, &(0x7f0000000200)=0xc5, 0x4) (async)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000100)={'lo\x00', <r5=>0x0})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async)
r6 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r6, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)={0x1c, 0x1, 0x4, 0x201, 0x0, 0x0, {0xc03b43635c88f564, 0x0, 0x8}, [@NFULA_CFG_CMD={0x5, 0x1, 0x4}]}, 0x1c}, 0x1, 0x0, 0x0, 0x24000010}, 0x4040040) (async)
bind$inet6(r4, &(0x7f0000000000)={0xa, 0x8000002}, 0x1c) (async)
mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup/syz1\x00', 0x1ff) (async)
r7 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
mkdirat$cgroup(r7, &(0x7f0000000080)='syz0\x00', 0x1ff)
r8 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000001480)='./cgroup/syz1\x00', 0x200002, 0x0)
mkdirat$cgroup(r8, &(0x7f0000000240)='syz1\x00', 0x1ff)
r9 = openat$cgroup_ro(r8, &(0x7f0000000040)='cgroup.freeze\x00', 0x275a, 0x0)
write$cgroup_int(r9, &(0x7f0000000200)=0x1, 0x12)
sendto$inet6(r4, 0x0, 0x0, 0x22004001, &(0x7f0000b63fe4)={0xa, 0x2, 0x0, @loopback}, 0x1c) (async)
sendto$inet6(r2, &(0x7f00000006c0)="44f9b108b1cdc885c9c533d21f474bec8b8827dc442da71e578d13a8eef9f7ab15378571d8e27546090000006e754308d11137c11903065c3feb7a5ee82c43c3d4eb204e83b421934d432a5404970c85d92d7083fd38844cbb0c6c5eb508ddc2dc7a5907a794ff0000005a688138dea09b776cbfa784cbf55070f89c34ab3074fb0d775da4df5a3f48bbdf45000000020000ec9e77da65725b80f76a873664db6bb5753444fe05f33e5f910455ff836c3cd6a44a880f018f0c6f57f95088fbe0c87fbe6cbcb94662d2a12f6d000000000000000000003a53189e4854e673638110510bba810e48b3c5d35b722c88d0b8d4f3bbda618005594385ea95f881538ad592b4f100a70d08672b4cf186daa5c490fe197d418ebc106f62782568e526826ce407134f807fa87642598210d67db0cd07feba5bad14adef2113482b1ab2f6379b867f78fac0dc57275bab81e700671dcf672d7148219db1970a55e60f1db0511c5371380b15842b7c514046e05cc89ed9ca86ce3a5a3d5e564417bd8bed48f5446c6270944041b1a0ffda9e3f254892c1f79567a7cccb2dea9aaeee63aeff5cac00000000000000861a9e351413f2709898860f963c85cf4aa940c5f0b513243db91a95a1324010ca860843ed9d699f462c92333714076a21c12632c2a1a12514ec10605a131ac2846be634dc05ccd48c2ef182131031e279002faad03ea75902d0bdb494b1f51cced7d9ebc775f442e8ce109a8be1f34965fce4999dc66042ac67dceb3ad2e7a951d5afacf59fe08a178a8afabea74d297ca83971a900fa087c8e12ca50f836784a759b5bd3fbe78d3155b6948078b04b14a4e98910bd3b028792ba452a2d4b2d2a5b00dcceba8c9fd9002632b72417ffe9", 0x27a, 0x4008815, 0x0, 0x5) (async)
dup3(r1, 0xffffffffffffffff, 0x0) (async)
r10 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r10, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a})
mmap$binder(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x1, 0x11, r0, 0x8001) (async)
ioctl$sock_inet6_SIOCDELRT(r6, 0x890c, &(0x7f0000000340)={@private0={0xfc, 0x0, '\x00', 0x1}, @mcast2, @empty, 0x7fffffff, 0x2, 0x1, 0x0, 0x9ee4, 0x100010, r5}) (async)
write$UHID_INPUT(r3, &(0x7f0000002080)={0x8, {"9a57eafe487d085bb8a8eaafeb9dc1a847a2a2d3070e3e98b649a3cd1ed2b39e175ccef43a74b557808d10970f6a78b0e1b8e4e7e3da01184389160730118614df1756a8944b4b78c7d91802b5f012084d90183e8abacc5e6e0a7f5d288ece4759854dd8fb4bceb2e4f29b2c51848de109cbf57a23dd8b51de18556ad0ea47efc55f388580d311838cac02d94cdc0afe06b55032c563a870388a17e48a6890a023685292c15fb7a316007ec34ccd803bf608a81bbb885bbf7188619c4d1be19d343a1fa6ec7d12650129800c0b10137393232942e7c903ac51606842e2abb566ea70540e2ddd45ef821fd62011ec892bc64c16cc92f11f1bd3632600b2b52ad3aca74b2c74f4893e82626fcae1a406b0ab94af1af02b3e40a050db32982152eda1852fd47a58beb93f7dc5176da320157f73db0bfea890524595a10ee11abe8c57b50e9ad0ae35540454a4b807ed17ca3a5365109a8e6c9dc3038ee33f387505c4995fc117222f05c4a5bc4ee0d91ca220f782956d02710cb95ebab0cbd2d4f3981a63a2a1a1f4dd873131e6372c1a507d8d7e3cc7f27b64e8dbd7e3270d3ba1064b015689a0b23033f4a683d70c613212f72b6ea666b76c0130f7851d93f6f720002ee8ab7be1ae51a8d52b32c47fea765a865f0ffe3575b4e31499f9c29b776c401b07261bc605828a6fa77006b220ccc84320926c0c52316e83144c8264da1620ae679a90982d06806f59e45cbcb0197fc3e7f492d7832024e8d9d57bb7664d454d553a95211f9fd94e7079bd3bfce9604f7efe4acb7d10d5db5a987b562c3806a07cac44df86f47da7da67c16fce65450a59cfc95f35dbb6e226d4b313b1212551ae8ea2e92546adb27a8000e1bda8666d67cf56bbe64f6772db20937733ffefecbd0a2259f199caf6c91b4482b5ab7c02467ca2ba38669e3862f8bd41f967d3351387126a423e01de8cd43a1588321f8a8c1056fe203ab351ce12a654bab85fcf27ba75199c5e9c5d4909ab75ffc3167a51c636cdc0c6a712a5167ab34449aedf06322182c222b7bd617604c0a22dbc72e06bce8cff8f996efa0f01a7d6891e5a0480490f2252b032cfe2cdbe5be3be3b6aeff64f0ab6671cbc75c6faf0ea3826af6506f7d9ada130f4e9e8ef4a8a7688351e3d42727f071b301c2e23266d3e6f7c5c443a4e9de7f6ec4621a71d784ed3336ecb60b2ea1a7d598f91951c75b1727e4e5908e2984b81c4cbda63bf46d14042d9cde3897521df4a9bd2ed8242d73ae7bf8e0ffa64147fe07e41a9f6a7dbfbeb659b749e873bd8d8e3d9d1d96bba17d2f5b2f6be8c0a56404f0f877c4dcde4d0a1f4b02e45cde41ec54a3fd92191e1a1af405bc3c6f70231a72e4975b23af53d292b82d2fa184d281bde9e0d1a26b81bf2ba1455f1f88e49d230ca31d1c7eba7f8ad856b9efa9ae46eb1a5c7ee2f13fc811dffc0f3361d46077134b9cdb58d016b38b5105349365063d8c4de5b11a7e6e6d0a5a1b28b934f80f4b0704a709836ae9a7cacbcc23a2ab685605c8ba57daf50e543c4fdeeae8c37cf4ff0eeb15f02e869966bbd20fb436fabfcbd3d27b66dc407f86632597462b64c42ae9b3998661126dd29068024573f8241b00594277bd7faec8262c4925908d7cfd7e3915639328a0b20d03f6f175cd56de1fd4857a72f4422691b2e15409a53a8361f7614e69c55e8d2756e312af462c1a9a19f7c72728a19f6dbf847651fa607e8408ef8b0f86a27aa2b39d222c51e6249649ff8ff5f831d1b9cf1e2686d9e94498a1c6d35bdadf27af32a5a8607132a320507db72ba63f0c36c7d876f1e8439d8e778bb2352803e3a74450430ed5b2cec199cdd487685d414adb09240fbd8d888f5d5626d1db3906c49c531a9c93438f91f2a77ca57305d9f637923b12e76288d19fd86e97edce4d35e6ce9be8ddea5d80f49b6e04cf88ce91cefefdd102e06e07c7992a5641411afce4f15e928b03c2ce7c2e8fd6d09ff8aca37750e402fcdcb268dc945b8196d6b897ef4ae872cfd3d16530eb37d6cd8a907c62cb63903f2e630d07cc6728ff70c849988a5d22f6f1ee791f4623fa537801df732fc055722087be2e1553f56148f17bb42e3380c294ac07b76b83e07658bbfaa1951636f1509245f8a5d9ad422a55775c9c6423e78ff04a2ef62e8b36c7e85496ba9968f8f77ffe9d87c676a923590519b4cb95e5d5b69c81a6a64ae4304317677ab5e37d1de270eda0673f958cf2dfbd9ae1e9ae6f3afadf0552731098264d70f03d994650ac10ad17078dd9bfb99fe5e9262d43e16bc2cfa07077d9dd8097cb3f02fc198728d9d4a22180209df33524053b6d50d62f2235f787509b6c43a629e96ddd821879d7ff89698eab5bc4c05612b93a08b5871a43c192afcdd6a5a380a2b7ed61cecee7555f71c14d795c902099c6136c1300de63e40cd6bf62a66f8fb3ef114dd0b5780f805891cce3d01414e727f4608279ca25db8502bd87753a9144bbb07e40ddc17b4a8434a2735cb2ec27526d15113517c06b9a2bd3e3ed36db66319ea75977518898cb8d085e2edb7745f0c573831167c5c4a0780616e2dd8b6baf3c1479eea627812d48b586e3d04983dcac180357e1f0e3a8a9115f5c10f63464cb2e471101ce2ad031aacfcacbe5d161603c66a129c7d8cd468a00878206d7d169cac258e78504d8845b7111d0daca04b5caeb20f6be5c1a7ed16b790c6923b2b8e5d023754907d2c0675ff8a6b0b68ca16d240b1144a50c7f589183570b690a2bb2ea555f88ebaf60fcf3cd743f6980a23af2c35a455a1f0a8fef485b9e019cb68163ea99f8ba355df1bc4797be124ef2e41c4cd3f7e660e88a79975764f8ea24c122fb465e716d2be9762f548589c77b945fa61ebca32151bf42ffbf8e4fc7919b782e4cd42794999c9c2d75c12889288085d296a7bc932ef50a3d91fb479b62e5fb313f8d19ba11c10782970bbeec71d0b0719611bb71a391718195755fcace0caa595087da90ead366c6b8ad5a585c4b2e813ff7fca616f9932461767f3a6a57bc654ea19e4f7669e3159136d27dc74f716eda8e2b4fbcb4ae98794b80ad71d3ad5c1e97259baffbd44b26974b1d612810caf27aab8ae3588dad6996fe5fc2f21944a8384c22d62f0231694021964e0d2ebd150ff963893e7d8b88a332659a3953dca80c66ea4f9873146c50c96efd8ca0961091701ac0ba455261812bffd10b5df44c6d61650c444f39fd6a1e32f2da483d4f17f1212b029f19a0074d67394a53370b6e2e646ecb1bd32059446323a49c568220e10e53fc42fbad39a049d709460dd216f04e5002d51e4289233bfbf55fb5570b122c77a9364223ebb76f6ab2be81ece095e02426fe247dccc7bcdfef31c219cc21f664deb0ad921edef90fa5c28009d8c379be75286eaba76734bded79242b035216558d4cb0a0fce61e82312e17966bbb740543a87ed20d183cc5852b8f5cf23fceacff57e5415b0c163ba84912992d5add25b31359834b085e8c39a3331c80f582ace6a6943841219b511066063229d88dbf0a505e5642a7f820855a5a8af416e5bbab017f7d90138254cda025df2864308220a2ec13280dcd6cf5167f38e179d0bdadc7a645567439f5dd3fa7b62ac7622e1ec003491987ff922c0dad8c658d38f44e13777121f5faf4979f364f4c563f000043eab9cf78a33de3562a05b887e8d8d9aa2c734b63480d2ee0a613d8683e15edc89ad7adb322f3ba68cd3e8001f7af6716adb2bd846958580d7ea64150bb9300fc266eca98078995785927b66be27eb8a2ba69e342da2aa92ea8a144bd63d75d0fe3bc5fe957ef32b2b42941ed5f1586c54de431c7e6396fde7c1727832a9203c60092abb358616a29891a95d371d6c8d774c0027562b6489ee1e4aac06bfc8ffc37db1abee8dac28f40945d7985325d92c9a9e6f029cbddd168e1a08fc6e19ff62816c8ad74aa7598a2a08aa347991fce0c730177d0cf7649ceb78504400fcfdf30f666fcb247148a54a7bf8e40a09baa48a68b7f2238f608b5b9f34fccc177627fd83a90e387952dafc7cf6726f94562b56bd5bf49be9bd79297671d942d28139796917e6622455c2fbe15099340a50778921504ec6d56f1643b6cf470b2cb4a3706f720b81de4ae9faf975fb4b7d5fca9501f047f10cf934a702804cbf543c6f5438d2f4ecf7a6e85a3c371350d1daf33df73cf541aadb49f94cf32017603bb330abbeea7c57b31e848492df7f942b1581f7194c30e23fa3351ee1f81f6ff27732c274723502f6cb9e536c115f939409d34b129312a08ea15bc4fd17ec8eadc74c6c213b5aef76d3e6b117f3cc63975378322dee92cf39831dffb67d8faac6951478b60040a72b9564fad17b126a664177218024dd2bd1abc7e803d4d4af0fa008b5e73afa7934093a9c0d90b77d2f6e00febcce5b127cb0cd82c0ff9579c2185dd79a31c4ec50b10740147db31f4ce58fe0adb743351fd125a757727a200a840822a14a7187b047dd9b895f8ced632bb58fcf2154fad2afdec05d65fc50bb0b668d8b2425266e999030810dd95af604a40b6d52c6db010826e1c018712d5a876d18296c31e836af32fa6b6d1688cb16df08f2546ffd2e9e839a904b0f8f5791022b7791e58768d11f9bdd08e4aa9b991667f0161dc8ed81e0ea2aaa872f91d0cfd2e190873dcbd1367999ee7059e28c0a68ea84d158d737465fe4c11408c3a07d3468b4043567cb2c7b37d4e91d2212953ccfe264ca9549e010019044122ee3f2220f0dd10520daf19e8157faaedba93e77b883f7d890c22343987ba9b6dfb1da8ad60776b49da6b978b73990915a8a497554a72928883b295884157ab1125b4cfeacd1288bda6a4c1e8c617c35c595edc015c4d9d2130be711985676021460af5f9d079ba7d5ce2cd432ccf9527b12c9c281270de39f98100109c4df5a936f6dbcf1cf771c9efde9767bf422c1a4e4a9be67f041a0ff796502417799ca2c3b8651137332bae62997f895dbc96f59ed93f372689edfbb10d4a0e79d5d211aefd1e85bdc0ec4b148bd17fd7b7b6122cfc70bc7233b6386c51e2999b14fab0d1337c95367db85765bbbd83e63553f1e45979680989643d89cea0e735643dc9455d509af04e55b96349d4c226023d81c022f04b522ad5fa77b9feeb66ee5a775281560b212736eac76743a3765df410958e3087868d6af37bba56ff547e456276e02ff76954f54bdec36fad49780e0f2897dcc2289fdf937a15250f360118bd5cd4ad4fa0f3d0edb4ea8f4a250d3a570155f6b2df91a1758a251edd3c745bb6ad9e964f446135d94a7d8257fbde32c4022501a73340596edc3a540e9f6142d46ac064a08d878f1e8dc15ef61cd64fcf6e2ca5572686d0569c4e9f45e912b847ac07a1f17988f0d794c4056adc0f75425befb3e3b22b710ccd7297d2f6fa9d5e990e7f178f80c7112b9c08a96b03a1bc1ec1b291dc2640a23faf54c234ef2add120710f28661fff15f837c7165700df75aabcc51fcdcdd2dc761ec8f7aa90b5a9ecd410953c5f7931ddf439dd26c7c833809100e5846a4aa6f2d658fb4b6da3e2878c4bbc7d9e3d7b6436dd43df640769bcabd1e2db5fe59e9efd388a18a9aec4e5ac8ddaf48f1dd42940d3a7ed0eed3413450258f2e8cdd1fe9140704b07b3564b9f3572a4aeb8bd111a09276459a046b34f3d0c1d6e9b99be005c3afa6ef6888c21fcec9bc0df003ae231a2652bdac2336d1b0ee2aa8cfdcfedae45d7d0795da541685d0d1042d495", 0x1000}}, 0x1006)

215.005997ms ago: executing program 1 (id=2):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000080)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_MAX_THREADS(r0, 0x40046205, &(0x7f0000000140)=0x2)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000240)={0x4, 0x0, &(0x7f00000001c0)=[@enter_looper], 0x51, 0x0, &(0x7f0000000580)="de547e22bade76f1a03b79e954ee20bc43f7fe47218a02ff8ba942478a7b69462fc21aff55002ce55e854564e7d309f20d222f9220c8d9b1b0d196137252587ab17948adf2dcbba03d2f3e0e647c2e70b7"})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x1)
r4 = socket$nl_audit(0x10, 0x3, 0x9)
sendmsg$AUDIT_USER_TTY(r4, &(0x7f0000007c40)={0x0, 0x0, &(0x7f0000007c00)={&(0x7f0000007b00)={0x10, 0x464, 0x400, 0x70bd25, 0x25dfdbfb}, 0x10}, 0x1, 0x0, 0x0, 0x20004000}, 0x10)
mmap$KVM_VCPU(&(0x7f0000000000/0xa000)=nil, 0x930, 0x1000001, 0x11, r3, 0x0)
syz_clone3(&(0x7f0000000280)={0x243012400, 0x0, 0x0, 0x0, {0x13}, 0x0, 0x0, 0x0, 0x0}, 0x58)

171.847527ms ago: executing program 0 (id=1):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0xa00, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x22052, r1, 0x2000)
r2 = syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3)
ioctl$FS_IOC_GETFLAGS(r2, 0x800452d2, 0x0)
r3 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$ARPT_SO_SET_REPLACE(r3, 0x0, 0x60, &(0x7f0000000600)={'filter\x00', 0x7, 0x4, 0x408, 0x0, 0x210, 0x0, 0x320, 0x320, 0x320, 0x8000000, 0x0, {[{{@uncond, 0xc0, 0x100}, @unspec=@ERROR={0x40, 'ERROR\x00', 0x0, "39db3a550f0420921586a79ec5b64093e6072fc889bea60bdd24beacd802"}}, {{@uncond, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@empty, @mac=@random="d6c0105d02ce", @loopback, @empty, 0x8, 0x1}}}, {{@arp={@loopback, @rand_addr=0x64010100, 0xff000000, 0x0, 0x5, 0xd, {@mac, {[0xff, 0xff, 0xff, 0xff, 0xff]}}, {@empty, {[0x0, 0xff, 0xff, 0xff, 0xff, 0xff]}}, 0x5, 0x5, 0x0, 0x6, 0x40, 0x12, 'veth1_to_bridge\x00', 'ip6_vti0\x00', {0xff}, {0xff}, 0x0, 0x40}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac=@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0xe}, @empty, @broadcast, @rand_addr=0x64010100, 0x8, 0x1}}}], {{'\x00', 0xc0, 0xe8}, {0x28}}}}, 0x458)
msync(&(0x7f0000640000/0xd000)=nil, 0xd000, 0x3)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000200)={0x73622a85, 0x1081, 0x200000000000})
mmap$binder(&(0x7f0000c00000/0x400000)=nil, 0x400000, 0x1, 0x11, r0, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r5 = syz_init_net_socket$bt_rfcomm(0x1f, 0x3, 0x3)
setsockopt$bt_rfcomm_RFCOMM_LM(r5, 0x12, 0x3, &(0x7f0000000000)=0xd, 0x4)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000100)={0x4c, 0x0, &(0x7f0000000500)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2d, 0x20, 0x0, 0x0}, 0x10}], 0x0, 0x0, 0x0})

93.893768ms ago: executing program 1 (id=6):
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
r0 = open_tree(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x89901)
move_mount(r0, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0)
chroot(&(0x7f0000000300)='./file0/../file0/../file0/../file0\x00')
mount$incfs(&(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000040), 0x2, 0x0)
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
r1 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
close(0xffffffffffffffff)
ioctl$FS_IOC_REMOVE_ENCRYPTION_KEY(0xffffffffffffffff, 0xc0406618, 0x0)
move_mount(r1, &(0x7f0000000140)='.\x00', 0xffffffffffffff9c, 0x0, 0x0)
pivot_root(&(0x7f0000000240)='./file0\x00', &(0x7f00000000c0)='./file0/../file0/../file0/../file0/../file0\x00')

92.774019ms ago: executing program 1 (id=7):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) (async)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0) (async)
r2 = inotify_init()
inotify_add_watch(r2, &(0x7f0000000000)='.\x00', 0x400017e)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
socket$xdp(0x2c, 0x3, 0x0) (async)
socket$xdp(0x2c, 0x3, 0x0)
unlink(&(0x7f0000000280)='./file1\x00') (async)
close_range(r1, 0xffffffffffffffff, 0x0) (async)
madvise(&(0x7f0000c00000/0x400000)=nil, 0x400000, 0xe) (async)
r4 = gettid()
ioctl$KVM_SET_VCPU_EVENTS(0xffffffffffffffff, 0x4040aea0, 0x0) (async)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r4}, &(0x7f0000bbdffc)) (async)
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) (async)
r5 = userfaultfd(0x801)
ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f00000000c0)) (async)
ioctl$UFFDIO_REGISTER(r5, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x3}) (async)
r6 = syz_io_uring_setup(0x50cf, &(0x7f0000000000)={0x0, 0xfffffffc, 0x40000, 0x5, 0x333}, &(0x7f0000000080), &(0x7f0000ff4000))
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0xa4, 0x0, &(0x7f0000000380)=[@dead_binder_done, @clear_death={0x400c630f, 0x3}, @reply={0x40406301, {0x1, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x60, 0x18, &(0x7f00000002c0)={@fda={0x66646185, 0x7, 0x0, 0x27}, @ptr={0x70742a85, 0x1, &(0x7f0000000240)=""/48, 0x30, 0x1, 0x40}, @flat=@weak_binder={0x77622a85, 0xb, 0x1}}, &(0x7f0000000340)={0x0, 0x20, 0x48}}}, @transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x21, 0x0, 0x0, 0x50, 0x18, &(0x7f00000001c0)={@fd, @fda={0x66646185, 0xa, 0x1, 0x1d}, @fd={0x66642a85, 0x0, r6}}, &(0x7f00000020c0)={0x0, 0x18, 0x38}}}], 0x0, 0x0, 0x0})
r7 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x0, 0x0)
r8 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r9 = syz_genetlink_get_family_id$wireguard(&(0x7f0000000600), 0xffffffffffffffff)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffefffff6, 0x20031, 0xffffffffffffffff, 0x0) (async)
r10 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r10, 0xc018aa3f, &(0x7f0000000000)) (async)
ioctl$UFFDIO_REGISTER(r10, 0xc020aa00, &(0x7f0000000140)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x4}) (async)
ioctl$UFFDIO_COPY(r10, 0xc028aa03, &(0x7f0000000080)={&(0x7f00006c6000/0x400000)=nil, &(0x7f000018b000/0x3000)=nil, 0x400000, 0x0, 0x18100}) (async)
sendmsg$WG_CMD_SET_DEVICE(r8, &(0x7f0000001000)={0x0, 0x0, &(0x7f0000000fc0)={&(0x7f0000000000)=ANY=[@ANYBLOB="ec000000", @ANYRES16=r9, @ANYBLOB="01000000000000000000010000000800050001000000140002007767310000000000000000000000000024000300a0cb879a47f5bc644c0e693fa6d031c74a1553b6e901b9ff2f518c78042fb5420800050000000000900008808c00008024000100975c9d81c983c8209ee781254b899f8ed925ae9f0923c23c62f53c57cdbf691c640009801c"], 0xec}, 0x1, 0x0, 0x0, 0x4084}, 0x24000010) (async)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000140)=0x4) (async)
lseek(r7, 0x3, 0x0)

0s ago: executing program 3 (id=8):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100})
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0x18, 0x0, &(0x7f0000000180)=[@decrefs, @clear_death], 0x0, 0x0, 0x0})

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.10.38' (ED25519) to the list of known hosts.
[   25.765126][   T36] audit: type=1400 audit(1750621005.180:64): avc:  denied  { mounton } for  pid=281 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   25.767236][  T281] cgroup: Unknown subsys name 'net'
[   25.787792][   T36] audit: type=1400 audit(1750621005.180:65): avc:  denied  { mount } for  pid=281 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   25.815305][   T36] audit: type=1400 audit(1750621005.210:66): avc:  denied  { unmount } for  pid=281 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   25.815541][  T281] cgroup: Unknown subsys name 'devices'
[   26.015432][  T281] cgroup: Unknown subsys name 'hugetlb'
[   26.021358][  T281] cgroup: Unknown subsys name 'rlimit'
[   26.157080][   T36] audit: type=1400 audit(1750621005.570:67): avc:  denied  { setattr } for  pid=281 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   26.180390][   T36] audit: type=1400 audit(1750621005.570:68): avc:  denied  { mounton } for  pid=281 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[   26.205203][   T36] audit: type=1400 audit(1750621005.570:69): avc:  denied  { mount } for  pid=281 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[   26.216391][  T283] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[   26.237209][   T36] audit: type=1400 audit(1750621005.650:70): avc:  denied  { relabelto } for  pid=283 comm="mkswap" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   26.262698][   T36] audit: type=1400 audit(1750621005.650:71): avc:  denied  { write } for  pid=283 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   26.293479][   T36] audit: type=1400 audit(1750621005.710:72): avc:  denied  { read } for  pid=281 comm="syz-executor" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   26.294090][  T281] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   26.318991][   T36] audit: type=1400 audit(1750621005.710:73): avc:  denied  { open } for  pid=281 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   27.624729][  T288] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.631804][  T288] bridge0: port 1(bridge_slave_0) entered disabled state
[   27.639071][  T288] bridge_slave_0: entered allmulticast mode
[   27.645556][  T288] bridge_slave_0: entered promiscuous mode
[   27.652020][  T288] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.659223][  T288] bridge0: port 2(bridge_slave_1) entered disabled state
[   27.666371][  T288] bridge_slave_1: entered allmulticast mode
[   27.672596][  T288] bridge_slave_1: entered promiscuous mode
[   27.737982][  T291] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.745081][  T291] bridge0: port 1(bridge_slave_0) entered disabled state
[   27.752292][  T291] bridge_slave_0: entered allmulticast mode
[   27.758573][  T291] bridge_slave_0: entered promiscuous mode
[   27.774649][  T290] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.781702][  T290] bridge0: port 1(bridge_slave_0) entered disabled state
[   27.788856][  T290] bridge_slave_0: entered allmulticast mode
[   27.795137][  T290] bridge_slave_0: entered promiscuous mode
[   27.801280][  T291] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.808490][  T291] bridge0: port 2(bridge_slave_1) entered disabled state
[   27.815631][  T291] bridge_slave_1: entered allmulticast mode
[   27.821894][  T291] bridge_slave_1: entered promiscuous mode
[   27.831511][  T289] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.838584][  T289] bridge0: port 1(bridge_slave_0) entered disabled state
[   27.845684][  T289] bridge_slave_0: entered allmulticast mode
[   27.851966][  T289] bridge_slave_0: entered promiscuous mode
[   27.858192][  T290] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.865255][  T290] bridge0: port 2(bridge_slave_1) entered disabled state
[   27.872319][  T290] bridge_slave_1: entered allmulticast mode
[   27.878680][  T290] bridge_slave_1: entered promiscuous mode
[   27.891634][  T289] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.898751][  T289] bridge0: port 2(bridge_slave_1) entered disabled state
[   27.905862][  T289] bridge_slave_1: entered allmulticast mode
[   27.912077][  T289] bridge_slave_1: entered promiscuous mode
[   28.067476][  T288] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.074563][  T288] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.081856][  T288] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.088911][  T288] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.117970][  T291] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.125072][  T291] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.132364][  T291] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.139434][  T291] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.157924][  T289] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.165007][  T289] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.172255][  T289] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.179306][  T289] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.194628][  T290] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.201700][  T290] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.209116][  T290] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.216277][  T290] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.244923][   T46] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.252240][   T46] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.259926][   T46] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.267924][   T46] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.275220][   T46] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.282473][   T46] bridge0: port 1(bridge_slave_0) entered disabled state
[   28.289964][   T46] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.297247][   T46] bridge0: port 2(bridge_slave_1) entered disabled state
[   28.314864][   T46] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.321933][   T46] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.329700][   T46] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.336783][   T46] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.365824][   T46] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.372908][   T46] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.381136][   T46] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.388203][   T46] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.409810][   T13] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.416997][   T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.424930][   T13] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.431988][   T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.445125][   T46] bridge0: port 1(bridge_slave_0) entered blocking state
[   28.452226][   T46] bridge0: port 1(bridge_slave_0) entered forwarding state
[   28.464692][   T46] bridge0: port 2(bridge_slave_1) entered blocking state
[   28.471761][   T46] bridge0: port 2(bridge_slave_1) entered forwarding state
[   28.506116][  T288] veth0_vlan: entered promiscuous mode
[   28.516341][  T291] veth0_vlan: entered promiscuous mode
[   28.536994][  T289] veth0_vlan: entered promiscuous mode
[   28.550566][  T291] veth1_macvtap: entered promiscuous mode
[   28.565191][  T290] veth0_vlan: entered promiscuous mode
[   28.587639][  T288] veth1_macvtap: entered promiscuous mode
[   28.594835][  T290] veth1_macvtap: entered promiscuous mode
[   28.612556][  T289] veth1_macvtap: entered promiscuous mode
[   28.620091][  T291] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   28.700112][  T313] rust_binder: Read failure Err(EAGAIN) in pid:2
[   28.700851][  T313] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
[   28.863403][  T321] ------------[ cut here ]------------
[   28.868946][  T321] WARNING: CPU: 0 PID: 321 at fs/inode.c:340 drop_nlink+0xce/0x110
[   28.876981][  T321] Modules linked in:
[   28.880937][  T321] CPU: 0 UID: 0 PID: 321 Comm: syz.1.2 Not tainted 6.12.23-syzkaller-gd9fd901baa98 #0 f1acc3ef52b3e732a05c4f7a2560722db90bb473
[   28.894142][  T321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   28.904425][  T321] RIP: 0010:drop_nlink+0xce/0x110
[   28.909649][  T321] Code: 04 00 00 be 08 00 00 00 e8 7f 56 ee ff f0 48 ff 83 b8 04 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 e2 68 98 ff <0f> 0b eb 81 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 59 ff ff ff 4c
[   28.929443][  T321] RSP: 0018:ffffc9000b84f860 EFLAGS: 00010293
[   28.935619][  T321] RAX: ffffffff81ed146e RBX: ffff88812f751a78 RCX: ffff88810af9df00
[   28.943680][  T321] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   28.951676][  T321] RBP: ffffc9000b84f888 R08: 0000000000000003 R09: 0000000000000004
[   28.959805][  T321] R10: dffffc0000000000 R11: fffff52001709efc R12: dffffc0000000000
[   28.968031][  T321] R13: 1ffff11025eea358 R14: ffff88812f751ac0 R15: 0000000000000000
[   28.976270][  T321] FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[   28.985280][  T321] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   28.991894][  T321] CR2: 00007f41566e56c0 CR3: 000000010bf46000 CR4: 00000000003526b0
[   28.999970][  T321] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.008023][  T321] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.016306][  T321] Call Trace:
[   29.019632][  T321]  <TASK>
[   29.022578][  T321]  shmem_rmdir+0x5f/0x90
[   29.026887][  T321]  vfs_rmdir+0x3dd/0x560
[   29.031154][  T321]  incfs_kill_sb+0x109/0x230
[   29.035813][  T321]  deactivate_locked_super+0xd5/0x2a0
[   29.041215][  T321]  deactivate_super+0xb8/0xe0
[   29.045955][  T321]  cleanup_mnt+0x3f1/0x480
[   29.050414][  T321]  __cleanup_mnt+0x1d/0x40
[   29.055088][  T321]  task_work_run+0x1e0/0x250
[   29.059714][  T321]  ? __cfi_task_work_run+0x10/0x10
[   29.064892][  T321]  ? free_nsproxy+0x223/0x290
[   29.069741][  T321]  do_exit+0x9b4/0x2630
[   29.073950][  T321]  ? _raw_spin_unlock_irqrestore+0x4a/0x70
[   29.079801][  T321]  ? __cfi_do_exit+0x10/0x10
[   29.084482][  T321]  ? __kasan_check_read+0x15/0x20
[   29.089566][  T321]  ? do_nanosleep+0x44e/0x590
[   29.094290][  T321]  ? pte_offset_map_rw_nolock+0xba/0x110
[   29.099950][  T321]  ? __kasan_check_write+0x18/0x20
[   29.105133][  T321]  ? _raw_spin_lock_irq+0x8d/0x120
[   29.110286][  T321]  ? __cfi__raw_spin_lock_irq+0x10/0x10
[   29.115908][  T321]  do_group_exit+0x22a/0x300
[   29.120528][  T321]  ? __kasan_check_write+0x18/0x20
[   29.125716][  T321]  get_signal+0x139d/0x14f0
[   29.130257][  T321]  arch_do_signal_or_restart+0x96/0x720
[   29.136006][  T321]  ? common_nsleep+0x93/0xb0
[   29.140651][  T321]  ? __cfi_arch_do_signal_or_restart+0x10/0x10
[   29.146923][  T321]  ? __se_sys_clock_nanosleep+0x2fd/0x390
[   29.152689][  T321]  ? __kasan_check_read+0x15/0x20
[   29.157767][  T321]  ? fpregs_assert_state_consistent+0xb7/0xe0
[   29.163886][  T321]  syscall_exit_to_user_mode+0x58/0xb0
[   29.169375][  T321]  do_syscall_64+0x64/0xf0
[   29.173886][  T321]  ? clear_bhb_loop+0x35/0x90
[   29.178601][  T321]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   29.184560][  T321] RIP: 0033:0x7f15fbdc11e5
[   29.189013][  T321] Code: Unable to access opcode bytes at 0x7f15fbdc11bb.
[   29.196086][  T321] RSP: 002b:00007f15fcbf0ea0 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
[   29.204615][  T321] RAX: fffffffffffffdfc RBX: 0000000000000058 RCX: 00007f15fbdc11e5
[   29.212614][  T321] RDX: 00007f15fcbf0ee0 RSI: 0000000000000000 RDI: 0000000000000000
[   29.220729][  T321] RBP: 00007f15fbe10b39 R08: 0000000000000000 R09: 0000000000000058
[   29.228778][  T321] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[   29.236830][  T321] R13: 0000000000000000 R14: 00007f15fbfb5fa0 R15: 00007ffc3f02c8e8
[   29.244854][  T321]  </TASK>
[   29.247891][  T321] ---[ end trace 0000000000000000 ]---
[   29.343492][  T321] ==================================================================
[   29.351660][  T321] BUG: KASAN: null-ptr-deref in ihold+0x24/0x70
[   29.357947][  T321] Write of size 4 at addr 0000000000000168 by task syz.1.2/321
[   29.365526][  T321] 
[   29.367868][  T321] CPU: 1 UID: 0 PID: 321 Comm: syz.1.2 Tainted: G        W          6.12.23-syzkaller-gd9fd901baa98 #0 f1acc3ef52b3e732a05c4f7a2560722db90bb473
[   29.367904][  T321] Tainted: [W]=WARN
[   29.367912][  T321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   29.367925][  T321] Call Trace:
[   29.367932][  T321]  <TASK>
[   29.367940][  T321]  __dump_stack+0x21/0x30
[   29.367976][  T321]  dump_stack_lvl+0x10c/0x190
[   29.368001][  T321]  ? __cfi_dump_stack_lvl+0x10/0x10
[   29.368028][  T321]  print_report+0x3d/0x70
[   29.368047][  T321]  kasan_report+0x163/0x1a0
[   29.368077][  T321]  ? ihold+0x24/0x70
[   29.368107][  T321]  ? _raw_spin_unlock+0x45/0x60
[   29.368134][  T321]  ? ihold+0x24/0x70
[   29.368161][  T321]  kasan_check_range+0x299/0x2a0
[   29.368191][  T321]  __kasan_check_write+0x18/0x20
[   29.368214][  T321]  ihold+0x24/0x70
[   29.368241][  T321]  vfs_rmdir+0x26a/0x560
[   29.368261][  T321]  incfs_kill_sb+0x109/0x230
[   29.368283][  T321]  deactivate_locked_super+0xd5/0x2a0
[   29.368304][  T321]  deactivate_super+0xb8/0xe0
[   29.368323][  T321]  cleanup_mnt+0x3f1/0x480
[   29.368352][  T321]  __cleanup_mnt+0x1d/0x40
[   29.368379][  T321]  task_work_run+0x1e0/0x250
[   29.368399][  T321]  ? __cfi_task_work_run+0x10/0x10
[   29.368420][  T321]  ? free_nsproxy+0x223/0x290
[   29.368444][  T321]  do_exit+0x9b4/0x2630
[   29.368465][  T321]  ? _raw_spin_unlock_irqrestore+0x4a/0x70
[   29.368494][  T321]  ? __cfi_do_exit+0x10/0x10
[   29.368513][  T321]  ? __kasan_check_read+0x15/0x20
[   29.368535][  T321]  ? do_nanosleep+0x44e/0x590
[   29.368559][  T321]  ? pte_offset_map_rw_nolock+0xba/0x110
[   29.368584][  T321]  ? __kasan_check_write+0x18/0x20
[   29.368607][  T321]  ? _raw_spin_lock_irq+0x8d/0x120
[   29.368633][  T321]  ? __cfi__raw_spin_lock_irq+0x10/0x10
[   29.368660][  T321]  do_group_exit+0x22a/0x300
[   29.368680][  T321]  ? __kasan_check_write+0x18/0x20
[   29.368704][  T321]  get_signal+0x139d/0x14f0
[   29.368729][  T321]  arch_do_signal_or_restart+0x96/0x720
[   29.368756][  T321]  ? common_nsleep+0x93/0xb0
[   29.368781][  T321]  ? __cfi_arch_do_signal_or_restart+0x10/0x10
[   29.368809][  T321]  ? __se_sys_clock_nanosleep+0x2fd/0x390
[   29.368837][  T321]  ? __kasan_check_read+0x15/0x20
[   29.368860][  T321]  ? fpregs_assert_state_consistent+0xb7/0xe0
[   29.368882][  T321]  syscall_exit_to_user_mode+0x58/0xb0
[   29.368906][  T321]  do_syscall_64+0x64/0xf0
[   29.368933][  T321]  ? clear_bhb_loop+0x35/0x90
[   29.368964][  T321]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   29.369003][  T321] RIP: 0033:0x7f15fbdc11e5
[   29.369019][  T321] Code: Unable to access opcode bytes at 0x7f15fbdc11bb.
[   29.369030][  T321] RSP: 002b:00007f15fcbf0ea0 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
[   29.369052][  T321] RAX: fffffffffffffdfc RBX: 0000000000000058 RCX: 00007f15fbdc11e5
[   29.369067][  T321] RDX: 00007f15fcbf0ee0 RSI: 0000000000000000 RDI: 0000000000000000
[   29.369080][  T321] RBP: 00007f15fbe10b39 R08: 0000000000000000 R09: 0000000000000058
[   29.369093][  T321] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[   29.369106][  T321] R13: 0000000000000000 R14: 00007f15fbfb5fa0 R15: 00007ffc3f02c8e8
[   29.369123][  T321]  </TASK>
[   29.369130][  T321] ==================================================================
[   29.696889][  T321] Disabling lock debugging due to kernel taint
[   29.703228][  T321] BUG: kernel NULL pointer dereference, address: 0000000000000168
[   29.711066][  T321] #PF: supervisor write access in kernel mode
[   29.717198][  T321] #PF: error_code(0x0002) - not-present page
[   29.723195][  T321] PGD 0 P4D 0 
[   29.726595][  T321] Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI
[   29.732697][  T321] CPU: 0 UID: 0 PID: 321 Comm: syz.1.2 Tainted: G    B   W          6.12.23-syzkaller-gd9fd901baa98 #0 f1acc3ef52b3e732a05c4f7a2560722db90bb473
[   29.747406][  T321] Tainted: [B]=BAD_PAGE, [W]=WARN
[   29.752443][  T321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   29.762518][  T321] RIP: 0010:ihold+0x2a/0x70
[   29.767059][  T321] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 cd 5f 98 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 3c 4d ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 dd
[   29.786733][  T321] RSP: 0018:ffffc9000b84f8a0 EFLAGS: 00010246
[   29.792833][  T321] RAX: ffff88810af9df00 RBX: 0000000000000000 RCX: ffff88810af9df00
[   29.800829][  T321] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   29.808828][  T321] RBP: ffffc9000b84f8b0 R08: ffffffff88954947 R09: 1ffffffff112a928
[   29.816821][  T321] R10: dffffc0000000000 R11: fffffbfff112a929 R12: ffff88812f751a84
[   29.824817][  T321] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
[   29.832821][  T321] FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[   29.841778][  T321] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.848403][  T321] CR2: 0000000000000168 CR3: 00000001213a4000 CR4: 00000000003526b0
[   29.856403][  T321] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.864400][  T321] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.872396][  T321] Call Trace:
[   29.875704][  T321]  <TASK>
[   29.878649][  T321]  vfs_rmdir+0x26a/0x560
[   29.882935][  T321]  incfs_kill_sb+0x109/0x230
[   29.887549][  T321]  deactivate_locked_super+0xd5/0x2a0
[   29.892945][  T321]  deactivate_super+0xb8/0xe0
[   29.897646][  T321]  cleanup_mnt+0x3f1/0x480
[   29.902098][  T321]  __cleanup_mnt+0x1d/0x40
[   29.906549][  T321]  task_work_run+0x1e0/0x250
[   29.911159][  T321]  ? __cfi_task_work_run+0x10/0x10
[   29.916286][  T321]  ? free_nsproxy+0x223/0x290
[   29.920987][  T321]  do_exit+0x9b4/0x2630
[   29.925165][  T321]  ? _raw_spin_unlock_irqrestore+0x4a/0x70
[   29.931006][  T321]  ? __cfi_do_exit+0x10/0x10
[   29.935631][  T321]  ? __kasan_check_read+0x15/0x20
[   29.940727][  T321]  ? do_nanosleep+0x44e/0x590
[   29.945434][  T321]  ? pte_offset_map_rw_nolock+0xba/0x110
[   29.951092][  T321]  ? __kasan_check_write+0x18/0x20
[   29.956227][  T321]  ? _raw_spin_lock_irq+0x8d/0x120
[   29.961369][  T321]  ? __cfi__raw_spin_lock_irq+0x10/0x10
[   29.966943][  T321]  do_group_exit+0x22a/0x300
[   29.971574][  T321]  ? __kasan_check_write+0x18/0x20
[   29.976711][  T321]  get_signal+0x139d/0x14f0
[   29.981247][  T321]  arch_do_signal_or_restart+0x96/0x720
[   29.986827][  T321]  ? common_nsleep+0x93/0xb0
[   29.991448][  T321]  ? __cfi_arch_do_signal_or_restart+0x10/0x10
[   29.997636][  T321]  ? __se_sys_clock_nanosleep+0x2fd/0x390
[   30.003389][  T321]  ? __kasan_check_read+0x15/0x20
[   30.008437][  T321]  ? fpregs_assert_state_consistent+0xb7/0xe0
[   30.014544][  T321]  syscall_exit_to_user_mode+0x58/0xb0
[   30.020028][  T321]  do_syscall_64+0x64/0xf0
[   30.024472][  T321]  ? clear_bhb_loop+0x35/0x90
[   30.029200][  T321]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   30.035122][  T321] RIP: 0033:0x7f15fbdc11e5
[   30.039559][  T321] Code: Unable to access opcode bytes at 0x7f15fbdc11bb.
[   30.046594][  T321] RSP: 002b:00007f15fcbf0ea0 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
[   30.055037][  T321] RAX: fffffffffffffdfc RBX: 0000000000000058 RCX: 00007f15fbdc11e5
[   30.063027][  T321] RDX: 00007f15fcbf0ee0 RSI: 0000000000000000 RDI: 0000000000000000
[   30.071018][  T321] RBP: 00007f15fbe10b39 R08: 0000000000000000 R09: 0000000000000058
[   30.079012][  T321] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[   30.087011][  T321] R13: 0000000000000000 R14: 00007f15fbfb5fa0 R15: 00007ffc3f02c8e8
[   30.095013][  T321]  </TASK>
[   30.098053][  T321] Modules linked in:
[   30.101988][  T321] CR2: 0000000000000168
[   30.106154][  T321] ---[ end trace 0000000000000000 ]---
[   30.111623][  T321] RIP: 0010:ihold+0x2a/0x70
[   30.116166][  T321] Code: f3 0f 1e fa 55 48 89 e5 41 56 53 48 89 fb e8 cd 5f 98 ff 48 8d bb 68 01 00 00 be 04 00 00 00 e8 3c 4d ee ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 68 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 dd
[   30.135796][  T321] RSP: 0018:ffffc9000b84f8a0 EFLAGS: 00010246
[   30.141889][  T321] RAX: ffff88810af9df00 RBX: 0000000000000000 RCX: ffff88810af9df00
[   30.149882][  T321] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   30.157871][  T321] RBP: ffffc9000b84f8b0 R08: ffffffff88954947 R09: 1ffffffff112a928
[   30.165880][  T321] R10: dffffc0000000000 R11: fffffbfff112a929 R12: ffff88812f751a84
[   30.173874][  T321] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
[   30.181864][  T321] FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[   30.190907][  T321] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   30.197518][  T321] CR2: 0000000000000168 CR3: 00000001213a4000 CR4: 00000000003526b0
[   30.205515][  T321] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.213504][  T321] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.221512][  T321] Kernel panic - not syncing: Fatal exception
[   30.227849][  T321] Kernel Offset: disabled
[   30.232176][  T321] Rebooting in 86400 seconds..