last executing test programs: 50.407200393s ago: executing program 3 (id=1480): r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2000c0c1}, 0x40000) 50.381787571s ago: executing program 3 (id=1481): sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000001140)={&(0x7f0000000140)=ANY=[], 0x68}}, 0x10) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000140)=@newqdisc={0x5c, 0x24, 0x4ee4e6a52ff56541, 0x70b926, 0x25dfdbfc, {0x0, 0x0, 0x0, 0x0, {0x0, 0xd}, {0x6, 0xb}, {0xffff, 0xffe0}}, [@qdisc_kind_options=@q_cake={{0x9}, {0x2c, 0x2, [@TCA_CAKE_MEMORY={0x8, 0xa, 0x5}, @TCA_CAKE_FWMARK={0x8, 0x12, 0x9}, @TCA_CAKE_OVERHEAD={0x8, 0x6, 0xc7}, @TCA_CAKE_SPLIT_GSO={0x8}, @TCA_CAKE_TARGET={0x8, 0x8, 0x5}]}}]}, 0x5c}, 0x1, 0x0, 0x0, 0x240040e0}, 0x21a06664297a28ba) r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=ANY=[@ANYBLOB="cc0000003600070100000000ff03000003"], 0xcc}, 0x1, 0x0, 0x0, 0x4c094}, 0x4040) 50.347381041s ago: executing program 3 (id=1482): sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=@newtfilter={0x48, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {0x0, 0x9}, {}, {0xd, 0xfff1}}, [@filter_kind_options=@f_cgroup={{0xb}, {0x18, 0x2, [@TCA_CGROUP_EMATCHES={0x14, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_LIST={0x10, 0x2, 0x0, 0x1, [@TCF_EM_IPT={0xc, 0x1, 0x0, 0x0, {{0x3, 0x9, 0x80}}}]}]}]}}]}, 0x48}}, 0x1) r0 = socket(0x10, 0x803, 0x0) sendmsg$NL80211_CMD_CRIT_PROTOCOL_START(r0, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000540)={0x0, 0x1c}}, 0x0) getsockname$packet(r0, &(0x7f00000002c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000080)=0x14) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000640)=ANY=[@ANYBLOB="3c0000001000850600000000ff6122314a000800", @ANYRES32=r1, @ANYBLOB="f5ff0f00252155b21c0012000c000100626f6e64000000000c0002000800010001"], 0x3c}}, 0x40000) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="4000000010000305000000000007000000000000", @ANYRES32=0x0, @ANYBLOB="0000000000100000180012800e0001007769726567756172640000000400028008000a00", @ANYRES32=r1], 0x40}, 0x1, 0x0, 0x0, 0x800}, 0xc0b0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={0x0}}, 0x0) r2 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000880)=@ipv6_newroute={0x1c, 0x18, 0x1, 0x70bd2c, 0x0, {0xa, 0x0, 0x14, 0x0, 0xff, 0x3, 0xff, 0x6}}, 0x1c}}, 0x0) sendmmsg(r2, &(0x7f00000002c0), 0x40000000000009f, 0x0) 49.966940672s ago: executing program 3 (id=1485): ioctl$ifreq_SIOCGIFINDEX_wireguard(0xffffffffffffffff, 0x8933, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000000c0)='./file1\x00', 0x2208456, &(0x7f0000000b80)=ANY=[], 0x1, 0x2ab, &(0x7f0000000740)="$eJzs3U9rY1UUAPDz8q8ZXaSIG0XwgS5clalbN40ygtiVEkFdaHBmQJIwMIWAFUy76idw6ffwI7hx4zcQ3Aru2kXlycvL60vaxJYaU5j+fqsz995z73nvDukqJ1+/MRo8fpbE8env0W4nUduLvThLYjtqUTqKRgAAL46zLIu/sttkPqitvxoAYBOKv/+Fu64FANiMTz//4uPu/v6jT9K0Ha91Tsa9JCJGJ+NeMd99Gt/GMJ7Ew+jEeUR2oYib+aJGmtuOt0eTcS/PHH3162z/7p8R0/zd6MT21fwPP9p/tJsWLvJfKqtLo/u0Wf6jE68uz3/3cn6MJtFrxTtvzdW/E5347Zt4FsN4HHlulf/Dbpp+kP14+v2X+TF5flKL3tZ0XSWrb+ZGAAAAAAAAAAAAAAAAAAAAAAC4D3bSNCna90z79+RD0/454179fDq/k5bm+/tMyv5ASblR0R8oi1mLnkkWP5X9dR6maZrNFlb5jXi94YcFAAAAAAAAAAAAAAAAAAAAIHfw3eGgPxw+eb6WoOwGUH6t/7b77M2NvBmHg3599YZbNz+rcVQ9eF7rvy6ORiPW9FquCx7k9ax9563qcj+LIigvZq1nvfJ+senhoJ/OpsqXPOgn153VLi/u5/mpVvzXwrLpf4nzbPFO2xelLma11vQ2Wi8vnfo7y7Kb7fPeH8UdzUaSaYuNm53enAVLHzAP2lfv4pfVG678yKiv55MHAAAAAAAAAAAAAAAAAAC4rPrS75LJ4xVJxXjtfy0MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADao+v3/MmhHxOLIYtCskleuqYJWPD+4y+cDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgfvgnAAD///PnTH8=") syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x2, 0x0, 0x0) chdir(&(0x7f00000003c0)='./bus\x00') openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x143041, 0x0) syz_mount_image$fuse(0x0, &(0x7f0000000580)='./file1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0, 0x0, 0x0, 0x0, 0x0) renameat2(0xffffffffffffff9c, &(0x7f00000007c0)='./file1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0xffffffffffffff9c, &(0x7f0000000680)='./file1\x00', 0x2) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000280)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000180)=0x7) madvise(&(0x7f0000c00000/0x400000)=nil, 0x400000, 0xe) mlock(&(0x7f0000c00000/0x400000)=nil, 0x400000) syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0xa2bb1000) connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x2}, 0x6e) sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0) mlock(&(0x7f0000c00000/0x400000)=nil, 0x400000) 49.785371678s ago: executing program 3 (id=1490): sched_setaffinity(0x0, 0x0, 0x0) r0 = socket$nl_route(0x10, 0x3, 0x0) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000040)={0x5, 0x0, 0x0, &(0x7f0000000100)='syzkaller\x00', 0x1000d, 0x0, 0x0, 0x41100, 0x4}, 0x94) ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, 0x0) ioctl(r0, 0x8b1a, &(0x7f0000000040)) r1 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r1, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0) 48.791411019s ago: executing program 3 (id=1498): open(&(0x7f0000000200)='./file0\x00', 0x4008040, 0x0) pipe2(0x0, 0x0) socket(0x10, 0x803, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x1, &(0x7f0000000200)=0x7) newfstatat(0xffffffff0000005d, 0x0, 0x0, 0x1000) connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000000940)=[{{&(0x7f0000000300)=@in6={0xa, 0x0, 0x0, @remote}, 0x80, &(0x7f00000007c0)=[{&(0x7f0000000280)=""/50, 0x32}, {&(0x7f0000000500)=""/233, 0xe9}, {&(0x7f0000000600)=""/164, 0xa4}, {&(0x7f0000000440)=""/98, 0x62}, {&(0x7f00000006c0)=""/225, 0x12d}], 0x5, &(0x7f0000000840)=""/217, 0xd9}, 0x5}], 0x1, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r1 = syz_open_procfs(0x0, &(0x7f0000000240)='net/vlan/vlan0\x00') preadv(r1, &(0x7f00000004c0)=[{&(0x7f0000000000)=""/216, 0xd8}], 0x1, 0xa3, 0xd) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz1\x00', 0x1ff) r2 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r3 = openat$cgroup_int(r2, &(0x7f00000002c0)='blkio.throttle.write_iops_device\x00', 0x2, 0x0) write$cgroup_subtree(r3, &(0x7f00000000c0)=ANY=[], 0x6a) 48.775207798s ago: executing program 32 (id=1498): open(&(0x7f0000000200)='./file0\x00', 0x4008040, 0x0) pipe2(0x0, 0x0) socket(0x10, 0x803, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x1, &(0x7f0000000200)=0x7) newfstatat(0xffffffff0000005d, 0x0, 0x0, 0x1000) connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000000940)=[{{&(0x7f0000000300)=@in6={0xa, 0x0, 0x0, @remote}, 0x80, &(0x7f00000007c0)=[{&(0x7f0000000280)=""/50, 0x32}, {&(0x7f0000000500)=""/233, 0xe9}, {&(0x7f0000000600)=""/164, 0xa4}, {&(0x7f0000000440)=""/98, 0x62}, {&(0x7f00000006c0)=""/225, 0x12d}], 0x5, &(0x7f0000000840)=""/217, 0xd9}, 0x5}], 0x1, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r1 = syz_open_procfs(0x0, &(0x7f0000000240)='net/vlan/vlan0\x00') preadv(r1, &(0x7f00000004c0)=[{&(0x7f0000000000)=""/216, 0xd8}], 0x1, 0xa3, 0xd) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz1\x00', 0x1ff) r2 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) r3 = openat$cgroup_int(r2, &(0x7f00000002c0)='blkio.throttle.write_iops_device\x00', 0x2, 0x0) write$cgroup_subtree(r3, &(0x7f00000000c0)=ANY=[], 0x6a) 6.375417162s ago: executing program 0 (id=1771): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) writev(0xffffffffffffffff, 0x0, 0x0) r3 = socket$inet_tcp(0x2, 0x1, 0x0) getsockopt$IPT_SO_GET_REVISION_TARGET(r3, 0x0, 0x43, 0x0, 0x0) connect$inet(r3, 0x0, 0x0) r4 = socket(0x10, 0x803, 0x0) write(r4, &(0x7f0000000340)="1c0000005e001f3814584707f9f4ffffff000000230000001ff80000", 0x1c) recvfrom$inet(0xffffffffffffffff, &(0x7f0000000080)=""/8, 0xfffffffffffffd0b, 0x720, 0x0, 0xfffffffffffffd25) 5.833457332s ago: executing program 2 (id=1774): socket(0x1e, 0x4, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYRES32, @ANYBLOB="0000000000000000b70800000d0000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x4, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="0b00000005000000050000000900000001"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000009c0)={0x1f, 0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000800000000000000000000018110000", @ANYRES32=r2], 0x0, 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback=0x36, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000002c0)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x2, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r3, r1, 0x25, 0x0, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000100)=ANY=[], 0x0) r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='comm\x00') fchdir(r4) r5 = socket$unix(0x1, 0x5, 0x0) connect$unix(r5, &(0x7f0000000640)=@file={0x1, './cgroup\x00'}, 0x6e) 5.698960933s ago: executing program 2 (id=1775): r0 = socket$kcm(0x2, 0x1000000000000002, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000b80)=ANY=[@ANYBLOB], 0x0}, 0x94) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000680), 0x189502, 0x0) ioctl$SNDCTL_DSP_SETDUPLEX(r1, 0x5016, 0x0) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff) prlimit64(0x0, 0xe, &(0x7f0000000140)={0xf, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, 0x0) r3 = getpid() sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f00002eb000/0x4000)=nil, 0x4000, 0x2000000, 0x2010, 0xffffffffffffffff, 0xc8cfe000) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r4, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e) sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) fcntl$setpipe(0xffffffffffffffff, 0x407, 0x7000000) r6 = io_uring_setup(0x164b, &(0x7f0000000440)={0x0, 0xfc10, 0x800, 0x2, 0x316}) r7 = add_key$keyring(&(0x7f0000000000), &(0x7f0000000040)={'syz', 0x2}, 0x0, 0x0, 0xfffffffffffffffe) keyctl$chown(0x4, r7, 0xee01, 0x0) keyctl$setperm(0x5, r7, 0x30925) r8 = add_key(&(0x7f0000000000)='big_key\x00', &(0x7f0000000040)={'syz', 0x0}, &(0x7f0000000080)="ae", 0x1, 0xffffffffffffffff) keyctl$search(0xa, r7, &(0x7f0000000040)='keyring\x00', &(0x7f0000000080)={'syz', 0x2}, r8) io_uring_register$IORING_REGISTER_FILES(r6, 0x2, &(0x7f0000000380)=[r4, r0, r0, 0xffffffffffffffff, 0xffffffffffffffff, r4, r5], 0x7) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x4000000) r9 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f00000003c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_CHANNEL_SWITCH(r9, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000400)=ANY=[@ANYBLOB=',\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="010008020000001800006600000008000300", @ANYRES32=r10, @ANYBLOB="08002600940900000800b7"], 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) 5.514011489s ago: executing program 0 (id=1777): sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=@newtfilter={0x48, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {0x0, 0x9}, {}, {0xd, 0xfff1}}, [@filter_kind_options=@f_cgroup={{0xb}, {0x18, 0x2, [@TCA_CGROUP_EMATCHES={0x14, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_LIST={0x10, 0x2, 0x0, 0x1, [@TCF_EM_IPT={0xc, 0x1, 0x0, 0x0, {{0x3, 0x9, 0x80}}}]}]}]}}]}, 0x48}}, 0x1) r0 = socket$netlink(0x10, 0x3, 0x0) r1 = socket(0x10, 0x803, 0x0) sendmsg$NL80211_CMD_CRIT_PROTOCOL_START(r1, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000540)={0x0, 0x1c}}, 0x0) getsockname$packet(r1, &(0x7f00000002c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000080)=0x14) sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000640)=ANY=[@ANYBLOB="3c0000001000850600000000ff6122314a000800", @ANYRES32=r2, @ANYBLOB="f5ff0f00252155b21c0012000c000100626f6e64000000000c0002000800010001"], 0x3c}}, 0x40000) sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="400000001000030500000000000700", @ANYRES32=0x0, @ANYBLOB="0000000000100000180012800e0001007769726567756172640000000400028008000a00", @ANYRES32=r2], 0x40}, 0x1, 0x0, 0x0, 0x800}, 0xc0b0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={0x0}}, 0x0) r3 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000880)=@ipv6_newroute={0x1c, 0x18, 0x1, 0x70bd2c, 0x0, {0xa, 0x0, 0x14, 0x0, 0xff, 0x3, 0xff, 0x6}}, 0x1c}}, 0x0) sendmmsg(r3, &(0x7f00000002c0), 0x40000000000009f, 0x0) 5.23992219s ago: executing program 0 (id=1780): bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f0000000280)=ANY=[@ANYBLOB="180000000000000000000000000000001801"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x37, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b70200001a000000bfa30000000000000703000000feff"], 0x0}, 0x94) r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000041436120410e5150e8d5000000010902f98a5c01000000090401001186eee2000905821704"], 0x0) syz_usb_control_io$sierra_net(r0, 0x0, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0xffffffffffffff42, &(0x7f0000000000)=ANY=[]) 4.074870245s ago: executing program 2 (id=1784): r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_int(r0, 0x29, 0x42, 0x0, 0x5c) socket$inet6_sctp(0xa, 0x5, 0x84) bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x48) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) mq_timedsend(0xffffffffffffffff, 0x0, 0x0, 0x6, 0x0) syz_genetlink_get_family_id$SEG6(&(0x7f0000003e40), 0xffffffffffffffff) mount(&(0x7f00000000c0)=@nullb, &(0x7f0000000040)='.\x00', &(0x7f0000000140)='zonefs\x00', 0x0, 0x0) socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_open_dev$dri(&(0x7f0000000080), 0x1, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r4, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r4, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x1}) ioctl$DRM_IOCTL_MODE_OBJ_GETPROPERTIES(r4, 0xc02064b9, &(0x7f00000002c0)={&(0x7f0000000240)=[0x0, 0x0, 0x0], &(0x7f0000000040), 0x3}) ioctl$DRM_IOCTL_MODE_ATOMIC(r4, 0xc03864bc, &(0x7f0000000580)={0x201, 0x1, &(0x7f0000000180)=[0x0], &(0x7f0000000400)=[0x3], &(0x7f0000000640)=[r5, r5, r5], &(0x7f0000000340), 0x0, 0xffffffffffffffff}) 3.55976597s ago: executing program 1 (id=1788): seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f00000001c0)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) truncate(&(0x7f0000000000)='./file0\x00', 0x96f) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000000)={0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x50) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x800}, 0x40000) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x1, &(0x7f0000000280)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f00000003c0)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$IPT_SO_SET_REPLACE(r3, 0x0, 0x40, &(0x7f0000001f40)=@raw={'raw\x00', 0x8, 0x3, 0x3e8, 0x248, 0x43, 0xa0, 0x248, 0x98, 0x350, 0x178, 0x178, 0x350, 0x178, 0x49, 0x0, {[{{@ip={@loopback, @local, 0x0, 0x0, 'veth0_to_bond\x00', 'ip6erspan0\x00'}, 0x12a, 0x228, 0x248, 0x0, {0x0, 0x7a010000}, [@common=@inet=@recent0={{0xf8}, {0x0, 0x0, 0x8, 0x0, 'syz0\x00'}}, @common=@unspec=@string={{0xc0}, {0x0, 0x3, 'kmp\x00', "7af8bdb4c056dc65949041982abfe9ed51b01289c0026e2e6034ed587be5f09017b907388134b0ede40eb8d493f20d534fc37f23ec524d91a7a041f36bb1d1c3ab474544c5ef3f2fa69a80a0d967ee4464257d28d31e6843bc1221dfb9a6a27ad13af7061b737fd97d94f50942c68242819c941c0b4d9ec154c7d327187e8198", 0x38, 0x2, {0x1}}}]}, @unspec=@TRACE={0x20}}, {{@uncond, 0x0, 0xe8, 0x108, 0x0, {}, [@common=@unspec=@connbytes={{0x38}, {[{0xb}]}}, @common=@set={{0x40}, {{0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x300]}}}]}, @unspec=@NOTRACK={0x20}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28, '\x00', 0x4}}}}, 0x448) 2.997293485s ago: executing program 2 (id=1792): sendmsg$inet(0xffffffffffffffff, 0x0, 0x40000) setreuid(0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r2 = syz_init_net_socket$ax25(0x3, 0x3, 0x8) ioctl$SIOCAX25OPTRT(r2, 0x89e7, 0x0) 2.520436963s ago: executing program 1 (id=1793): socket$inet6_mptcp(0xa, 0x1, 0x106) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x18, 0xc, 0x0, &(0x7f00000001c0)='GPL\x00'}, 0x94) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) getpid() r0 = getpid() sched_setscheduler(r0, 0x1, &(0x7f0000000180)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) bind$bt_l2cap(0xffffffffffffffff, 0x0, 0x0) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000004c0)={0x0}}, 0x0) sendmsg$IPSET_CMD_LIST(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000100)={0x1c, 0x7, 0x6, 0x801, 0x0, 0x0, {0x5, 0x0, 0x2}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x24000840}, 0x4800) sendmmsg(0xffffffffffffffff, &(0x7f00000002c0), 0x0, 0x400c800) bpf$PROG_LOAD(0x5, 0x0, 0x0) socket$packet(0x11, 0x2, 0x300) ioctl$AUTOFS_IOC_FAIL(0xffffffffffffffff, 0x4c80, 0xfffff) 2.079350662s ago: executing program 5 (id=1794): r0 = socket$kcm(0x2, 0x1000000000000002, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000b80)=ANY=[@ANYBLOB], 0x0}, 0x94) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000680), 0x189502, 0x0) ioctl$SNDCTL_DSP_SETDUPLEX(r1, 0x5016, 0x0) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff) prlimit64(0x0, 0xe, &(0x7f0000000140)={0xf, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, 0x0) r3 = getpid() sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f00002eb000/0x4000)=nil, 0x4000, 0x2000000, 0x2010, 0xffffffffffffffff, 0xc8cfe000) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r4, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e) sendmmsg$unix(r5, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r4, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) fcntl$setpipe(0xffffffffffffffff, 0x407, 0x7000000) r6 = io_uring_setup(0x164b, &(0x7f0000000440)={0x0, 0xfc10, 0x800, 0x2, 0x316}) r7 = add_key$keyring(&(0x7f0000000000), &(0x7f0000000040)={'syz', 0x2}, 0x0, 0x0, 0xfffffffffffffffe) keyctl$chown(0x4, r7, 0xee01, 0x0) keyctl$setperm(0x5, r7, 0x30925) r8 = add_key(&(0x7f0000000000)='big_key\x00', &(0x7f0000000040)={'syz', 0x0}, &(0x7f0000000080)="ae", 0x1, 0xffffffffffffffff) keyctl$search(0xa, r7, &(0x7f0000000040)='keyring\x00', &(0x7f0000000080)={'syz', 0x2}, r8) io_uring_register$IORING_REGISTER_FILES(r6, 0x2, &(0x7f0000000380)=[r4, r0, r0, 0xffffffffffffffff, 0xffffffffffffffff, r4, r5], 0x7) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x4000000) r9 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f00000003c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_CHANNEL_SWITCH(r9, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000400)=ANY=[@ANYBLOB=',\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="010008020000001800006600000008000300", @ANYRES32=r10, @ANYBLOB="08002600940900000800b7"], 0x2c}, 0x1, 0x0, 0x0, 0x4000000}, 0x0) 1.945762437s ago: executing program 4 (id=1796): r0 = syz_io_uring_setup(0x110, &(0x7f0000000380)={0x0, 0x10, 0x0, 0x5, 0x80}, &(0x7f0000000240)=0x0, &(0x7f0000000280)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r1, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r1, r2, &(0x7f00000002c0)=@IORING_OP_FILES_UPDATE={0x14, 0x0, 0x0, 0x0, 0xfffffffffffffffc, &(0x7f0000000000)=[0xffffffffffffffff], 0x1}) io_uring_enter(r0, 0x47f6, 0x0, 0x0, 0x0, 0x0) 1.944329357s ago: executing program 4 (id=1797): socket(0x1e, 0x4, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB, @ANYRES32, @ANYBLOB="0000000000000000b70800000d0000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x4, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="0b00000005000000050000000900000001"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000009c0)={0x1f, 0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000800000000000000000000018110000", @ANYRES32=r2], 0x0, 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback=0x36, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000002c0)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x2, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r3, r1, 0x25, 0x0, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000100)=ANY=[], 0x0) r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='comm\x00') fchdir(r4) r5 = socket$unix(0x1, 0x5, 0x0) connect$unix(r5, &(0x7f0000000640)=@file={0x1, './cgroup\x00'}, 0x6e) 1.923199657s ago: executing program 4 (id=1798): r0 = syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000280)='./mnt\x00', 0x800810, &(0x7f0000000180)={[{@nobh}, {@max_dir_size_kb={'max_dir_size_kb', 0x3d, 0x4}}]}, 0xff, 0x23f, &(0x7f0000000540)="$eJzs3T1oLFUYBuB3Zne95t5FrtoI4g+IiAbCtRNsYqMQkBBEBBUiIjZKIsQEu8TKxkJrlVQ2QeyMlpIm2CiCVdQUsRE0WBgstFiZnURisuLPxh1xngdmZ2b3nPnOMPOe3WbYAK11Nclskk6S6SS9JMXpBnfWy9Xj3c2p3cVkMHjsh2LYrt6vnfS7kmQjyQNJdsoiL3STte2nDn7ae+Se11d7d7+7/eTURE/y2OHB/qNH78y/9sHc/WufffHdfJHZ9H93XhevGPFet0hu+jeK/UcU3aZHwF+x8Mr7X1a5vznJXcP891KmvnhvrFy308t9b/9R3ze///zWSY4VuHiDQa/6DtwYAK1TJumnKGeS1NtlOTNT/4b/qnO5fHF55eXp55dXl55reqYCLko/2X/4o0sfXjmT/287df6B/68q/48vbH1dbR91mh4NMBG31asq/9PPrN8b+YfWkX9oL/mH9pJ/aC/5h/aSf2gv+Yf2kn9oL/mH9pJ/aK/T+QcA2mVwqeknkIGmND3/AAAAAAAAAAAAAAAAAAAA521O7S6eLJOq+clbyeFDSbqj6neG/0ecXD98vfxjUTX7TVF3G8vTd4x5gDG91/DT1zd802z9T29vtv76UrLxapJr3e75+684vv/+uRv/5PPes2MW+JuKM/sPPjHZ+mf9stVs/bm95ONq/rk2av4pc8twPXr+6VfXb8z6L/085gEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYmF8DAAD//xFQbUc=") ioctl$BTRFS_IOC_QUOTA_RESCAN(r0, 0x4040942c, 0x0) r1 = fsopen(&(0x7f0000000080)='cgroup\x00', 0x0) fsconfig$FSCONFIG_SET_STRING(r1, 0x3, &(0x7f0000000000)='source', &(0x7f0000000840)='%\\,:\x85X\\\x03\xa6\xd7}\xcd\xeb*\xb1\xa8\xb7\x81\xc8\xcbR\xa8?\x97 \xcbz&\x17\xa4\xfd^\xe1I\x11X\x90\x03\xb7W\x05\xb0\x99\x10F0\xb5YP9\xc3\xe2M\xaa\x81\xfev:\xe40\x9e\xdb\x98\xb4\xd0\xdcE\x14\x910\x1b.G\xab\x86\xdfy\xe6\xde11_H]\xe2\xc3\xb2fa\x7f\x8c\xf3\xc6\x85\xc9\xd6j\xff\xaa\xdbWD\x87\xe3\\mUSy\x0f\x82qW\fE\xd15ec>:D+', 0x0) setxattr$system_posix_acl(0x0, &(0x7f0000000000)='system.posix_acl_default\x00', &(0x7f00000003c0)=ANY=[], 0x24, 0x0) syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="043e130100"], 0x16) syz_clone3(0x0, 0x0) prctl$PR_SET_TAGGED_ADDR_CTRL(0x37, 0x1) r2 = socket$inet_sctp(0x2, 0x1, 0x84) getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r2, 0x84, 0x7, &(0x7f0000001fc0), &(0x7f0000002000)=0x4) syz_mount_image$exfat(&(0x7f00000000c0), &(0x7f0000000040)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='iocharset=cp857,time_offset=0x0000000000000003,errors=remount-ro,fmask=00000000000000000000006,iocharset=cp862,allow_utime=00000000000000000077777,namecase=1,dmask=00000000000000000000201,utf8,dmask=000000000000\x00'/224], 0x1, 0x1543, &(0x7f0000000500)="$eJzs3AucTlX3OPC19t5nDImnSS7D3nsdnuSySZJckuSSJJUkyS0hSfJKQmIISRqSkFyGJIaQXCYmjfv9fklokjRJkltuyf5/Jubn7Vf9e2+/1/t5Z30/n/Ox15yz9lnnWfOc55wzZr7rNqx2kzo1GhER/FPw4j8JABALAIMAIC8ABABQIa5CXOb6nBIT/rmdsH+th5KvdAXsSuL+Z2/c/+yN+5+9cf+zN+5/9sb9z964/9kb95+x7Gzz9ELX8JJ9F37+n+2kj/2fIX/+/xfJKDPuq7VlrusOEPO3pnD/szfu/3+t4G/ZiPufvXH/s6vYK10A+w/A7//sIMcfruH+Z2/cf8aysyv9/PlKLxD5D3sNjuS82Jh/1/EzxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGP/Bmf8ZQoAssZXui7GGGOMMcYYY4z96/gcV7oCxhhjjDHGGGOM/d9DECBBQQAxkANiISfkAgEAV0MeyAsRuAbi4FrIB9dBfigABaEQxENhKAIaDFggCKEoFIMoXA/F4QYoASWhFJQGB2WgLNwI5eAmKA83QwW4BSrCrVAJKkMVqAq3QTW4HarDHVAD7oSaUAtqQx24C+rC3VAP7oH6cC80gPvgfngAGsKD0AgegsbwMDSBR6ApPArNoDm0gJbQ6h/KfwF6wYvQG/pAAvSFfvAS9IcBMBBehkHwCgyGV2EIvAaJMBSGweswHN6AEfAmjIRRMBregjHwNoyFcTAeJkASTIRJ8A5MhndhCrwHU2EaJMN0mAHvw0yYBbPhA5gDH8JcmAfzYQGkwEewEBZBKnwMi+ETSIMlsBSWwXJYASthFayGNbAW1sF62AAbYRNshi2wFbbBdtgBO+FT2AWfwW7YA3vhc0iHL/7O/NP/K787AgIKFKhQYQzGYCzGYi7MhbkxN+bBPBjBCMZhHObDfJgf82NBLIjxGI9FsAgaNEhIWBSLYhSjWByLYwksgaWwFDp0WBbLYjm8CctjeayAFbAiVsRKWBkrY1WsitWwGlbH6lgDa2BNrIm1sTbehXdhX6yH9bA+1scG2CDr8RQ2wkbYGBtjE2yCTbEpNsNm2AJbYCtsha2xNbbBNtgO22F7bI8dsAN2xI7YCTthZ+yMXbALdsWu2A27YXfsgT0yXsgB+CK+iH2wpuiL/bAf9sfEHAPxZXwZX8HB+Cq+iq9hIg7FYfg6vo5v4Ag8hSNxFI7G0VhNvI1jcRySmIBJmISTcBJOxsmYWeh7OA2TcTrOwBk4E2fhLPwA5+CH+CHOw3m4AFMwBRfiIkzFVFyMpzENl+BSXIbLcQUux1W4GlfhWlyHa3EDbsBNuAm34BbchttwB+7AT1EB4Ge4B/dgIqZjOu7Dfbgf9+MBPIAZmIEH8SAewkN4GA/jETyCR/EYHsdjeBJP4ik8jWfwDJ7Dc3gen4v/pvGnJdckgsikhBIxIkbEiliRS+QSuUVukUfkEREREXEiTuQT+UR+kV8UFAVFvIgXRUQRYYQRJMIYABBRERXFRXFRQpQQpUQp4YQTZUVZUU6UE+VFeVFB3CIqiltFJVFZtHVVRVVRTbRz1cUdooaoIWqKWqK2qCPqiLqirqgn6on6or5oIBqI+8UDoqHoiwPxIZHZmSZiKDYVw7CZaC7kpTNYazEC24i2op14QozCkdhBtHYdxdOikxiLncVfxDh8VnQVE7CbeF50Fz1ET/GC6CXauN6ij5iCfUU/MQ37iwFioHhZzMRa4gOck7O2eE0kiqFimHhdLMA3xAjxphgpRonR4i0xRrwtxopxYryYIJLERDFJvCMmi3eFEO+JqWKaSBbTxQzxvpgpZonZ4gMxR3wo5op5Yr5YIFLER2KhWCRSxcdisfhEpIklYqlYJpaLFWKlWCVWizVirVgn1osNYqPYJDaLLWKriIXtYofYKT4Vu8RnYrfYI/aKz0W6+ELsE1+K/eIrcUB8LTLEN+Kg+FYcEt+Jw+J7cUT8II6KY+K4OCFOih/FKXFanBFnxTnxkzgvfhYXhBcgUQoppZKBjJE5ZKzMKXPJq2RuGVx6da+RcfJamU9eJ/PLArKgLCTjZWFZRGpppJUkQ1lUFpNReb0sLm+QJWRJWUqWlk6WkWXljbKcvEmWlzfLCvIWWVHeKivJyrKKrCpvk9Xk7RIiF/dRU9aStWUdeZdMgLtlPXmPrC/vlQ3kffJ++YBsKB+UjeRDsrF8WDaRj8im8lHZTDaXLWRL2Uo+JlvLx2Ub2Va2k0/I9vJJ2UE+JTvKp2Un6S99izwru8rnZDf5vOwue8ie8md5QXrZW/aR0BdkP/mS7C8HyIGxACBfkYPlq3KIfE0myqFymHxdDpdvyBHyTTlSjpKj5VtyjHxbjpXj5Hg5QSbJiXKSfEdOlu/KKfI9OVVOk8lyuhwoB/0y02wp/zT/nd/JH/LL3jfJzXKL3Cq3ye1yh9wpP5W75C65W+6We+VemS7T5T65T+6X++UBeUBmyAx5UB6Uh+QheVgelkfkEXlUHpNn5Ql5Uv4oT8nT8rQ8K8/Jc/L8pdcAFCqhpFIqUDEqh4pVOVUudZXKra5WeVReFVHXqDh1rcqnrlP5VQFVUBVS8aqwKqK0MsoqUqEqqoqpqLoeL33DqFKqtHKqjCqrbvwlP+tHDH+Sr4qrG1QJVfJX+Vn1JfxBfa1UK9VatVZtVBvVTrVT7VV71UF1UB1VR9VJdVKdVWfVRXVRXVVX1U11U91Vd9VT9VS9VC/VW/VWCSpB9VMvqf5qgBqoXlaD1CtqsBqshqghKlElqmFqmBquhqsRaoQaqUaq0Wq0GqPGqLFqrBqvxqsklaQmqUlqspqspqgpaqqaqpJVspqhZqiZaqaarWarOWqOmqvmqvlqvkpRKWqhWqhSVaparBarNLVELVHL1DK1Qq1Qq9QqtUatUevUOrVBbVBparParLaqrWq72q52qp1ql9qldovdaq/aq9JVutqn9qn9ar86oA6oDJWhDqqD6pA6pA6rw+qIOqKOqqPquDquTqqT6pQ6pc6oM+qcOqfOq/PqgrqQedkXiEAEKlBBTBATxAaxQa4gV5A7yB3kCfIEkSASxAVxQb7guiB/UCAoGBQK4oPCQZFAByawgbjU22hwfVA8uCEoEZQMSgWlAxeUCcoGNwblgpuC8sHNQYXglqBicGtQKagcVAmqBrcF1YLbg+rBHUGN4M6gZlArqB3UCe4K6gZ3B/ViIagf3Bs0CO4L7g8eCBoGDwaNgoeCxsHDQZPgkaBp8GjQLGgetAhaBq3+kfmDe/5gfu9PFXjc9dZ9dILuq/vpl3R/PUAP1C/rQfoVPVi/qofo13SiHqqH6df1cP2GHqHf1CP1KD1av6XH6Lf1WD1Oj9cTdJKeqCfpd/Rk/a6eot/TU/U0nayn6xn6fT1Tz9Kz9Qd6jv5Qz9Xz9Hy9QKfoj/RCvUin6o/1Yv2JTtNL9FK9TC/XK/RKvUqv1mv0Wr1Or9cb9Ea9SW/WW/RWvU1v1zv0Tv2p3qU/07v1Hr1Xf67T9Rd6n/5S79df6QP6a52hv9EH9bf6kP5OH9bf6yP6B31UH9PH9Ql9Uv+oT+nT+ow+q8/pn/R5/bO+oH3mxX3mx7tRRpkYE2NiTazJZXKZ8pDb5DF5TMRETJyJM/lMPpPf5DcFTUETb+JNEVPEZCJDpqgpaqImaoqb4qaEKWFKmVLGGWfKmrKmnClnypvypoKpYCqaiqaSqWSqmCrmNnObud3cbu4wd5g7zZ2mlqll6pg6pq6pa+qZeqa+qW8amAbmfnO/aWgamkamkWlsGpsmpolpapqaZqaZaWFamFamlWltWps2po1pZ9qZ9qa96WA6mI6mo+lkOpnOprPpYrqYrqar6Wa6me6mu+lpeppeppfpbXqbBJNg+pl+pr/pbwaagWaQGWQGm8FmiBliEk2iGWaGmeFmuBlhRpiRZpQZnXmSM2+bsWacGW8mmCSTZCaZSWaymWymmClmqplqkk2ymWFmmJlmppltZps5Zo6Za+aa+Wa+STEpZqFZaFJNqllsFps0k2aWmqVmuVluVpqVZrVZbdaatWY9rDcbzUaz2Ww2W81Ws91sNzvNTrPL7DK7zW6z1+w16Sbd7DP7zH6z3xwwB0yGyTAHzUFzyBwyh81hc8QcMUfNUXPcHDcnzUlzypwyZ8wZc84UuPR56U3WyTy3vdrmsXltrM1pc9mr7MU468qrsC1itc1vC9iCtpCNtxdjY60tYUvaUra0dbaMLWtv/E1cyVa2VWxVe5utZm+31X8T17V323r2Hlvf3mvr2Lt+FTew99nMq5OGiAC2uW1sW9om9hHb1D5qm9nmtoVtadvbJ20H+5TtaJ+2newzv4kX2kV2tV1j19p1drfdY8/Ys/aQ/c6esz/Z3raPHWRfsYPtq3aIfc0m2qG/iUfbt+wY+7Yda8fZ8XbCb+KpdppNttPtDPu+nWln/SZOsR/ZOTbVzrXz7Hy74Jc4s6ZU+7FdbD+xaTaApXaZXW5X2JV2VVatPq/dYDfaTXaX/cxutdvsdrvD7sxqh91j99rPbbr9wh6039r99it7wB62GfabX+LM4ztsv7dH7A/2qD1mj9sT9qT9UWVlZx77CfuzvWC9BUICkqQooBjKQbGUk3LRVZSbrqY8lJcidA3F0bWUj66j/FSAClIhiqfCVIQ0GbJEFFJRKkZRup6yyitFpclRGSpLN1I5uonK081UgW6hinQrVaLKVIWq0m1UjW6n6nQH1aA7qSbVotpUh+6iunQ31aN7qD7dSw3oPrqfHqCG9CA1ooeoMT1MTegRakqPUjNqTi2oJbWix6g1PU5tqC21oyeoPT1JHegp6khPUyd6hjrTX6gLPUtd6TnqRs9Td+pBPekF6kUvUm/qQwnUl/rRS9SfBtBAepkG0Ss0mF6lIfQaJdJQGkav03B6g0bQmzSSRtFoeovG0Ns0lsbReJpASTSRJtE7NJnepSn0Hk2laZRM02kGvU8zaRbNpg9oDn1Ic2kezacFlEIf0UJaRKn0MS2mTyiNltBSWkbLaQWtpFW0mtbQWlpH62kDbaRNtJm20FbaRttpB+2kT2kXfUa7aQ/tpc8pnb4gpC9pP31FB+hryqBv6CB9S4foOzpM3/s+9AMdpWN0nE7QSfqRTtFpOkNn6Rz9ROfpZ7pAniDEUIQyVGEQxoQ5wtgwZ5grvCrMHV4d5gnzhpHwmjAuvDbMF14X5g8LhAXDQmF8WDgsEurQhDakMAyLhsXCaHh9WDy8ISwRlgxLhaVDF5YJy4Y3huXCm8Ly4c1hhfCWsGJ4a1gprBw+cm/V8LawWnh7WD28I6wR3hnWDGuFtcM64V1h3fDusF54T1g/vDcsH94X3h8+EDYMHwwbhQ+FjcOHwybhI2HT8NGwWdg8bBG2DFuFj4Wtw8fDNmHbsF34RNg+fDLsED4VdgyfDjuFz/yy/r5Ff7w+Iewb9gtfCl8Kvb9Hzo8uiKZEP4oujC6KpkY/ji6OfhJNiy6JLo0uiy6ProiujK6Kro6uia6Nrouuj26IboxuinpfJwc4dMJJp1zgYlwOF+tyulzuKpfbXe3yuLwu4q5xce5al89d5/K7Aq6gK+TiXWFXxGlnnHXkQlfUFXNRd70r7m5wJVxJV8qVds6VcWVdS9fKtXKt3eOujWvr2rkn3BPuSfeke8o95Z52ndwzrrP7i+vinnVd3XPuOfe86+56uJ7uBdfLTcxz8T2Z4Po5n6O/6+8GuoFukBvkBrvBbogb4hJdohvmhrnhbrgb4Ua4kW6kG+1GuzFujBvrxrrxbrxLcklukpvkJrvJboqb4qa6qS7ZJbsZboab6Wa6arMu7mWum+vmu/kuxaW4hS7zmjHVLXaLXZpLc0vdUrfcLXcr3Uq32q12a91at96tdxvdRrfZbXZb3Va33W13O91Ot8vtcrt93ouTunS3z+1z+91+d8B97TLcN+6g+9Ydct+5w+57d8T94I66Y+64O+FOuh/dKXfanXFn3Tn3kzvvfnYXnHdJkYmRSZF3IpMj70amRN6LTI1MiyRHpkdmRN6PzIzMisyOfBCZE/kwMjcyLzI/siCSEvkosjCyKJIa+TiyOPJJJC2yJLI0siyyPLIi4n3hraEv6ov5qL/eF/c3+BK+pC/lS3vny/iy/kZfzt/ky/ubfQV/i6/ob/WVfGVfxT/qm/nmvoVv6Vv5x3xr/7hv49v6dv4J394/6Tv4p3xH/7Tv5J/xnf1ffBf/rO/qn/Pd/PO+u+/he/oXfC//ou/t+/gE39f38y/5/n6AH+hf9oP8K36wf9UP8a/5RD/UD/Ov++H+DT/Cv+lH+lF+dMxbfkzWLTJM8El+op/k3/GT/bt+in/PT/XTfLKf7mf49/1MP8vP9h/4Of5DP9fP8/P9Ap/iP/IL/SKf6j/2i/0nPs0vyXqo7Ff6VX61X+PX+nV+vd/gN/pNfrPf4rf6bX673+F3+k/9Lv+Z3+33+L3+c5/uv/D7/Jd+v//KH/Bf+wz/jT/ov/WH/Hf+sP/eH/E/+KP+mD/uT/iT/kd/yp/2Z/xZf87/5M/7n/0F/p01xhhjjLG/ycTLQ/HrNRefAPX9nRzxVxv3A4CrtxXK+Ov1mVeU6/NfHA8Q8e0jAPB0n24PZS01ayYkJFzaNk1CUGweQNZPgjLFwOV4CbSDJ6EjtIVyv1v/ANHjHP3J/NFbAHL9VU4sXI4vz/8lACb8zvyPPTF6YcXwTNz/Z/55ACWKXc7JCZfjJdDul+crbaH8H9RfoPWf1J/zqySANn+Vkxsux5frLwuPwzPQ8VdbMsYYY4wxxhhjFw0QVbpk3X9m/Y/P37s/j1eXc3LA5fjP7s8ZY4wxxhhjjDF25T3bo+dTj3Xs2LbL3z+o/ufbqMtfyf337qIp/KOF8eAfGngP8D+NA4B/ckKAzIH8dx7Fln/LvhIvvXX+96rlZ30A/xmt/FcMrvCJiTHGGGOMMfYvd/mi/9dfV1eqIMYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjLBv6Z//GG/wNf6XvSh8jY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxdqX9vwAAAP//0V/4pQ==") r3 = openat(0xffffffffffffff9c, &(0x7f0000004280)='.\x00', 0x0, 0x0) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x3}, 0x28) r4 = syz_init_net_socket$llc(0x1a, 0x801, 0x0) bind$llc(r4, &(0x7f0000000080), 0x10) getdents64(r3, 0xfffffffffffffffe, 0x29) pidfd_send_signal(0xffffffffffffffff, 0x9, 0x0, 0x0) r5 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r5, &(0x7f0000002180)=[{&(0x7f0000000000)="580000001400192340834b80040d8c560a067f0258ff000000000000000058000b4824ca945f64009400ff0325010ebc000000000000008000f0fffeffe809005300fff5dd00000010000100090810000000000000040000", 0x58}], 0x1) syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0405"], 0x7) 1.853343088s ago: executing program 4 (id=1799): r0 = syz_open_procfs(0x0, &(0x7f0000000040)='net/route\x00') pread64(r0, &(0x7f0000000080)=""/102356, 0x18fd4, 0x200) 1.79729928s ago: executing program 2 (id=1800): socket$inet6_mptcp(0xa, 0x1, 0x106) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x18, 0xc, 0x0, &(0x7f00000001c0)='GPL\x00'}, 0x94) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) sched_setscheduler(0x0, 0x2, 0x0) r0 = getpid() sched_setscheduler(r0, 0x1, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000040)={0x44, 0x2, 0x6, 0x3, 0x0, 0x0, {0xd}, [@IPSET_ATTR_TYPENAME={0xc, 0x3, 'hash:ip\x00'}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}]}, 0x44}}, 0x0) sendmsg$IPSET_CMD_LIST(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000100)={0x1c, 0x7, 0x6, 0x801, 0x0, 0x0, {0x5, 0x0, 0x2}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x24000840}, 0x4800) sendmmsg(0xffffffffffffffff, &(0x7f00000002c0), 0x0, 0x400c800) ioctl$AUTOFS_IOC_FAIL(0xffffffffffffffff, 0x4c80, 0xfffff) 1.786049881s ago: executing program 4 (id=1801): r0 = syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000280)='./mnt\x00', 0x800810, &(0x7f0000000180)={[{@nobh}, {@max_dir_size_kb={'max_dir_size_kb', 0x3d, 0x4}}]}, 0xff, 0x23f, &(0x7f0000000540)="$eJzs3T1oLFUYBuB3Zne95t5FrtoI4g+IiAbCtRNsYqMQkBBEBBUiIjZKIsQEu8TKxkJrlVQ2QeyMlpIm2CiCVdQUsRE0WBgstFiZnURisuLPxh1xngdmZ2b3nPnOMPOe3WbYAK11Nclskk6S6SS9JMXpBnfWy9Xj3c2p3cVkMHjsh2LYrt6vnfS7kmQjyQNJdsoiL3STte2nDn7ae+Se11d7d7+7/eTURE/y2OHB/qNH78y/9sHc/WufffHdfJHZ9H93XhevGPFet0hu+jeK/UcU3aZHwF+x8Mr7X1a5vznJXcP891KmvnhvrFy308t9b/9R3ze///zWSY4VuHiDQa/6DtwYAK1TJumnKGeS1NtlOTNT/4b/qnO5fHF55eXp55dXl55reqYCLko/2X/4o0sfXjmT/287df6B/68q/48vbH1dbR91mh4NMBG31asq/9PPrN8b+YfWkX9oL/mH9pJ/aC/5h/aSf2gv+Yf2kn9oL/mH9pJ/aK/T+QcA2mVwqeknkIGmND3/AAAAAAAAAAAAAAAAAAAA521O7S6eLJOq+clbyeFDSbqj6neG/0ecXD98vfxjUTX7TVF3G8vTd4x5gDG91/DT1zd802z9T29vtv76UrLxapJr3e75+684vv/+uRv/5PPes2MW+JuKM/sPPjHZ+mf9stVs/bm95ONq/rk2av4pc8twPXr+6VfXb8z6L/085gEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYmF8DAAD//xFQbUc=") ioctl$BTRFS_IOC_QUOTA_RESCAN(r0, 0x4040942c, 0x0) r1 = fsopen(0x0, 0x0) fsconfig$FSCONFIG_SET_STRING(r1, 0x3, &(0x7f0000000000)='source', &(0x7f0000000840)='%\\,:\x85X\\\x03\xa6\xd7}\xcd\xeb*\xb1\xa8\xb7\x81\xc8\xcbR\xa8?\x97 \xcbz&\x17\xa4\xfd^\xe1I\x11X\x90\x03\xb7W\x05\xb0\x99\x10F0\xb5YP9\xc3\xe2M\xaa\x81\xfev:\xe40\x9e\xdb\x98\xb4\xd0\xdcE\x14\x910\x1b.G\xab\x86\xdfy\xe6\xde11_H]\xe2\xc3\xb2fa\x7f\x8c\xf3\xc6\x85\xc9\xd6j\xff\xaa\xdbWD\x87\xe3\\mUSy\x0f\x82qW\fE\xd15ec>:D+', 0x0) setxattr$system_posix_acl(&(0x7f0000002a00)='.\x00', &(0x7f0000000000)='system.posix_acl_default\x00', &(0x7f00000003c0)=ANY=[@ANYBLOB="020000000100020000000000040000000000000010000200000000008893bd9b2bfd01ac"], 0x24, 0x0) syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="043e130100"], 0x16) syz_clone3(0x0, 0x0) prctl$PR_SET_TAGGED_ADDR_CTRL(0x37, 0x1) r2 = socket$inet_sctp(0x2, 0x1, 0x84) getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r2, 0x84, 0x7, &(0x7f0000001fc0), &(0x7f0000002000)=0x4) syz_mount_image$exfat(&(0x7f00000000c0), &(0x7f0000000040)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='iocharset=cp857,time_offset=0x0000000000000003,errors=remount-ro,fmask=00000000000000000000006,iocharset=cp862,allow_utime=00000000000000000077777,namecase=1,dmask=00000000000000000000201,utf8,dmask=000000000000\x00'/224], 0x1, 0x1543, &(0x7f0000000500)="$eJzs3AucTlX3OPC19t5nDImnSS7D3nsdnuSySZJckuSSJJUkyS0hSfJKQmIISRqSkFyGJIaQXCYmjfv9fklokjRJkltuyf5/Jubn7Vf9e2+/1/t5Z30/n/Ox15yz9lnnWfOc55wzZr7rNqx2kzo1GhER/FPw4j8JABALAIMAIC8ABABQIa5CXOb6nBIT/rmdsH+th5KvdAXsSuL+Z2/c/+yN+5+9cf+zN+5/9sb9z964/9kb95+x7Gzz9ELX8JJ9F37+n+2kj/2fIX/+/xfJKDPuq7VlrusOEPO3pnD/szfu/3+t4G/ZiPufvXH/s6vYK10A+w/A7//sIMcfruH+Z2/cf8aysyv9/PlKLxD5D3sNjuS82Jh/1/EzxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGP/Bmf8ZQoAssZXui7GGGOMMcYYY4z96/gcV7oCxhhjjDHGGGOM/d9DECBBQQAxkANiISfkAgEAV0MeyAsRuAbi4FrIB9dBfigABaEQxENhKAIaDFggCKEoFIMoXA/F4QYoASWhFJQGB2WgLNwI5eAmKA83QwW4BSrCrVAJKkMVqAq3QTW4HarDHVAD7oSaUAtqQx24C+rC3VAP7oH6cC80gPvgfngAGsKD0AgegsbwMDSBR6ApPArNoDm0gJbQ6h/KfwF6wYvQG/pAAvSFfvAS9IcBMBBehkHwCgyGV2EIvAaJMBSGweswHN6AEfAmjIRRMBregjHwNoyFcTAeJkASTIRJ8A5MhndhCrwHU2EaJMN0mAHvw0yYBbPhA5gDH8JcmAfzYQGkwEewEBZBKnwMi+ETSIMlsBSWwXJYASthFayGNbAW1sF62AAbYRNshi2wFbbBdtgBO+FT2AWfwW7YA3vhc0iHL/7O/NP/K787AgIKFKhQYQzGYCzGYi7MhbkxN+bBPBjBCMZhHObDfJgf82NBLIjxGI9FsAgaNEhIWBSLYhSjWByLYwksgaWwFDp0WBbLYjm8CctjeayAFbAiVsRKWBkrY1WsitWwGlbH6lgDa2BNrIm1sTbehXdhX6yH9bA+1scG2CDr8RQ2wkbYGBtjE2yCTbEpNsNm2AJbYCtsha2xNbbBNtgO22F7bI8dsAN2xI7YCTthZ+yMXbALdsWu2A27YXfsgT0yXsgB+CK+iH2wpuiL/bAf9sfEHAPxZXwZX8HB+Cq+iq9hIg7FYfg6vo5v4Ag8hSNxFI7G0VhNvI1jcRySmIBJmISTcBJOxsmYWeh7OA2TcTrOwBk4E2fhLPwA5+CH+CHOw3m4AFMwBRfiIkzFVFyMpzENl+BSXIbLcQUux1W4GlfhWlyHa3EDbsBNuAm34BbchttwB+7AT1EB4Ge4B/dgIqZjOu7Dfbgf9+MBPIAZmIEH8SAewkN4GA/jETyCR/EYHsdjeBJP4ik8jWfwDJ7Dc3gen4v/pvGnJdckgsikhBIxIkbEiliRS+QSuUVukUfkEREREXEiTuQT+UR+kV8UFAVFvIgXRUQRYYQRJMIYABBRERXFRXFRQpQQpUQp4YQTZUVZUU6UE+VFeVFB3CIqiltFJVFZtHVVRVVRTbRz1cUdooaoIWqKWqK2qCPqiLqirqgn6on6or5oIBqI+8UDoqHoiwPxIZHZmSZiKDYVw7CZaC7kpTNYazEC24i2op14QozCkdhBtHYdxdOikxiLncVfxDh8VnQVE7CbeF50Fz1ET/GC6CXauN6ij5iCfUU/MQ37iwFioHhZzMRa4gOck7O2eE0kiqFimHhdLMA3xAjxphgpRonR4i0xRrwtxopxYryYIJLERDFJvCMmi3eFEO+JqWKaSBbTxQzxvpgpZonZ4gMxR3wo5op5Yr5YIFLER2KhWCRSxcdisfhEpIklYqlYJpaLFWKlWCVWizVirVgn1osNYqPYJDaLLWKriIXtYofYKT4Vu8RnYrfYI/aKz0W6+ELsE1+K/eIrcUB8LTLEN+Kg+FYcEt+Jw+J7cUT8II6KY+K4OCFOih/FKXFanBFnxTnxkzgvfhYXhBcgUQoppZKBjJE5ZKzMKXPJq2RuGVx6da+RcfJamU9eJ/PLArKgLCTjZWFZRGpppJUkQ1lUFpNReb0sLm+QJWRJWUqWlk6WkWXljbKcvEmWlzfLCvIWWVHeKivJyrKKrCpvk9Xk7RIiF/dRU9aStWUdeZdMgLtlPXmPrC/vlQ3kffJ++YBsKB+UjeRDsrF8WDaRj8im8lHZTDaXLWRL2Uo+JlvLx2Ub2Va2k0/I9vJJ2UE+JTvKp2Un6S99izwru8rnZDf5vOwue8ie8md5QXrZW/aR0BdkP/mS7C8HyIGxACBfkYPlq3KIfE0myqFymHxdDpdvyBHyTTlSjpKj5VtyjHxbjpXj5Hg5QSbJiXKSfEdOlu/KKfI9OVVOk8lyuhwoB/0y02wp/zT/nd/JH/LL3jfJzXKL3Cq3ye1yh9wpP5W75C65W+6We+VemS7T5T65T+6X++UBeUBmyAx5UB6Uh+QheVgelkfkEXlUHpNn5Ql5Uv4oT8nT8rQ8K8/Jc/L8pdcAFCqhpFIqUDEqh4pVOVUudZXKra5WeVReFVHXqDh1rcqnrlP5VQFVUBVS8aqwKqK0MsoqUqEqqoqpqLoeL33DqFKqtHKqjCqrbvwlP+tHDH+Sr4qrG1QJVfJX+Vn1JfxBfa1UK9VatVZtVBvVTrVT7VV71UF1UB1VR9VJdVKdVWfVRXVRXVVX1U11U91Vd9VT9VS9VC/VW/VWCSpB9VMvqf5qgBqoXlaD1CtqsBqshqghKlElqmFqmBquhqsRaoQaqUaq0Wq0GqPGqLFqrBqvxqsklaQmqUlqspqspqgpaqqaqpJVspqhZqiZaqaarWarOWqOmqvmqvlqvkpRKWqhWqhSVaparBarNLVELVHL1DK1Qq1Qq9QqtUatUevUOrVBbVBparParLaqrWq72q52qp1ql9qldovdaq/aq9JVutqn9qn9ar86oA6oDJWhDqqD6pA6pA6rw+qIOqKOqqPquDquTqqT6pQ6pc6oM+qcOqfOq/PqgrqQedkXiEAEKlBBTBATxAaxQa4gV5A7yB3kCfIEkSASxAVxQb7guiB/UCAoGBQK4oPCQZFAByawgbjU22hwfVA8uCEoEZQMSgWlAxeUCcoGNwblgpuC8sHNQYXglqBicGtQKagcVAmqBrcF1YLbg+rBHUGN4M6gZlArqB3UCe4K6gZ3B/ViIagf3Bs0CO4L7g8eCBoGDwaNgoeCxsHDQZPgkaBp8GjQLGgetAhaBq3+kfmDe/5gfu9PFXjc9dZ9dILuq/vpl3R/PUAP1C/rQfoVPVi/qofo13SiHqqH6df1cP2GHqHf1CP1KD1av6XH6Lf1WD1Oj9cTdJKeqCfpd/Rk/a6eot/TU/U0nayn6xn6fT1Tz9Kz9Qd6jv5Qz9Xz9Hy9QKfoj/RCvUin6o/1Yv2JTtNL9FK9TC/XK/RKvUqv1mv0Wr1Or9cb9Ea9SW/WW/RWvU1v1zv0Tv2p3qU/07v1Hr1Xf67T9Rd6n/5S79df6QP6a52hv9EH9bf6kP5OH9bf6yP6B31UH9PH9Ql9Uv+oT+nT+ow+q8/pn/R5/bO+oH3mxX3mx7tRRpkYE2NiTazJZXKZ8pDb5DF5TMRETJyJM/lMPpPf5DcFTUETb+JNEVPEZCJDpqgpaqImaoqb4qaEKWFKmVLGGWfKmrKmnClnypvypoKpYCqaiqaSqWSqmCrmNnObud3cbu4wd5g7zZ2mlqll6pg6pq6pa+qZeqa+qW8amAbmfnO/aWgamkamkWlsGpsmpolpapqaZqaZaWFamFamlWltWps2po1pZ9qZ9qa96WA6mI6mo+lkOpnOprPpYrqYrqar6Wa6me6mu+lpeppeppfpbXqbBJNg+pl+pr/pbwaagWaQGWQGm8FmiBliEk2iGWaGmeFmuBlhRpiRZpQZnXmSM2+bsWacGW8mmCSTZCaZSWaymWymmClmqplqkk2ymWFmmJlmppltZps5Zo6Za+aa+Wa+STEpZqFZaFJNqllsFps0k2aWmqVmuVluVpqVZrVZbdaatWY9rDcbzUaz2Ww2W81Ws91sNzvNTrPL7DK7zW6z1+w16Sbd7DP7zH6z3xwwB0yGyTAHzUFzyBwyh81hc8QcMUfNUXPcHDcnzUlzypwyZ8wZc84UuPR56U3WyTy3vdrmsXltrM1pc9mr7MU468qrsC1itc1vC9iCtpCNtxdjY60tYUvaUra0dbaMLWtv/E1cyVa2VWxVe5utZm+31X8T17V323r2Hlvf3mvr2Lt+FTew99nMq5OGiAC2uW1sW9om9hHb1D5qm9nmtoVtadvbJ20H+5TtaJ+2newzv4kX2kV2tV1j19p1drfdY8/Ys/aQ/c6esz/Z3raPHWRfsYPtq3aIfc0m2qG/iUfbt+wY+7Yda8fZ8XbCb+KpdppNttPtDPu+nWln/SZOsR/ZOTbVzrXz7Hy74Jc4s6ZU+7FdbD+xaTaApXaZXW5X2JV2VVatPq/dYDfaTXaX/cxutdvsdrvD7sxqh91j99rPbbr9wh6039r99it7wB62GfabX+LM4ztsv7dH7A/2qD1mj9sT9qT9UWVlZx77CfuzvWC9BUICkqQooBjKQbGUk3LRVZSbrqY8lJcidA3F0bWUj66j/FSAClIhiqfCVIQ0GbJEFFJRKkZRup6yyitFpclRGSpLN1I5uonK081UgW6hinQrVaLKVIWq0m1UjW6n6nQH1aA7qSbVotpUh+6iunQ31aN7qD7dSw3oPrqfHqCG9CA1ooeoMT1MTegRakqPUjNqTi2oJbWix6g1PU5tqC21oyeoPT1JHegp6khPUyd6hjrTX6gLPUtd6TnqRs9Td+pBPekF6kUvUm/qQwnUl/rRS9SfBtBAepkG0Ss0mF6lIfQaJdJQGkav03B6g0bQmzSSRtFoeovG0Ns0lsbReJpASTSRJtE7NJnepSn0Hk2laZRM02kGvU8zaRbNpg9oDn1Ic2kezacFlEIf0UJaRKn0MS2mTyiNltBSWkbLaQWtpFW0mtbQWlpH62kDbaRNtJm20FbaRttpB+2kT2kXfUa7aQ/tpc8pnb4gpC9pP31FB+hryqBv6CB9S4foOzpM3/s+9AMdpWN0nE7QSfqRTtFpOkNn6Rz9ROfpZ7pAniDEUIQyVGEQxoQ5wtgwZ5grvCrMHV4d5gnzhpHwmjAuvDbMF14X5g8LhAXDQmF8WDgsEurQhDakMAyLhsXCaHh9WDy8ISwRlgxLhaVDF5YJy4Y3huXCm8Ly4c1hhfCWsGJ4a1gprBw+cm/V8LawWnh7WD28I6wR3hnWDGuFtcM64V1h3fDusF54T1g/vDcsH94X3h8+EDYMHwwbhQ+FjcOHwybhI2HT8NGwWdg8bBG2DFuFj4Wtw8fDNmHbsF34RNg+fDLsED4VdgyfDjuFz/yy/r5Ff7w+Iewb9gtfCl8Kvb9Hzo8uiKZEP4oujC6KpkY/ji6OfhJNiy6JLo0uiy6ProiujK6Kro6uia6Nrouuj26IboxuinpfJwc4dMJJp1zgYlwOF+tyulzuKpfbXe3yuLwu4q5xce5al89d5/K7Aq6gK+TiXWFXxGlnnHXkQlfUFXNRd70r7m5wJVxJV8qVds6VcWVdS9fKtXKt3eOujWvr2rkn3BPuSfeke8o95Z52ndwzrrP7i+vinnVd3XPuOfe86+56uJ7uBdfLTcxz8T2Z4Po5n6O/6+8GuoFukBvkBrvBbogb4hJdohvmhrnhbrgb4Ua4kW6kG+1GuzFujBvrxrrxbrxLcklukpvkJrvJboqb4qa6qS7ZJbsZboab6Wa6arMu7mWum+vmu/kuxaW4hS7zmjHVLXaLXZpLc0vdUrfcLXcr3Uq32q12a91at96tdxvdRrfZbXZb3Va33W13O91Ot8vtcrt93ouTunS3z+1z+91+d8B97TLcN+6g+9Ydct+5w+57d8T94I66Y+64O+FOuh/dKXfanXFn3Tn3kzvvfnYXnHdJkYmRSZF3IpMj70amRN6LTI1MiyRHpkdmRN6PzIzMisyOfBCZE/kwMjcyLzI/siCSEvkosjCyKJIa+TiyOPJJJC2yJLI0siyyPLIi4n3hraEv6ov5qL/eF/c3+BK+pC/lS3vny/iy/kZfzt/ky/ubfQV/i6/ob/WVfGVfxT/qm/nmvoVv6Vv5x3xr/7hv49v6dv4J394/6Tv4p3xH/7Tv5J/xnf1ffBf/rO/qn/Pd/PO+u+/he/oXfC//ou/t+/gE39f38y/5/n6AH+hf9oP8K36wf9UP8a/5RD/UD/Ov++H+DT/Cv+lH+lF+dMxbfkzWLTJM8El+op/k3/GT/bt+in/PT/XTfLKf7mf49/1MP8vP9h/4Of5DP9fP8/P9Ap/iP/IL/SKf6j/2i/0nPs0vyXqo7Ff6VX61X+PX+nV+vd/gN/pNfrPf4rf6bX673+F3+k/9Lv+Z3+33+L3+c5/uv/D7/Jd+v//KH/Bf+wz/jT/ov/WH/Hf+sP/eH/E/+KP+mD/uT/iT/kd/yp/2Z/xZf87/5M/7n/0F/p01xhhjjLG/ycTLQ/HrNRefAPX9nRzxVxv3A4CrtxXK+Ov1mVeU6/NfHA8Q8e0jAPB0n24PZS01ayYkJFzaNk1CUGweQNZPgjLFwOV4CbSDJ6EjtIVyv1v/ANHjHP3J/NFbAHL9VU4sXI4vz/8lACb8zvyPPTF6YcXwTNz/Z/55ACWKXc7JCZfjJdDul+crbaH8H9RfoPWf1J/zqySANn+Vkxsux5frLwuPwzPQ8VdbMsYYY4wxxhhjFw0QVbpk3X9m/Y/P37s/j1eXc3LA5fjP7s8ZY4wxxhhjjDF25T3bo+dTj3Xs2LbL3z+o/ufbqMtfyf337qIp/KOF8eAfGngP8D+NA4B/ckKAzIH8dx7Fln/LvhIvvXX+96rlZ30A/xmt/FcMrvCJiTHGGGOMMfYvd/mi/9dfV1eqIMYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjLBv6Z//GG/wNf6XvSh8jY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxdqX9vwAAAP//0V/4pQ==") r3 = openat(0xffffffffffffff9c, &(0x7f0000004280)='.\x00', 0x0, 0x0) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000380)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x38, 0x38, 0x4, [@func_proto={0x0, 0x1, 0x0, 0xd, 0x0, [{0x2, 0x3}]}, @func_proto, @array={0x0, 0x0, 0x0, 0x3, 0x0, {0x1, 0x3}}]}, {0x0, [0x5f, 0x2e]}}, 0x0, 0x54, 0x0, 0x3}, 0x28) r4 = syz_init_net_socket$llc(0x1a, 0x801, 0x0) bind$llc(r4, &(0x7f0000000080), 0x10) getdents64(r3, 0xfffffffffffffffe, 0x29) pidfd_send_signal(0xffffffffffffffff, 0x9, 0x0, 0x0) r5 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r5, &(0x7f0000002180)=[{&(0x7f0000000000)="580000001400192340834b80040d8c560a067f0258ff000000000000000058000b4824ca945f64009400ff0325010ebc000000000000008000f0fffeffe809005300fff5dd00000010000100090810000000000000040000", 0x58}], 0x1) syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0405"], 0x7) 1.685320514s ago: executing program 0 (id=1802): r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000840)={0x18, 0x3, &(0x7f0000000040)=ANY=[@ANYRES32], &(0x7f0000000300)='GPL\x00', 0x2, 0xb3, &(0x7f0000000140)=""/179, 0x41100, 0x7b, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x38}, 0x94) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, r0, 0x71096000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2) recvmmsg(r2, &(0x7f0000000040), 0x80002c1, 0x2, 0x0) sendmsg$RDMA_NLDEV_CMD_NEWLINK(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000001200)={&(0x7f0000000300)={0x38, 0x1403, 0x1, 0x0, 0x0, "", [{{0x9, 0x2, 'syz0\x00'}, {0x8, 0x41, 'siw\x00'}, {0x14, 0x33, 'vlan1\x00'}}]}, 0x38}, 0x1, 0x0, 0x0, 0x80c9}, 0x20000000) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) rseq(&(0x7f00000004c0), 0x20, 0x0, 0x0) sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f00000003c0)={0x0, 0x0, 0x0}, 0x28040800) r4 = socket$inet6(0xa, 0x5, 0x0) connect$inet6(r4, &(0x7f0000000300)={0xa, 0x4e22, 0x2, @private2={0xfc, 0x2, '\x00', 0x1}, 0x5}, 0x6e) r5 = socket$netlink(0x10, 0x3, 0x4) writev(r5, &(0x7f0000000200)=[{&(0x7f0000000140)="480000001400190d09004beafd0d8c560a84476080ffe0064e200000590000a2bc5603ca00000f7f89000000200000000101ff0000000309ff5bffff00c7e5ed5e00000000000000", 0x48}], 0x1) ioctl$VIDIOC_SUBSCRIBE_EVENT(0xffffffffffffffff, 0x4020565a, &(0x7f0000000140)={0x3, 0x98f90f, 0x1}) 1.630339001s ago: executing program 1 (id=1803): r0 = socket$packet(0x11, 0x3, 0x300) r1 = syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00') open_by_handle_at(r1, &(0x7f0000000040)=ANY=[@ANYBLOB="20000000f1000000", @ANYRES64=r0], 0x0) 1.625940474s ago: executing program 4 (id=1804): sendmmsg$inet6(0xffffffffffffffff, 0x0, 0x0, 0x80) bpf$PROG_LOAD(0x5, 0x0, 0x0) socket$packet(0x11, 0x2, 0x300) mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000100), 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) mount$fuseblk(&(0x7f0000000040), &(0x7f00000000c0)='./file0\x00', &(0x7f00000001c0), 0x91, &(0x7f0000000200)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0xc000}}) 1.491082139s ago: executing program 1 (id=1805): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) writev(0xffffffffffffffff, 0x0, 0x0) r3 = socket$inet_tcp(0x2, 0x1, 0x0) getsockopt$IPT_SO_GET_REVISION_TARGET(r3, 0x0, 0x43, 0x0, 0x0) connect$inet(r3, 0x0, 0x0) r4 = socket(0x10, 0x803, 0x0) write(r4, 0x0, 0x0) recvfrom$inet(0xffffffffffffffff, &(0x7f0000000080)=""/8, 0xfffffffffffffd0b, 0x720, 0x0, 0xfffffffffffffd25) 660.726787ms ago: executing program 1 (id=1806): bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f0000000280)=ANY=[@ANYBLOB="180000000000000000000000000000001801000020646c2100000000002020207b1af8"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x37, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0xc, 0xe, &(0x7f0000000380)=ANY=[@ANYBLOB="b70200001a000000bfa30000000000000703000000fe"], 0x0}, 0x94) r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000041436120410e5150e8d5000000010902f98a5c01000000090401001186eee2000905821704"], 0x0) syz_usb_control_io$sierra_net(r0, 0x0, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0xffffffffffffff42, &(0x7f0000000000)=ANY=[]) 335.284741ms ago: executing program 5 (id=1807): r0 = socket$inet6_sctp(0xa, 0x1, 0x84) r1 = dup(r0) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r1, 0x84, 0x64, &(0x7f0000000040)=[@in6={0xa, 0x4e24, 0x5, @loopback, 0x3}], 0x1c) r2 = dup(r0) sendmmsg$inet(r1, &(0x7f0000004b80)=[{{0x0, 0x0, &(0x7f00000002c0)=[{&(0x7f0000000180)="93", 0x1}], 0x1}}], 0x1, 0x4) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, 0x0, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000b00)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000140)=@newtaction={0x14, 0x30, 0x1, 0x70bd2b, 0x25dfdbfb}, 0x14}, 0x1, 0x0, 0x0, 0x2000c800}, 0x2400c800) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f00000001c0)={0x0, @in6={{0xa, 0x4e60, 0xfffffff2, @empty, 0x3}}, 0x1000000, 0x31, 0xffff1896, 0x3, 0x6, 0x8, 0x1b}, 0x9c) 305.84342ms ago: executing program 0 (id=1808): socket(0x1e, 0x4, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB, @ANYRES32, @ANYBLOB="0000000000000000b70800000d0000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x4, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="0b00000005000000050000000900000001"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000009c0)={0x1f, 0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000800000000000000000000018110000", @ANYRES32=r2], 0x0, 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, @fallback=0x36, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000002c0)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x2, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r3, r1, 0x25, 0x0, @void}, 0x10) syz_emit_ethernet(0xfdef, &(0x7f0000000100)=ANY=[], 0x0) r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000040)='comm\x00') fchdir(r4) r5 = socket$unix(0x1, 0x5, 0x0) connect$unix(r5, &(0x7f0000000640)=@file={0x1, './cgroup\x00'}, 0x6e) 279.7141ms ago: executing program 5 (id=1809): r0 = syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000280)='./mnt\x00', 0x800810, &(0x7f0000000180)={[{@nobh}, {@max_dir_size_kb={'max_dir_size_kb', 0x3d, 0x4}}]}, 0xff, 0x23f, &(0x7f0000000540)="$eJzs3T1oLFUYBuB3Zne95t5FrtoI4g+IiAbCtRNsYqMQkBBEBBUiIjZKIsQEu8TKxkJrlVQ2QeyMlpIm2CiCVdQUsRE0WBgstFiZnURisuLPxh1xngdmZ2b3nPnOMPOe3WbYAK11Nclskk6S6SS9JMXpBnfWy9Xj3c2p3cVkMHjsh2LYrt6vnfS7kmQjyQNJdsoiL3STte2nDn7ae+Se11d7d7+7/eTURE/y2OHB/qNH78y/9sHc/WufffHdfJHZ9H93XhevGPFet0hu+jeK/UcU3aZHwF+x8Mr7X1a5vznJXcP891KmvnhvrFy308t9b/9R3ze///zWSY4VuHiDQa/6DtwYAK1TJumnKGeS1NtlOTNT/4b/qnO5fHF55eXp55dXl55reqYCLko/2X/4o0sfXjmT/287df6B/68q/48vbH1dbR91mh4NMBG31asq/9PPrN8b+YfWkX9oL/mH9pJ/aC/5h/aSf2gv+Yf2kn9oL/mH9pJ/aK/T+QcA2mVwqeknkIGmND3/AAAAAAAAAAAAAAAAAAAA521O7S6eLJOq+clbyeFDSbqj6neG/0ecXD98vfxjUTX7TVF3G8vTd4x5gDG91/DT1zd802z9T29vtv76UrLxapJr3e75+684vv/+uRv/5PPes2MW+JuKM/sPPjHZ+mf9stVs/bm95ONq/rk2av4pc8twPXr+6VfXb8z6L/085gEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYmF8DAAD//xFQbUc=") ioctl$BTRFS_IOC_QUOTA_RESCAN(r0, 0x4040942c, 0x0) r1 = fsopen(&(0x7f0000000080)='cgroup\x00', 0x0) fsconfig$FSCONFIG_SET_STRING(r1, 0x3, &(0x7f0000000000)='source', &(0x7f0000000840)='%\\,:\x85X\\\x03\xa6\xd7}\xcd\xeb*\xb1\xa8\xb7\x81\xc8\xcbR\xa8?\x97 \xcbz&\x17\xa4\xfd^\xe1I\x11X\x90\x03\xb7W\x05\xb0\x99\x10F0\xb5YP9\xc3\xe2M\xaa\x81\xfev:\xe40\x9e\xdb\x98\xb4\xd0\xdcE\x14\x910\x1b.G\xab\x86\xdfy\xe6\xde11_H]\xe2\xc3\xb2fa\x7f\x8c\xf3\xc6\x85\xc9\xd6j\xff\xaa\xdbWD\x87\xe3\\mUSy\x0f\x82qW\fE\xd15ec>:D+', 0x0) setxattr$system_posix_acl(0x0, &(0x7f0000000000)='system.posix_acl_default\x00', &(0x7f00000003c0)=ANY=[], 0x24, 0x0) syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="043e130100"], 0x16) syz_clone3(0x0, 0x0) prctl$PR_SET_TAGGED_ADDR_CTRL(0x37, 0x1) r2 = socket$inet_sctp(0x2, 0x1, 0x84) getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r2, 0x84, 0x7, &(0x7f0000001fc0), &(0x7f0000002000)=0x4) syz_mount_image$exfat(&(0x7f00000000c0), &(0x7f0000000040)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='iocharset=cp857,time_offset=0x0000000000000003,errors=remount-ro,fmask=00000000000000000000006,iocharset=cp862,allow_utime=00000000000000000077777,namecase=1,dmask=00000000000000000000201,utf8,dmask=000000000000\x00'/224], 0x1, 0x1543, &(0x7f0000000500)="$eJzs3AucTlX3OPC19t5nDImnSS7D3nsdnuSySZJckuSSJJUkyS0hSfJKQmIISRqSkFyGJIaQXCYmjfv9fklokjRJkltuyf5/Jubn7Vf9e2+/1/t5Z30/n/Ox15yz9lnnWfOc55wzZr7rNqx2kzo1GhER/FPw4j8JABALAIMAIC8ABABQIa5CXOb6nBIT/rmdsH+th5KvdAXsSuL+Z2/c/+yN+5+9cf+zN+5/9sb9z964/9kb95+x7Gzz9ELX8JJ9F37+n+2kj/2fIX/+/xfJKDPuq7VlrusOEPO3pnD/szfu/3+t4G/ZiPufvXH/s6vYK10A+w/A7//sIMcfruH+Z2/cf8aysyv9/PlKLxD5D3sNjuS82Jh/1/EzxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGP/Bmf8ZQoAssZXui7GGGOMMcYYY4z96/gcV7oCxhhjjDHGGGOM/d9DECBBQQAxkANiISfkAgEAV0MeyAsRuAbi4FrIB9dBfigABaEQxENhKAIaDFggCKEoFIMoXA/F4QYoASWhFJQGB2WgLNwI5eAmKA83QwW4BSrCrVAJKkMVqAq3QTW4HarDHVAD7oSaUAtqQx24C+rC3VAP7oH6cC80gPvgfngAGsKD0AgegsbwMDSBR6ApPArNoDm0gJbQ6h/KfwF6wYvQG/pAAvSFfvAS9IcBMBBehkHwCgyGV2EIvAaJMBSGweswHN6AEfAmjIRRMBregjHwNoyFcTAeJkASTIRJ8A5MhndhCrwHU2EaJMN0mAHvw0yYBbPhA5gDH8JcmAfzYQGkwEewEBZBKnwMi+ETSIMlsBSWwXJYASthFayGNbAW1sF62AAbYRNshi2wFbbBdtgBO+FT2AWfwW7YA3vhc0iHL/7O/NP/K787AgIKFKhQYQzGYCzGYi7MhbkxN+bBPBjBCMZhHObDfJgf82NBLIjxGI9FsAgaNEhIWBSLYhSjWByLYwksgaWwFDp0WBbLYjm8CctjeayAFbAiVsRKWBkrY1WsitWwGlbH6lgDa2BNrIm1sTbehXdhX6yH9bA+1scG2CDr8RQ2wkbYGBtjE2yCTbEpNsNm2AJbYCtsha2xNbbBNtgO22F7bI8dsAN2xI7YCTthZ+yMXbALdsWu2A27YXfsgT0yXsgB+CK+iH2wpuiL/bAf9sfEHAPxZXwZX8HB+Cq+iq9hIg7FYfg6vo5v4Ag8hSNxFI7G0VhNvI1jcRySmIBJmISTcBJOxsmYWeh7OA2TcTrOwBk4E2fhLPwA5+CH+CHOw3m4AFMwBRfiIkzFVFyMpzENl+BSXIbLcQUux1W4GlfhWlyHa3EDbsBNuAm34BbchttwB+7AT1EB4Ge4B/dgIqZjOu7Dfbgf9+MBPIAZmIEH8SAewkN4GA/jETyCR/EYHsdjeBJP4ik8jWfwDJ7Dc3gen4v/pvGnJdckgsikhBIxIkbEiliRS+QSuUVukUfkEREREXEiTuQT+UR+kV8UFAVFvIgXRUQRYYQRJMIYABBRERXFRXFRQpQQpUQp4YQTZUVZUU6UE+VFeVFB3CIqiltFJVFZtHVVRVVRTbRz1cUdooaoIWqKWqK2qCPqiLqirqgn6on6or5oIBqI+8UDoqHoiwPxIZHZmSZiKDYVw7CZaC7kpTNYazEC24i2op14QozCkdhBtHYdxdOikxiLncVfxDh8VnQVE7CbeF50Fz1ET/GC6CXauN6ij5iCfUU/MQ37iwFioHhZzMRa4gOck7O2eE0kiqFimHhdLMA3xAjxphgpRonR4i0xRrwtxopxYryYIJLERDFJvCMmi3eFEO+JqWKaSBbTxQzxvpgpZonZ4gMxR3wo5op5Yr5YIFLER2KhWCRSxcdisfhEpIklYqlYJpaLFWKlWCVWizVirVgn1osNYqPYJDaLLWKriIXtYofYKT4Vu8RnYrfYI/aKz0W6+ELsE1+K/eIrcUB8LTLEN+Kg+FYcEt+Jw+J7cUT8II6KY+K4OCFOih/FKXFanBFnxTnxkzgvfhYXhBcgUQoppZKBjJE5ZKzMKXPJq2RuGVx6da+RcfJamU9eJ/PLArKgLCTjZWFZRGpppJUkQ1lUFpNReb0sLm+QJWRJWUqWlk6WkWXljbKcvEmWlzfLCvIWWVHeKivJyrKKrCpvk9Xk7RIiF/dRU9aStWUdeZdMgLtlPXmPrC/vlQ3kffJ++YBsKB+UjeRDsrF8WDaRj8im8lHZTDaXLWRL2Uo+JlvLx2Ub2Va2k0/I9vJJ2UE+JTvKp2Un6S99izwru8rnZDf5vOwue8ie8md5QXrZW/aR0BdkP/mS7C8HyIGxACBfkYPlq3KIfE0myqFymHxdDpdvyBHyTTlSjpKj5VtyjHxbjpXj5Hg5QSbJiXKSfEdOlu/KKfI9OVVOk8lyuhwoB/0y02wp/zT/nd/JH/LL3jfJzXKL3Cq3ye1yh9wpP5W75C65W+6We+VemS7T5T65T+6X++UBeUBmyAx5UB6Uh+QheVgelkfkEXlUHpNn5Ql5Uv4oT8nT8rQ8K8/Jc/L8pdcAFCqhpFIqUDEqh4pVOVUudZXKra5WeVReFVHXqDh1rcqnrlP5VQFVUBVS8aqwKqK0MsoqUqEqqoqpqLoeL33DqFKqtHKqjCqrbvwlP+tHDH+Sr4qrG1QJVfJX+Vn1JfxBfa1UK9VatVZtVBvVTrVT7VV71UF1UB1VR9VJdVKdVWfVRXVRXVVX1U11U91Vd9VT9VS9VC/VW/VWCSpB9VMvqf5qgBqoXlaD1CtqsBqshqghKlElqmFqmBquhqsRaoQaqUaq0Wq0GqPGqLFqrBqvxqsklaQmqUlqspqspqgpaqqaqpJVspqhZqiZaqaarWarOWqOmqvmqvlqvkpRKWqhWqhSVaparBarNLVELVHL1DK1Qq1Qq9QqtUatUevUOrVBbVBparParLaqrWq72q52qp1ql9qldovdaq/aq9JVutqn9qn9ar86oA6oDJWhDqqD6pA6pA6rw+qIOqKOqqPquDquTqqT6pQ6pc6oM+qcOqfOq/PqgrqQedkXiEAEKlBBTBATxAaxQa4gV5A7yB3kCfIEkSASxAVxQb7guiB/UCAoGBQK4oPCQZFAByawgbjU22hwfVA8uCEoEZQMSgWlAxeUCcoGNwblgpuC8sHNQYXglqBicGtQKagcVAmqBrcF1YLbg+rBHUGN4M6gZlArqB3UCe4K6gZ3B/ViIagf3Bs0CO4L7g8eCBoGDwaNgoeCxsHDQZPgkaBp8GjQLGgetAhaBq3+kfmDe/5gfu9PFXjc9dZ9dILuq/vpl3R/PUAP1C/rQfoVPVi/qofo13SiHqqH6df1cP2GHqHf1CP1KD1av6XH6Lf1WD1Oj9cTdJKeqCfpd/Rk/a6eot/TU/U0nayn6xn6fT1Tz9Kz9Qd6jv5Qz9Xz9Hy9QKfoj/RCvUin6o/1Yv2JTtNL9FK9TC/XK/RKvUqv1mv0Wr1Or9cb9Ea9SW/WW/RWvU1v1zv0Tv2p3qU/07v1Hr1Xf67T9Rd6n/5S79df6QP6a52hv9EH9bf6kP5OH9bf6yP6B31UH9PH9Ql9Uv+oT+nT+ow+q8/pn/R5/bO+oH3mxX3mx7tRRpkYE2NiTazJZXKZ8pDb5DF5TMRETJyJM/lMPpPf5DcFTUETb+JNEVPEZCJDpqgpaqImaoqb4qaEKWFKmVLGGWfKmrKmnClnypvypoKpYCqaiqaSqWSqmCrmNnObud3cbu4wd5g7zZ2mlqll6pg6pq6pa+qZeqa+qW8amAbmfnO/aWgamkamkWlsGpsmpolpapqaZqaZaWFamFamlWltWps2po1pZ9qZ9qa96WA6mI6mo+lkOpnOprPpYrqYrqar6Wa6me6mu+lpeppeppfpbXqbBJNg+pl+pr/pbwaagWaQGWQGm8FmiBliEk2iGWaGmeFmuBlhRpiRZpQZnXmSM2+bsWacGW8mmCSTZCaZSWaymWymmClmqplqkk2ymWFmmJlmppltZps5Zo6Za+aa+Wa+STEpZqFZaFJNqllsFps0k2aWmqVmuVluVpqVZrVZbdaatWY9rDcbzUaz2Ww2W81Ws91sNzvNTrPL7DK7zW6z1+w16Sbd7DP7zH6z3xwwB0yGyTAHzUFzyBwyh81hc8QcMUfNUXPcHDcnzUlzypwyZ8wZc84UuPR56U3WyTy3vdrmsXltrM1pc9mr7MU468qrsC1itc1vC9iCtpCNtxdjY60tYUvaUra0dbaMLWtv/E1cyVa2VWxVe5utZm+31X8T17V323r2Hlvf3mvr2Lt+FTew99nMq5OGiAC2uW1sW9om9hHb1D5qm9nmtoVtadvbJ20H+5TtaJ+2newzv4kX2kV2tV1j19p1drfdY8/Ys/aQ/c6esz/Z3raPHWRfsYPtq3aIfc0m2qG/iUfbt+wY+7Yda8fZ8XbCb+KpdppNttPtDPu+nWln/SZOsR/ZOTbVzrXz7Hy74Jc4s6ZU+7FdbD+xaTaApXaZXW5X2JV2VVatPq/dYDfaTXaX/cxutdvsdrvD7sxqh91j99rPbbr9wh6039r99it7wB62GfabX+LM4ztsv7dH7A/2qD1mj9sT9qT9UWVlZx77CfuzvWC9BUICkqQooBjKQbGUk3LRVZSbrqY8lJcidA3F0bWUj66j/FSAClIhiqfCVIQ0GbJEFFJRKkZRup6yyitFpclRGSpLN1I5uonK081UgW6hinQrVaLKVIWq0m1UjW6n6nQH1aA7qSbVotpUh+6iunQ31aN7qD7dSw3oPrqfHqCG9CA1ooeoMT1MTegRakqPUjNqTi2oJbWix6g1PU5tqC21oyeoPT1JHegp6khPUyd6hjrTX6gLPUtd6TnqRs9Td+pBPekF6kUvUm/qQwnUl/rRS9SfBtBAepkG0Ss0mF6lIfQaJdJQGkav03B6g0bQmzSSRtFoeovG0Ns0lsbReJpASTSRJtE7NJnepSn0Hk2laZRM02kGvU8zaRbNpg9oDn1Ic2kezacFlEIf0UJaRKn0MS2mTyiNltBSWkbLaQWtpFW0mtbQWlpH62kDbaRNtJm20FbaRttpB+2kT2kXfUa7aQ/tpc8pnb4gpC9pP31FB+hryqBv6CB9S4foOzpM3/s+9AMdpWN0nE7QSfqRTtFpOkNn6Rz9ROfpZ7pAniDEUIQyVGEQxoQ5wtgwZ5grvCrMHV4d5gnzhpHwmjAuvDbMF14X5g8LhAXDQmF8WDgsEurQhDakMAyLhsXCaHh9WDy8ISwRlgxLhaVDF5YJy4Y3huXCm8Ly4c1hhfCWsGJ4a1gprBw+cm/V8LawWnh7WD28I6wR3hnWDGuFtcM64V1h3fDusF54T1g/vDcsH94X3h8+EDYMHwwbhQ+FjcOHwybhI2HT8NGwWdg8bBG2DFuFj4Wtw8fDNmHbsF34RNg+fDLsED4VdgyfDjuFz/yy/r5Ff7w+Iewb9gtfCl8Kvb9Hzo8uiKZEP4oujC6KpkY/ji6OfhJNiy6JLo0uiy6ProiujK6Kro6uia6Nrouuj26IboxuinpfJwc4dMJJp1zgYlwOF+tyulzuKpfbXe3yuLwu4q5xce5al89d5/K7Aq6gK+TiXWFXxGlnnHXkQlfUFXNRd70r7m5wJVxJV8qVds6VcWVdS9fKtXKt3eOujWvr2rkn3BPuSfeke8o95Z52ndwzrrP7i+vinnVd3XPuOfe86+56uJ7uBdfLTcxz8T2Z4Po5n6O/6+8GuoFukBvkBrvBbogb4hJdohvmhrnhbrgb4Ua4kW6kG+1GuzFujBvrxrrxbrxLcklukpvkJrvJboqb4qa6qS7ZJbsZboab6Wa6arMu7mWum+vmu/kuxaW4hS7zmjHVLXaLXZpLc0vdUrfcLXcr3Uq32q12a91at96tdxvdRrfZbXZb3Va33W13O91Ot8vtcrt93ouTunS3z+1z+91+d8B97TLcN+6g+9Ydct+5w+57d8T94I66Y+64O+FOuh/dKXfanXFn3Tn3kzvvfnYXnHdJkYmRSZF3IpMj70amRN6LTI1MiyRHpkdmRN6PzIzMisyOfBCZE/kwMjcyLzI/siCSEvkosjCyKJIa+TiyOPJJJC2yJLI0siyyPLIi4n3hraEv6ov5qL/eF/c3+BK+pC/lS3vny/iy/kZfzt/ky/ubfQV/i6/ob/WVfGVfxT/qm/nmvoVv6Vv5x3xr/7hv49v6dv4J394/6Tv4p3xH/7Tv5J/xnf1ffBf/rO/qn/Pd/PO+u+/he/oXfC//ou/t+/gE39f38y/5/n6AH+hf9oP8K36wf9UP8a/5RD/UD/Ov++H+DT/Cv+lH+lF+dMxbfkzWLTJM8El+op/k3/GT/bt+in/PT/XTfLKf7mf49/1MP8vP9h/4Of5DP9fP8/P9Ap/iP/IL/SKf6j/2i/0nPs0vyXqo7Ff6VX61X+PX+nV+vd/gN/pNfrPf4rf6bX673+F3+k/9Lv+Z3+33+L3+c5/uv/D7/Jd+v//KH/Bf+wz/jT/ov/WH/Hf+sP/eH/E/+KP+mD/uT/iT/kd/yp/2Z/xZf87/5M/7n/0F/p01xhhjjLG/ycTLQ/HrNRefAPX9nRzxVxv3A4CrtxXK+Ov1mVeU6/NfHA8Q8e0jAPB0n24PZS01ayYkJFzaNk1CUGweQNZPgjLFwOV4CbSDJ6EjtIVyv1v/ANHjHP3J/NFbAHL9VU4sXI4vz/8lACb8zvyPPTF6YcXwTNz/Z/55ACWKXc7JCZfjJdDul+crbaH8H9RfoPWf1J/zqySANn+Vkxsux5frLwuPwzPQ8VdbMsYYY4wxxhhjFw0QVbpk3X9m/Y/P37s/j1eXc3LA5fjP7s8ZY4wxxhhjjDF25T3bo+dTj3Xs2LbL3z+o/ufbqMtfyf337qIp/KOF8eAfGngP8D+NA4B/ckKAzIH8dx7Fln/LvhIvvXX+96rlZ30A/xmt/FcMrvCJiTHGGGOMMfYvd/mi/9dfV1eqIMYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjLBv6Z//GG/wNf6XvSh8jY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxdqX9vwAAAP//0V/4pQ==") r3 = openat(0xffffffffffffff9c, &(0x7f0000004280)='.\x00', 0x0, 0x0) bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x3}, 0x28) r4 = syz_init_net_socket$llc(0x1a, 0x801, 0x0) bind$llc(r4, &(0x7f0000000080), 0x10) getdents64(r3, 0xfffffffffffffffe, 0x29) pidfd_send_signal(0xffffffffffffffff, 0x9, 0x0, 0x0) r5 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r5, &(0x7f0000002180)=[{&(0x7f0000000000)="580000001400192340834b80040d8c560a067f0258ff000000000000000058000b4824ca945f64009400ff0325010ebc000000000000008000f0fffeffe809005300fff5dd00000010000100090810000000000000040000", 0x58}], 0x1) syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0405"], 0x7) 278.912288ms ago: executing program 0 (id=1810): sendmsg$inet(0xffffffffffffffff, 0x0, 0x40000) setreuid(0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r2 = syz_init_net_socket$ax25(0x3, 0x3, 0x8) ioctl$SIOCAX25OPTRT(r2, 0x89e7, 0x0) 181.659502ms ago: executing program 5 (id=1811): r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000100)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000001c0)={0x90, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x40}, @transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 160.181905ms ago: executing program 2 (id=1812): sendmsg$inet(0xffffffffffffffff, 0x0, 0x40000) setreuid(0x0, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) keyctl$instantiate(0xc, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='new default user:syz 000040'], 0x2a, 0x0) getsockopt$bt_hci(0xffffffffffffffff, 0x84, 0x84, 0x0, &(0x7f0000001040)) r3 = add_key(&(0x7f0000000140)='encrypted\x00', &(0x7f0000000180), &(0x7f0000000100), 0xca, 0xfffffffffffffffe) keyctl$read(0xb, r3, &(0x7f0000000240)=""/112, 0x349b7f55) 79.451096ms ago: executing program 5 (id=1813): r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) r1 = socket(0x400000000010, 0x3, 0x0) r2 = socket$unix(0x1, 0x5, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0x25dfdbfd, {0x0, 0x0, 0x0, r3, {0x0, 0xfff1}, {0xffff, 0xffff}, {0x1, 0xf}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8, 0x2, {0x28}}}]}, 0x38}, 0x1, 0x0, 0x0, 0x40000}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000440)={&(0x7f00000001c0)=@newtfilter={0x38, 0x2c, 0xd27, 0x70bd24, 0x25dfdbfb, {0x0, 0x0, 0x0, r3, {0x8, 0xfff1}, {}, {0xa}}, [@filter_kind_options=@f_flower={{0xb}, {0x8, 0x2, [@TCA_FLOWER_KEY_ENC_OPTS={0x4}]}}]}, 0x38}, 0x1, 0x0, 0x0, 0x22044028}, 0x0) 79.190317ms ago: executing program 1 (id=1814): prlimit64(0x0, 0xe, 0x0, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6) r3 = socket$inet6_sctp(0xa, 0x1, 0x84) ioctl$PAGEMAP_SCAN(0xffffffffffffffff, 0xc0606610, 0x0) setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r3, 0x84, 0x16, &(0x7f0000000200)=ANY=[], 0x6) 0s ago: executing program 5 (id=1815): prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0) r0 = getpid() sched_setscheduler(r0, 0x1, 0x0) getpid() mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e) recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x2, 0x0) r1 = syz_io_uring_setup(0x110, &(0x7f0000000380)={0x0, 0x10, 0x0, 0x5, 0x80}, &(0x7f0000000240)=0x0, &(0x7f0000000280)=0x0) syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4) syz_io_uring_submit(r2, r3, &(0x7f00000002c0)=@IORING_OP_FILES_UPDATE={0x14, 0x0, 0x0, 0x0, 0xfffffffffffffffc, &(0x7f0000000000)=[0xffffffffffffffff], 0x1}) io_uring_enter(r1, 0x47f6, 0x0, 0x0, 0x0, 0x0) kernel console output (not intermixed with test programs): 12][ T8479] ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1 [ 95.406961][ T8479] ubi0: VID header offset: 64 (aligned 64), data offset: 128 [ 95.408118][ T8479] ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 [ 95.409594][ T8479] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23 [ 95.410924][ T8479] ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 1043192561 [ 95.412516][ T8479] ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 [ 95.414598][ T8492] ubi0: background thread "ubi_bgt0d" started, PID 8492 [ 96.326559][ T8505] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 96.326751][ T8505] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 96.571473][ T8507] openvswitch: netlink: IP tunnel dst address not specified [ 96.785651][ T8513] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 96.785938][ T8513] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 97.136621][ T8524] __nla_validate_parse: 4 callbacks suppressed [ 97.136668][ T8524] netlink: 8 bytes leftover after parsing attributes in process `syz.4.599'. [ 97.247817][ T8532] netlink: 8 bytes leftover after parsing attributes in process `syz.0.596'. [ 97.248132][ T8532] netlink: 4 bytes leftover after parsing attributes in process `syz.0.596'. [ 97.248152][ T8532] netlink: 'syz.0.596': attribute type 13 has an invalid length. [ 97.248162][ T8532] netlink: 'syz.0.596': attribute type 12 has an invalid length. [ 97.251657][ T8526] netlink: 28 bytes leftover after parsing attributes in process `syz.2.598'. [ 97.251980][ T8526] 8021q: adding VLAN 0 to HW filter on device bond7 [ 97.411186][ T8531] syzkaller0: entered promiscuous mode [ 97.412329][ T8531] syzkaller0: entered allmulticast mode [ 97.427295][ T6658] IPVS: starting estimator thread 0... [ 97.444145][ T8535] IPVS: ip_vs_edit_dest(): lower threshold is higher than upper threshold [ 97.455786][ T8535] netlink: 24 bytes leftover after parsing attributes in process `syz.2.601'. [ 97.549542][ T8537] IPVS: using max 71 ests per chain, 170400 per kthread [ 98.579977][ T8561] syz_tun: entered allmulticast mode [ 98.582431][ T8559] syz_tun: left allmulticast mode [ 98.591671][ T8563] netlink: 24 bytes leftover after parsing attributes in process `syz.2.610'. [ 98.609646][ T8566] netlink: 'syz.3.611': attribute type 1 has an invalid length. [ 98.614754][ T8569] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 98.614933][ T8569] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 98.919366][ T8566] netlink: 28 bytes leftover after parsing attributes in process `syz.3.611'. [ 98.919817][ T8566] 8021q: adding VLAN 0 to HW filter on device bond7 [ 99.096410][ T8575] netlink: 8 bytes leftover after parsing attributes in process `syz.0.613'. [ 99.096442][ T8575] netlink: 4 bytes leftover after parsing attributes in process `syz.0.613'. [ 99.096460][ T8575] netlink: 'syz.0.613': attribute type 13 has an invalid length. [ 99.096468][ T8575] netlink: 'syz.0.613': attribute type 12 has an invalid length. [ 99.609799][ T8583] netlink: 'syz.3.617': attribute type 1 has an invalid length. [ 99.609839][ T8583] netlink: 'syz.3.617': attribute type 2 has an invalid length. [ 99.610203][ T8583] netlink: 72 bytes leftover after parsing attributes in process `syz.3.617'. [ 99.970565][ T8593] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 99.970657][ T8593] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 100.244092][ T8599] syzkaller0: entered promiscuous mode [ 100.248911][ T8599] syzkaller0: entered allmulticast mode [ 100.937823][ T8613] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 100.957045][ T8615] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 100.957209][ T8615] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 101.181290][ T8618] mkiss: ax0: crc mode is auto. [ 101.641294][ T8628] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 101.643127][ T8628] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 101.672292][ T8635] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 101.672398][ T8635] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 101.721002][ T8637] netlink: 'syz.2.629': attribute type 13 has an invalid length. [ 101.721062][ T8637] netlink: 'syz.2.629': attribute type 12 has an invalid length. [ 102.268053][ T8643] kernel profiling enabled (shift: 9) [ 102.558259][ T8649] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 103.101773][ T8660] syzkaller0: entered promiscuous mode [ 103.103000][ T8660] syzkaller0: entered allmulticast mode [ 103.252845][ T8670] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 103.254830][ T8670] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 103.625506][ T2037] Bluetooth: hci5: Frame reassembly failed (-84) [ 103.976816][ T8678] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 103.976997][ T8678] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 104.313333][ T8689] random: crng reseeded on system resumption [ 104.615263][ T8702] __nla_validate_parse: 4 callbacks suppressed [ 104.615306][ T8702] netlink: 8 bytes leftover after parsing attributes in process `syz.2.650'. [ 104.615353][ T8702] netlink: 4 bytes leftover after parsing attributes in process `syz.2.650'. [ 104.615463][ T8702] netlink: 'syz.2.650': attribute type 13 has an invalid length. [ 104.615503][ T8702] netlink: 'syz.2.650': attribute type 12 has an invalid length. [ 105.340334][ T26] usb 1-1: new high-speed USB device number 7 using dummy_hcd [ 105.439517][ T8717] netlink: 12 bytes leftover after parsing attributes in process `syz.3.658'. [ 105.498714][ T26] usb 1-1: Using ep0 maxpacket: 32 [ 105.501108][ T26] usb 1-1: config index 0 descriptor too short (expected 35577, got 27) [ 105.501372][ T26] usb 1-1: config 1 has too many interfaces: 92, using maximum allowed: 32 [ 105.501390][ T26] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 92 [ 105.501398][ T26] usb 1-1: config 1 has no interface number 0 [ 105.501408][ T26] usb 1-1: config 1 interface 1 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 105.501418][ T26] usb 1-1: config 1 interface 1 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 17 [ 105.501433][ T26] usb 1-1: New USB device found, idVendor=0e41, idProduct=5051, bcdDevice=d5.e8 [ 105.501442][ T26] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 105.507808][ T26] snd_usb_pod 1-1:1.1: Line 6 Pocket POD found [ 105.512060][ T8720] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 105.512161][ T8720] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 105.609370][ T6166] Bluetooth: hci5: Opcode 0x1003 failed: -110 [ 105.746113][ T8726] netlink: 'syz.1.660': attribute type 1 has an invalid length. [ 105.757256][ T8726] netlink: 28 bytes leftover after parsing attributes in process `syz.1.660'. [ 105.757617][ T8726] 8021q: adding VLAN 0 to HW filter on device bond5 [ 106.089164][ C1] bridge0: port 1(bridge_slave_0) entered learning state [ 106.089537][ C1] bridge0: port 2(bridge_slave_1) entered learning state [ 107.696348][ T8750] netlink: 8 bytes leftover after parsing attributes in process `syz.4.666'. [ 107.696391][ T8750] netlink: 4 bytes leftover after parsing attributes in process `syz.4.666'. [ 107.696424][ T8750] netlink: 'syz.4.666': attribute type 13 has an invalid length. [ 107.696437][ T8750] netlink: 'syz.4.666': attribute type 12 has an invalid length. [ 108.096590][ T26] snd_usb_pod 1-1:1.1: set_interface failed [ 108.096709][ T26] snd_usb_pod 1-1:1.1: Line 6 Pocket POD now disconnected [ 108.096772][ T26] snd_usb_pod 1-1:1.1: probe with driver snd_usb_pod failed with error -71 [ 108.114049][ T8756] fuse: Bad value for 'fd' [ 108.214570][ T8756] fuse: Bad value for 'fd' [ 108.260011][ T8764] netlink: 'syz.3.671': attribute type 1 has an invalid length. [ 108.270558][ T8764] netlink: 28 bytes leftover after parsing attributes in process `syz.3.671'. [ 108.272903][ T8764] 8021q: adding VLAN 0 to HW filter on device bond8 [ 108.291908][ T26] usb 1-1: USB disconnect, device number 7 [ 108.741283][ T8784] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 108.743288][ T8784] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 109.914286][ T8793] fuse: Bad value for 'fd' [ 109.920429][ T8793] fuse: Bad value for 'fd' [ 110.576367][ T8808] Set syz1 is full, maxelem 6117 reached [ 111.022913][ T8824] binder: 8823:8824 tried to acquire reference to desc 0, got 1 instead [ 111.023759][ T8824] binder: 8823:8824 got new transaction with bad transaction stack, transaction 45 has target 8823:0 [ 111.023799][ T8824] binder: 8823:8824 transaction call to 8823:0 failed 46/29201/-71, code 0 size 0-0 line 3292 [ 111.024150][ T8824] binder: 8823:8824 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 111.024165][ T8824] binder: 8824 RLIMIT_NICE not set [ 111.024180][ T8824] binder: 8824 RLIMIT_NICE not set [ 111.024275][ T8824] binder: 8824 RLIMIT_NICE not set [ 111.024326][ T8824] binder_alloc: 8823: binder_alloc_buf, no vma [ 111.024336][ T8824] binder: cannot allocate buffer: vma cleared, target dead or dying [ 111.024356][ T8824] binder: 8823:8824 transaction reply to 8823:8824 failed 47/29189/-3, code 0 size 0-0 line 3389 [ 111.024376][ T8824] binder: send failed reply for transaction 45 to 8823:8824 [ 111.024727][ T6682] binder: undelivered TRANSACTION_COMPLETE [ 111.024742][ T6682] binder: undelivered TRANSACTION_ERROR: 29201 [ 111.024753][ T6682] binder: undelivered TRANSACTION_ERROR: 29189 [ 111.050950][ T6682] binder: undelivered TRANSACTION_ERROR: 29190 [ 111.068850][ T8828] fuse: Bad value for 'fd' [ 111.069248][ T8828] fuse: Bad value for 'fd' [ 113.085354][ T54] Bluetooth: hci3: command 0x2016 tx timeout [ 113.968204][ T8882] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 113.968338][ T8882] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 114.269635][ T8875] bond5: entered promiscuous mode [ 114.273793][ T8875] 8021q: adding VLAN 0 to HW filter on device bond5 [ 114.355312][ T8882] 8021q: adding VLAN 0 to HW filter on device bond5 [ 114.356804][ T8882] bond5: (slave wireguard2): The slave device specified does not support setting the MAC address [ 114.360052][ T8882] bond5: (slave wireguard2): Error -95 calling set_mac_address [ 115.123486][ T8879] workqueue: Failed to create a rescuer kthread for wq "wg-crypt-wireguard%d": -EINTR [ 115.239427][ T6582] Bluetooth: hci3: command 0x2016 tx timeout [ 115.427336][ T8915] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 115.430355][ T8915] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 115.465808][ T8920] syz.2.724 (8920) used obsolete PPPIOCDETACH ioctl [ 115.864906][ T8925] Set syz1 is full, maxelem 6117 reached [ 116.300508][ T54] Bluetooth: hci0: command 0x2016 tx timeout [ 116.356255][ T8936] bond6: entered promiscuous mode [ 116.356588][ T8936] 8021q: adding VLAN 0 to HW filter on device bond6 [ 116.379536][ T8936] 8021q: adding VLAN 0 to HW filter on device bond6 [ 116.379731][ T8936] bond6: (slave wireguard2): The slave device specified does not support setting the MAC address [ 116.381405][ T8936] bond6: (slave wireguard2): Error -95 calling set_mac_address [ 116.410434][ T8944] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 116.411913][ T8944] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 116.427924][ T8944] bond6: (slave wireguard2): The slave device specified does not support setting the MAC address [ 116.430345][ T8944] bond6: (slave wireguard2): Error -95 calling set_mac_address [ 116.663386][ C1] vxcan1: j1939_tp_rxtimer: 0x00000000f8a7b66d: rx timeout, send abort [ 116.664355][ C1] vxcan1: j1939_xtp_rx_abort_one: 0x00000000f8a7b66d: 0x40000: (3) A timeout occurred and this is the connection abort to close the session. [ 117.250515][ T8950] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 117.317180][ T8958] netlink: 28 bytes leftover after parsing attributes in process `syz.4.736'. [ 117.819869][ T8974] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 117.820285][ T8974] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 118.282510][ T6166] Bluetooth: hci0: command 0x2016 tx timeout [ 118.674377][ T8997] netlink: 28 bytes leftover after parsing attributes in process `syz.2.748'. [ 119.160846][ T6166] Bluetooth: hci4: unexpected event for opcode 0x1408 [ 119.760048][ T6793] usb 1-1: new high-speed USB device number 8 using dummy_hcd [ 120.257981][ T6166] Bluetooth: hci0: command 0x2016 tx timeout [ 120.261943][ T6793] usb 1-1: config 1 has too many interfaces: 66, using maximum allowed: 32 [ 120.261988][ T6793] usb 1-1: config 1 has an invalid descriptor of length 55, skipping remainder of the config [ 120.262001][ T6793] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 66 [ 120.262017][ T6793] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 55, changing to 9 [ 120.262029][ T6793] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 8496, setting to 1024 [ 120.272512][ T6793] usb 1-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40 [ 120.277723][ T6793] usb 1-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0 [ 120.277758][ T6793] usb 1-1: Product: syz [ 120.277769][ T6793] usb 1-1: Manufacturer: syz [ 120.286398][ T6793] cdc_wdm 1-1:1.0: skipping garbage [ 120.286426][ T6793] cdc_wdm 1-1:1.0: skipping garbage [ 120.297586][ T9019] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 120.298313][ T6793] cdc_wdm 1-1:1.0: cdc-wdm0: USB WDM device [ 120.298329][ T6793] cdc_wdm 1-1:1.0: Unknown control protocol [ 120.855713][ T9031] xt_CT: You must specify a L4 protocol and not use inversions on it [ 120.855829][ C1] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 120.855864][ C1] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 120.856198][ T6694] usb 1-1: USB disconnect, device number 8 [ 120.856267][ C1] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 120.856278][ C1] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 120.856286][ C1] cdc_wdm 1-1:1.0: wdm_int_callback - usb_submit_urb failed with result -19 [ 120.862908][ T8993] cdc_wdm 1-1:1.0: Tx URB error: -19 [ 120.862986][ T9032] cdc_wdm 1-1:1.0: Tx URB error: -19 [ 121.140086][ T9038] netlink: 28 bytes leftover after parsing attributes in process `syz.3.759'. [ 121.213529][ T9050] netlink: 24 bytes leftover after parsing attributes in process `syz.3.764'. [ 121.354298][ T9054] tmpfs: Unknown parameter 'fscontext' [ 122.250092][ T9069] fuse: Bad value for 'rootmode' [ 122.251559][ T9069] fuse: Bad value for 'rootmode' [ 122.263953][ T54] Bluetooth: hci0: command 0x2016 tx timeout [ 122.382014][ T9072] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 122.460356][ T9076] netlink: 28 bytes leftover after parsing attributes in process `syz.3.772'. [ 122.768491][ T54] Bluetooth: hci4: command 0x2016 tx timeout [ 123.160549][ T9098] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 123.160750][ T9098] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 123.210828][ T9102] fuse: Bad value for 'rootmode' [ 123.212302][ T9102] fuse: Bad value for 'rootmode' [ 123.268019][ T9105] binder: 9104:9105 tried to acquire reference to desc 0, got 1 instead [ 123.269886][ T9105] binder: 9104:9105 got new transaction with bad transaction stack, transaction 52 has target 9104:0 [ 123.271868][ T9105] binder: 9104:9105 transaction call to 9104:0 failed 53/29201/-71, code 0 size 0-0 line 3292 [ 123.326927][ T9105] binder: 9104:9105 got reply transaction with no transaction stack [ 123.328521][ T9105] binder: 9104:9105 transaction reply to 0:0 failed 54/29201/-71, code 0 size 0-0 line 3135 [ 123.330844][ T6682] binder: release 9104:9105 transaction 52 out, still active [ 123.332140][ T6682] binder: undelivered TRANSACTION_COMPLETE [ 123.333259][ T6682] binder: undelivered TRANSACTION_ERROR: 29201 [ 123.339924][ T6682] binder: undelivered TRANSACTION_ERROR: 29201 [ 123.341165][ T6682] binder: send failed reply for transaction 52, target dead [ 123.354999][ T9110] netlink: 28 bytes leftover after parsing attributes in process `syz.2.783'. [ 123.357830][ T9110] netlink: 28 bytes leftover after parsing attributes in process `syz.2.783'. [ 124.149203][ T9130] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 124.956813][ T9142] fuse: Bad value for 'rootmode' [ 124.957221][ T9142] fuse: Bad value for 'rootmode' [ 125.224041][ T9150] netlink: 28 bytes leftover after parsing attributes in process `syz.2.794'. [ 125.231295][ T9150] netlink: 28 bytes leftover after parsing attributes in process `syz.2.794'. [ 125.250984][ T9157] netlink: 80 bytes leftover after parsing attributes in process `syz.0.799'. [ 125.617307][ T2467] ieee802154 phy0 wpan0: encryption failed: -22 [ 125.620470][ T2467] ieee802154 phy1 wpan1: encryption failed: -22 [ 126.289898][ T9171] Set syz1 is full, maxelem 6117 reached [ 126.308732][ T9174] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 126.308911][ T9174] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 126.360123][ T9179] fuse: Unknown parameter 'use00000000000000000000' [ 126.360590][ T9179] fuse: Unknown parameter 'use00000000000000000000' [ 126.459707][ T9190] netlink: 'syz.2.810': attribute type 1 has an invalid length. [ 126.465222][ T9183] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 126.541880][ T9190] bond8: entered promiscuous mode [ 126.543535][ T9190] 8021q: adding VLAN 0 to HW filter on device bond8 [ 126.567609][ T9192] 8021q: adding VLAN 0 to HW filter on device bond8 [ 126.785520][ T9192] bond8: (slave wireguard9): The slave device specified does not support setting the MAC address [ 126.792931][ T9192] bond8: (slave wireguard9): Error -95 calling set_mac_address [ 126.802176][ T9190] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 126.802288][ T9190] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 126.813806][ T9190] bond8: (slave wireguard9): The slave device specified does not support setting the MAC address [ 126.814131][ T9190] bond8: (slave wireguard9): Error -95 calling set_mac_address [ 126.814968][ T9198] netlink: 80 bytes leftover after parsing attributes in process `syz.0.811'. [ 127.518545][ T9213] fuse: Unknown parameter 'use00000000000000000000' [ 127.520731][ T9213] fuse: Unknown parameter 'use00000000000000000000' [ 127.557047][ T9217] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 127.561274][ T9217] netlink: 'syz.1.818': attribute type 12 has an invalid length. [ 127.563052][ T9217] netlink: 'syz.1.818': attribute type 29 has an invalid length. [ 127.564751][ T9217] netlink: 148 bytes leftover after parsing attributes in process `syz.1.818'. [ 127.994419][ T9234] netlink: 80 bytes leftover after parsing attributes in process `syz.3.824'. [ 128.010562][ T9239] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 128.015898][ T9237] netlink: 28 bytes leftover after parsing attributes in process `syz.1.825'. [ 128.020411][ T9237] netlink: 28 bytes leftover after parsing attributes in process `syz.1.825'. [ 128.074068][ T9245] fuse: Unknown parameter 'use00000000000000000000' [ 128.074425][ T9245] fuse: Unknown parameter 'use00000000000000000000' [ 128.088831][ T9247] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 128.089040][ T9247] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 129.035591][ T9268] netlink: 80 bytes leftover after parsing attributes in process `syz.4.837'. [ 129.084923][ T9274] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 129.087534][ T9274] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 129.091827][ T9276] fuse: Unknown parameter 'user_i00000000000000000000' [ 129.093204][ T9276] fuse: Unknown parameter 'user_i00000000000000000000' [ 129.097405][ T9278] netlink: 28 bytes leftover after parsing attributes in process `syz.2.840'. [ 129.098500][ T9278] netlink: 28 bytes leftover after parsing attributes in process `syz.2.840'. [ 129.212758][ T9294] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 130.228465][ T9305] netlink: 80 bytes leftover after parsing attributes in process `syz.3.849'. [ 130.271605][ T9311] fuse: Unknown parameter 'user_i00000000000000000000' [ 130.273716][ T9311] fuse: Unknown parameter 'user_i00000000000000000000' [ 130.353880][ T9317] netlink: 28 bytes leftover after parsing attributes in process `syz.3.854'. [ 130.356748][ T9317] netlink: 28 bytes leftover after parsing attributes in process `syz.3.854'. [ 130.680203][ T9335] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 130.687303][ T9335] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 131.032619][ T9339] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 131.032811][ T9339] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 131.048485][ T9339] input: syz1 as /devices/virtual/input/input3 [ 131.097768][ T9342] fuse: Unknown parameter 'user_i00000000000000000000' [ 131.098753][ T9342] fuse: Unknown parameter 'user_i00000000000000000000' [ 131.296714][ T9354] syzkaller0: entered promiscuous mode [ 131.300547][ T9354] syzkaller0: entered allmulticast mode [ 132.697055][ T9401] binder: 9400:9401 tried to acquire reference to desc 0, got 1 instead [ 132.699392][ T9401] binder: 9400:9401 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 132.701487][ T9401] binder: 9401 RLIMIT_NICE not set [ 132.709294][ T9403] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 132.709554][ T9403] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 132.749640][ T9405] binder: 9400:9405 got reply transaction with no transaction stack [ 132.749681][ T9405] binder: 9400:9405 transaction reply to 0:0 failed 59/29201/-71, code 0 size 0-0 line 3135 [ 134.403865][ T6694] binder: undelivered TRANSACTION_ERROR: 29201 [ 134.958495][ T9441] __nla_validate_parse: 6 callbacks suppressed [ 134.959233][ T9441] netlink: 4 bytes leftover after parsing attributes in process `syz.1.900'. [ 135.009304][ T9443] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 135.009423][ T9443] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 135.105864][ T9447] netlink: 'syz.4.901': attribute type 11 has an invalid length. [ 135.105891][ T9447] netlink: 224 bytes leftover after parsing attributes in process `syz.4.901'. [ 135.112630][ C1] bridge0: port 2(bridge_slave_1) entered forwarding state [ 135.112663][ C1] bridge0: topology change detected, propagating [ 135.112793][ C1] bridge0: port 1(bridge_slave_0) entered forwarding state [ 135.112802][ C1] bridge0: topology change detected, propagating [ 135.366846][ T9461] netlink: 24 bytes leftover after parsing attributes in process `syz.0.907'. [ 135.518516][ T9471] binder: 9463:9471 got transaction to invalid handle, 1 [ 135.519974][ T9471] binder: 9463:9471 cannot find target node [ 135.522296][ T9471] binder: 9463:9471 transaction call to 0:0 failed 63/29201/-22, code 0 size 0-0 line 3232 [ 135.525103][ T9471] binder: 9463:9471 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 135.527439][ T9471] binder: 9471 RLIMIT_NICE not set [ 136.062512][ T9478] binder: 9463:9478 got reply transaction with no transaction stack [ 136.062557][ T9478] binder: 9463:9478 transaction reply to 0:0 failed 64/29201/-71, code 0 size 0-0 line 3135 [ 136.666043][ T6686] binder: undelivered TRANSACTION_ERROR: 29201 [ 136.666109][ T6686] binder: undelivered TRANSACTION_ERROR: 29201 [ 136.680137][ T9487] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 136.680316][ T9487] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 136.774760][ T9496] netlink: 24 bytes leftover after parsing attributes in process `syz.0.919'. [ 137.050858][ T9506] netlink: 8 bytes leftover after parsing attributes in process `syz.2.922'. [ 137.050891][ T9506] netlink: 4 bytes leftover after parsing attributes in process `syz.2.922'. [ 137.050924][ T9506] netlink: 'syz.2.922': attribute type 13 has an invalid length. [ 137.050936][ T9506] netlink: 'syz.2.922': attribute type 12 has an invalid length. [ 137.383419][ T9517] netlink: 4 bytes leftover after parsing attributes in process `syz.3.928'. [ 137.434190][ T9519] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 137.434291][ T9519] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 137.666087][ T9528] netlink: 44 bytes leftover after parsing attributes in process `syz.2.932'. [ 137.682898][ T9532] netlink: 24 bytes leftover after parsing attributes in process `syz.4.933'. [ 139.117322][ T9552] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 139.117509][ T9552] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 139.157416][ T9556] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 139.175043][ T9558] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 139.175149][ T9558] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 139.504986][ T9566] netlink: 8 bytes leftover after parsing attributes in process `syz.3.943'. [ 139.505027][ T9566] netlink: 'syz.3.943': attribute type 13 has an invalid length. [ 139.505049][ T9566] netlink: 'syz.3.943': attribute type 12 has an invalid length. [ 139.675244][ T9568] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 139.675454][ T9568] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 140.264537][ T6582] Bluetooth: hci4: unexpected event for opcode 0x1408 [ 140.702573][ T9582] netlink: 'syz.3.948': attribute type 1 has an invalid length. [ 140.737860][ T9582] __nla_validate_parse: 1 callbacks suppressed [ 140.739244][ T9582] netlink: 28 bytes leftover after parsing attributes in process `syz.3.948'. [ 141.200183][ T9603] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 141.200358][ T9603] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 141.644915][ T9612] netlink: 24 bytes leftover after parsing attributes in process `syz.1.959'. [ 141.660608][ T9614] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 141.660779][ T9614] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 141.698090][ T9619] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 141.698655][ T9619] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 141.760308][ T9621] netlink: 'syz.2.963': attribute type 1 has an invalid length. [ 141.771239][ T9621] netlink: 28 bytes leftover after parsing attributes in process `syz.2.963'. [ 142.684895][ T6166] Bluetooth: hci0: unexpected event for opcode 0x1408 [ 142.839724][ T9644] netlink: 24 bytes leftover after parsing attributes in process `syz.3.971'. [ 142.986744][ T9650] netlink: 'syz.3.974': attribute type 1 has an invalid length. [ 143.016338][ T9650] netlink: 28 bytes leftover after parsing attributes in process `syz.3.974'. [ 143.804615][ T6166] Bluetooth: hci4: command 0x2016 tx timeout [ 143.921272][ T9676] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 143.926068][ T9676] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 144.069117][ T9679] zonefs (nullb0) ERROR: Not a zoned block device [ 144.233420][ T9681] netlink: 24 bytes leftover after parsing attributes in process `syz.4.984'. [ 144.311337][ T9691] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 144.311447][ T9691] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 144.482300][ T9694] netlink: 8 bytes leftover after parsing attributes in process `syz.3.988'. [ 144.484017][ T9694] netlink: 4 bytes leftover after parsing attributes in process `syz.3.988'. [ 144.486101][ T9694] netlink: 'syz.3.988': attribute type 13 has an invalid length. [ 144.487756][ T9694] netlink: 'syz.3.988': attribute type 12 has an invalid length. [ 144.963900][ T9705] random: crng reseeded on system resumption [ 145.366125][ T54] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:0' [ 145.366867][ T54] CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT [ 145.366893][ T54] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 145.366899][ T54] Workqueue: hci0 hci_rx_work [ 145.366922][ T54] Call trace: [ 145.366926][ T54] show_stack+0x2c/0x3c (C) [ 145.366940][ T54] __dump_stack+0x30/0x40 [ 145.366948][ T54] dump_stack_lvl+0xd8/0x12c [ 145.366962][ T54] dump_stack+0x1c/0x28 [ 145.366969][ T54] sysfs_create_dir_ns+0x22c/0x24c [ 145.366979][ T54] kobject_add_internal+0x5a8/0xb48 [ 145.366991][ T54] kobject_add+0x134/0x200 [ 145.367000][ T54] device_add+0x394/0xa88 [ 145.367008][ T54] hci_conn_add_sysfs+0xc0/0x1f8 [ 145.367015][ T54] le_conn_complete_evt+0xc00/0x1064 [ 145.367021][ T54] hci_le_enh_conn_complete_evt+0x114/0x410 [ 145.367031][ T54] hci_le_meta_evt+0x2dc/0x500 [ 145.367038][ T54] hci_event_packet+0x6bc/0xf50 [ 145.367045][ T54] hci_rx_work+0x300/0xd80 [ 145.367054][ T54] process_one_work+0x7c0/0x1558 [ 145.367063][ T54] worker_thread+0x958/0xed8 [ 145.367071][ T54] kthread+0x5fc/0x75c [ 145.367078][ T54] ret_from_fork+0x10/0x20 [ 145.367252][ T54] kobject: kobject_add_internal failed for hci0:0 with -EEXIST, don't try to register things with the same name in the same directory. [ 145.367277][ T54] Bluetooth: hci0: failed to register connection device [ 145.616670][ T54] Bluetooth: hci0: unexpected event for opcode 0x1408 [ 146.206622][ T9721] netlink: 24 bytes leftover after parsing attributes in process `syz.3.995'. [ 146.308055][ T9728] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 146.309922][ T9728] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 146.374822][ T9724] cgroup: fork rejected by pids controller in /syz4 [ 146.435189][ T9762] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 146.437444][ T9762] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 146.489166][ T9711] Process accounting resumed [ 146.501609][ T9766] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 146.503605][ T9766] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 147.192341][ T9777] netlink: 'syz.4.1002': attribute type 4 has an invalid length. [ 147.205610][ T9777] netlink: 'syz.4.1002': attribute type 4 has an invalid length. [ 147.981185][ T6582] Bluetooth: hci0: command 0x2016 tx timeout [ 148.024737][ T54] Bluetooth: hci4: unexpected event for opcode 0x0c03 [ 148.041560][ T9783] netlink: 24 bytes leftover after parsing attributes in process `syz.2.1008'. [ 148.503758][ T9829] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 148.505206][ T9829] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 148.951304][ T9840] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 149.305432][ T9855] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 149.307221][ T9855] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 149.395152][ T9858] netlink: 12 bytes leftover after parsing attributes in process `syz.0.1020'. [ 149.422084][ T9862] netlink: 24 bytes leftover after parsing attributes in process `syz.0.1022'. [ 149.425918][ T9864] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 149.427594][ T9864] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 149.674255][ T24] usb 1-1: new full-speed USB device number 9 using dummy_hcd [ 149.828124][ T24] usb 1-1: config 16 interface 0 altsetting 0 endpoint 0x5 has invalid wMaxPacketSize 0 [ 149.828154][ T24] usb 1-1: config 16 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 3 [ 149.828170][ T24] usb 1-1: New USB device found, idVendor=ee8d, idProduct=db1a, bcdDevice=61.23 [ 149.828179][ T24] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 149.895400][ T6575] Bluetooth: hci0: command 0x2016 tx timeout [ 149.944778][ T9877] netlink: 28 bytes leftover after parsing attributes in process `syz.1.1027'. [ 149.995963][ T9882] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 149.997643][ T9882] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 150.082736][ T24] usb 1-1: usb_control_msg returned -32 [ 150.084035][ T24] usbtmc 1-1:16.0: can't read capabilities [ 150.185302][ T9885] lo speed is unknown, defaulting to 1000 [ 150.185611][ T9885] lo speed is unknown, defaulting to 1000 [ 150.190809][ T9885] lo speed is unknown, defaulting to 1000 [ 150.197465][ T9885] iwpm_register_pid: Unable to send a nlmsg (client = 2) [ 150.206745][ T9885] infiniband syz0: RDMA CMA: cma_listen_on_dev, error -98 [ 150.274418][ T9885] lo speed is unknown, defaulting to 1000 [ 150.278940][ T9885] lo speed is unknown, defaulting to 1000 [ 150.282118][ T9885] lo speed is unknown, defaulting to 1000 [ 150.284783][ T9885] lo speed is unknown, defaulting to 1000 [ 150.287591][ T9885] lo speed is unknown, defaulting to 1000 [ 150.649532][ T8967] usb 1-1: USB disconnect, device number 9 [ 150.979466][ T9903] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 151.397254][ T9910] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 151.397454][ T9910] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 151.670172][ T9922] 8021q: adding VLAN 0 to HW filter on device batadv1 [ 151.672163][ T9922] team0: Port device batadv1 added [ 151.722452][ T6575] Bluetooth: hci2: command 0x0406 tx timeout [ 151.723461][ T6582] Bluetooth: hci4: command 0x2016 tx timeout [ 151.748610][ T9922] hub 9-0:1.0: USB hub found [ 151.749411][ T9922] hub 9-0:1.0: 8 ports detected [ 152.186437][ T9935] netlink: 8 bytes leftover after parsing attributes in process `syz.3.1043'. [ 152.186467][ T9935] netlink: 4 bytes leftover after parsing attributes in process `syz.3.1043'. [ 152.186504][ T9935] netlink: 'syz.3.1043': attribute type 13 has an invalid length. [ 152.186515][ T9935] netlink: 'syz.3.1043': attribute type 12 has an invalid length. [ 152.782614][ T9950] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 152.782848][ T9950] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 153.187116][ T9956] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 153.787129][ T9970] netlink: 'syz.1.1057': attribute type 1 has an invalid length. [ 153.796867][ T9970] netlink: 28 bytes leftover after parsing attributes in process `syz.1.1057'. [ 153.798819][ T9] usb 1-1: new high-speed USB device number 10 using dummy_hcd [ 153.941207][ T9] usb 1-1: Using ep0 maxpacket: 8 [ 153.944247][ T9] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 153.944526][ T9] usb 1-1: New USB device found, idVendor=07c0, idProduct=1512, bcdDevice=30.22 [ 153.944549][ T9] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 153.947495][ T9] usb 1-1: config 0 descriptor?? [ 154.026786][ T9977] netlink: 'syz.1.1059': attribute type 4 has an invalid length. [ 154.329571][ T9] iowarrior 1-1:0.0: IOWarrior product=0x1512, serial= interface=0 now attached to iowarrior0 [ 154.356074][ T9982] syz.2.1061 uses old SIOCAX25GETINFO [ 154.612787][ T9991] netlink: 8 bytes leftover after parsing attributes in process `syz.3.1064'. [ 154.612821][ T9991] netlink: 4 bytes leftover after parsing attributes in process `syz.3.1064'. [ 154.612864][ T9991] netlink: 'syz.3.1064': attribute type 13 has an invalid length. [ 154.612878][ T9991] netlink: 'syz.3.1064': attribute type 12 has an invalid length. [ 154.728190][ T9] usb 1-1: USB disconnect, device number 10 [ 154.752580][ T9993] warning: `syz.1.1065' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211 [ 154.773259][ T9993] netlink: 'syz.1.1065': attribute type 8 has an invalid length. [ 154.773288][ T9993] netlink: 'syz.1.1065': attribute type 4 has an invalid length. [ 154.773536][ T9993] netlink: 164 bytes leftover after parsing attributes in process `syz.1.1065'. [ 154.797754][ T9995] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 154.797974][ T9995] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 155.217212][ T9999] netlink: 'syz.2.1068': attribute type 1 has an invalid length. [ 155.270731][T10004] binder: 10003:10004 tried to acquire reference to desc 0, got 1 instead [ 155.271242][T10004] binder: 10003:10004 got new transaction with bad transaction stack, transaction 69 has target 10003:0 [ 155.271261][T10004] binder: 10003:10004 transaction call to 10003:0 failed 70/29201/-71, code 0 size 0-0 line 3292 [ 155.276736][ T6644] binder: release 10003:10004 transaction 69 out, still active [ 155.307028][ T6644] binder: undelivered TRANSACTION_COMPLETE [ 155.307066][ T6644] binder: undelivered TRANSACTION_ERROR: 29201 [ 155.307406][ T6644] binder: send failed reply for transaction 69, target dead [ 155.386647][T10013] netlink: 28 bytes leftover after parsing attributes in process `syz.3.1073'. [ 155.678289][T10016] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 155.679923][T10016] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 155.894254][ T31] audit: type=1326 audit(925.954:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=_ pid=10024 comm="syz.0.1076" exe="/root/syz-executor" sig=9 arch=c00000b7 syscall=98 compat=0 ip=0xffffbd776b68 code=0x0 [ 156.298363][T10034] netlink: 'syz.1.1079': attribute type 10 has an invalid length. [ 156.327574][T10034] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 156.403325][T10040] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 156.405809][T10040] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 156.411902][T10042] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 156.414775][T10042] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 156.601094][ T6585] Bluetooth: hci3: command 0x2016 tx timeout [ 156.601202][ T6577] Bluetooth: hci0: command 0x2016 tx timeout [ 156.601234][ T6166] Bluetooth: hci1: command 0x0406 tx timeout [ 156.786895][T10055] netlink: 28 bytes leftover after parsing attributes in process `syz.0.1088'. [ 156.839248][T10058] netlink: 8 bytes leftover after parsing attributes in process `syz.4.1083'. [ 156.839281][T10058] netlink: 4 bytes leftover after parsing attributes in process `syz.4.1083'. [ 156.955778][T10065] validate_nla: 3 callbacks suppressed [ 156.955830][T10065] netlink: 'syz.1.1091': attribute type 10 has an invalid length. [ 157.069249][T10073] netlink: 'syz.2.1092': attribute type 1 has an invalid length. [ 157.362542][T10079] xt_connbytes: Forcing CT accounting to be enabled [ 157.362652][T10079] set match dimension is over the limit! [ 157.383770][T10079] SQUASHFS error: Failed to read block 0x0: -5 [ 158.108230][T10089] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 158.109999][T10089] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 158.328274][T10094] 8021q: adding VLAN 0 to HW filter on device bond0 [ 158.339626][T10094] bond0: (slave rose0): Enslaving as an active interface with an up link [ 158.541424][T10100] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 158.544683][T10100] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 158.547560][T10099] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 158.549476][T10099] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 159.098567][T10149] binder: BINDER_SET_CONTEXT_MGR already set [ 159.100646][T10149] binder: 10148:10149 ioctl 4018620d 20004a80 returned -16 [ 159.102516][T10149] binder: 10148:10149 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 159.105590][T10149] binder: 10149 RLIMIT_NICE not set [ 159.160494][T10153] binder: 10148:10153 got reply transaction with no transaction stack [ 159.169929][T10153] binder: 10148:10153 transaction reply to 0:0 failed 73/29201/-71, code 0 size 0-0 line 3135 [ 159.425170][ T6586] libceph: connect (1)[c::]:6789 error -22 [ 159.428358][ T6586] libceph: mon0 (1)[c::]:6789 connect error [ 159.694768][ T6644] libceph: connect (1)[c::]:6789 error -22 [ 159.696292][ T6644] libceph: mon0 (1)[c::]:6789 connect error [ 159.983116][T10156] ceph: No mds server is up or the cluster is laggy [ 159.986265][ T9] binder: undelivered TRANSACTION_ERROR: 29201 [ 160.036644][T10171] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 160.057234][T10171] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 160.664172][T10185] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 160.666592][T10185] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 160.795350][T10187] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 160.795599][T10187] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 160.852010][T10189] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 160.852184][T10189] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 161.206142][T10196] binder: BINDER_SET_CONTEXT_MGR already set [ 161.206163][T10196] binder: 10195:10196 ioctl 4018620d 20004a80 returned -16 [ 161.207619][T10196] binder: 10195:10196 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 161.207630][T10196] binder: 10196 RLIMIT_NICE not set [ 161.257829][T10197] binder: 10195:10197 got reply transaction with no transaction stack [ 161.257867][T10197] binder: 10195:10197 transaction reply to 0:0 failed 76/29201/-71, code 0 size 0-0 line 3135 [ 161.314332][T10201] netlink: 'syz.4.1123': attribute type 1 has an invalid length. [ 161.627221][T10209] 9p: Bad value for 'wfdno' [ 162.039255][ T6694] binder: undelivered TRANSACTION_ERROR: 29201 [ 162.160586][T10223] loop1: detected capacity change from 0 to 128 [ 162.161061][T10223] EXT4-fs: Ignoring removed nobh option [ 162.179463][T10223] EXT4-fs (loop1): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 162.203292][ T6574] EXT4-fs (loop1): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 162.285267][ T6683] usb 1-1: new high-speed USB device number 11 using dummy_hcd [ 162.545177][ T6683] usb 1-1: config 1 has too many interfaces: 66, using maximum allowed: 32 [ 162.546785][ T6683] usb 1-1: config 1 has an invalid descriptor of length 55, skipping remainder of the config [ 162.546801][ T6683] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 66 [ 162.546819][ T6683] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 55, changing to 9 [ 162.546831][ T6683] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 8496, setting to 1024 [ 162.555716][ T6683] usb 1-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40 [ 162.557750][ T6683] usb 1-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0 [ 162.559206][ T6683] usb 1-1: Product: syz [ 162.559903][ T6683] usb 1-1: Manufacturer: syz [ 162.566303][ T6683] cdc_wdm 1-1:1.0: skipping garbage [ 162.567348][ T6683] cdc_wdm 1-1:1.0: skipping garbage [ 162.569895][ T6683] cdc_wdm 1-1:1.0: cdc-wdm0: USB WDM device [ 162.571101][ T6683] cdc_wdm 1-1:1.0: Unknown control protocol [ 162.576923][T10231] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 162.577097][T10231] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 162.745802][T10233] netlink: 48 bytes leftover after parsing attributes in process `syz.3.1133'. [ 162.758835][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.758855][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.760082][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.760096][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.761232][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.761242][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.762375][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.762387][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.763386][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.763399][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.763714][T10235] netlink: 'syz.3.1134': attribute type 1 has an invalid length. [ 162.764484][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.764498][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.765484][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.765497][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.766556][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.766568][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.767591][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.767604][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.768688][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 162.768702][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 162.782075][ T6694] usb 1-1: USB disconnect, device number 11 [ 162.783037][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - usb_submit_urb failed with result -19 [ 163.272976][T10242] binder: 10241:10242 got transaction to invalid handle, 1 [ 163.273005][T10242] binder: 10241:10242 cannot find target node [ 163.273019][T10242] binder: 10241:10242 transaction call to 0:0 failed 80/29201/-22, code 0 size 0-0 line 3232 [ 163.274511][T10242] binder: 10241:10242 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 163.274521][T10242] binder: 10242 RLIMIT_NICE not set [ 163.323389][T10243] binder: 10241:10243 got reply transaction with no transaction stack [ 163.323422][T10243] binder: 10241:10243 transaction reply to 0:0 failed 81/29201/-71, code 0 size 0-0 line 3135 [ 163.707106][T10247] syzkaller0: entered promiscuous mode [ 163.707139][T10247] syzkaller0: entered allmulticast mode [ 164.066932][ T6694] binder: undelivered TRANSACTION_ERROR: 29201 [ 164.070014][ T6694] binder: undelivered TRANSACTION_ERROR: 29201 [ 164.142849][ T6575] Bluetooth: hci1: command tx timeout [ 164.207030][T10256] loop0: detected capacity change from 0 to 128 [ 164.209611][T10256] EXT4-fs: Ignoring removed nobh option [ 164.268135][T10256] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 164.298243][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 164.521876][T10258] 9p: Bad value for 'wfdno' [ 164.645897][T10269] netlink: 44 bytes leftover after parsing attributes in process `syz.3.1144'. [ 164.662343][T10271] netlink: 'syz.3.1145': attribute type 1 has an invalid length. [ 165.076713][ T9] usb 1-1: new high-speed USB device number 12 using dummy_hcd [ 165.161372][T10282] binder: 10281:10282 got transaction to invalid handle, 1 [ 165.161413][T10282] binder: 10281:10282 cannot find target node [ 165.161810][T10282] binder: 10281:10282 transaction call to 0:0 failed 85/29201/-22, code 0 size 0-0 line 3232 [ 165.162060][T10282] binder: 10281:10282 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 165.162069][T10282] binder: 10282 RLIMIT_NICE not set [ 165.183045][T10284] netlink: 184 bytes leftover after parsing attributes in process `syz.1.1150'. [ 165.211133][T10287] binder: 10281:10287 transaction reply to 0:0 failed 86/29201/-71, code 0 size 0-0 line 3135 [ 165.214655][T10286] syzkaller0: entered promiscuous mode [ 165.214683][T10286] syzkaller0: entered allmulticast mode [ 165.280527][T10275] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 165.280691][T10275] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 165.292115][ T9] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7 [ 165.294046][ T9] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 165.294070][ T9] usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 21 [ 165.294088][ T9] usb 1-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 165.294097][ T9] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 165.306663][ T9] usb 1-1: config 0 descriptor?? [ 165.707260][ T9] plantronics 0003:047F:FFFF.0002: hiddev0,hidraw0: USB HID v0.40 Device [HID 047f:ffff] on usb-dummy_hcd.0-1/input0 [ 166.146105][T10296] 9p: Bad value for 'wfdno' [ 166.161374][ T54] Bluetooth: hci1: command tx timeout [ 166.199701][ T54] Bluetooth: hci2: command tx timeout [ 166.429024][ T4238] wlan1: Trigger new scan to find an IBSS to join [ 167.469165][T10306] netlink: 'syz.1.1156': attribute type 1 has an invalid length. [ 167.485678][ T9] usb 1-1: USB disconnect, device number 12 [ 168.004001][T10316] loop3: detected capacity change from 0 to 32768 [ 168.006459][T10316] BTRFS: device fsid c9fe44da-de57-406a-8241-57ec7d4412cf devid 1 transid 8 /dev/loop3 (7:3) scanned by syz.3.1159 (10316) [ 168.013850][T10316] BTRFS info (device loop3): first mount of filesystem c9fe44da-de57-406a-8241-57ec7d4412cf [ 168.013928][T10316] BTRFS info (device loop3): using crc32c (crc32c-lib) checksum algorithm [ 168.209041][ T6575] Bluetooth: hci2: command 0x0406 tx timeout [ 168.960864][T10331] netlink: 184 bytes leftover after parsing attributes in process `syz.0.1161'. [ 168.987659][T10316] BTRFS info (device loop3): turning off barriers [ 168.990059][T10316] BTRFS info (device loop3): enabling free space tree [ 168.991418][T10316] BTRFS info (device loop3): use zlib compression, level 3 [ 169.075271][T10345] TCP: tcp_parse_options: Illegal window scaling value 150 > 14 received [ 169.259329][T10341] binder_user_error: 1 callbacks suppressed [ 169.259374][T10341] binder: 10340:10341 got transaction to invalid handle, 1 [ 169.276067][T10341] binder_debug: 2 callbacks suppressed [ 169.277166][T10341] binder: 10340:10341 cannot find target node [ 169.278290][T10341] binder: 10340:10341 transaction call to 0:0 failed 90/29201/-22, code 0 size 0-0 line 3232 [ 169.280370][T10341] binder: 10340:10341 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 169.280404][T10341] binder: 10341 RLIMIT_NICE not set [ 169.339022][ T816] wlan1: Trigger new scan to find an IBSS to join [ 169.339337][T10350] binder: 10340:10350 got reply transaction with no transaction stack [ 169.339518][T10350] binder: 10340:10350 transaction reply to 0:0 failed 91/29201/-71, code 0 size 0-0 line 3135 [ 169.511743][T10353] netlink: 294 bytes leftover after parsing attributes in process `syz.3.1159'. [ 169.511843][T10353] openvswitch: netlink: Flow actions may not be safe on all matching packets. [ 169.771301][ T2382] binder: undelivered TRANSACTION_ERROR: 29201 [ 169.799347][ T2382] binder: undelivered TRANSACTION_ERROR: 29201 [ 170.200722][T10370] netlink: 'syz.2.1168': attribute type 1 has an invalid length. [ 170.256200][ T6580] BTRFS info (device loop3): last unmount of filesystem c9fe44da-de57-406a-8241-57ec7d4412cf [ 170.289122][T10378] loop0: detected capacity change from 0 to 128 [ 170.292425][T10378] EXT4-fs: Ignoring removed nobh option [ 170.364616][T10378] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 170.668143][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 170.749571][T10390] netlink: 584 bytes leftover after parsing attributes in process `syz.1.1167'. [ 170.755450][T10390] qnx6: unable to read the first superblock [ 170.771221][T10392] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 170.773076][T10392] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 171.413072][T10399] 9p: Bad value for 'wfdno' [ 171.656527][T10405] binder: BINDER_SET_CONTEXT_MGR already set [ 171.656555][T10405] binder: 10404:10405 ioctl 4018620d 20004a80 returned -16 [ 171.661228][T10405] binder: 10404:10405 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 171.663590][T10405] binder: 10405 RLIMIT_NICE not set [ 171.713688][T10410] binder: 10404:10410 got reply transaction with no transaction stack [ 171.713728][T10410] binder: 10404:10410 transaction reply to 0:0 failed 93/29201/-71, code 0 size 0-0 line 3135 [ 172.180277][T10417] netlink: 'syz.2.1181': attribute type 1 has an invalid length. [ 172.295230][ T54] Bluetooth: hci2: command tx timeout [ 172.466766][ T6686] binder: undelivered TRANSACTION_ERROR: 29201 [ 172.481340][T10424] loop3: detected capacity change from 0 to 128 [ 172.481974][T10424] EXT4-fs: Ignoring removed nobh option [ 172.487876][T10424] EXT4-fs (loop3): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 172.598369][ T6580] EXT4-fs (loop3): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 173.068547][T10441] netlink: 44 bytes leftover after parsing attributes in process `syz.2.1189'. [ 173.123114][T10447] netlink: 'syz.3.1192': attribute type 1 has an invalid length. [ 173.133555][ T5827] wlan1: Trigger new scan to find an IBSS to join [ 173.411763][T10455] binder: BINDER_SET_CONTEXT_MGR already set [ 173.413171][T10455] binder: 10454:10455 ioctl 4018620d 20004a80 returned -16 [ 173.415387][T10455] binder: 10454:10455 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 173.417700][T10455] binder: 10455 RLIMIT_NICE not set [ 173.467437][T10458] binder: 10454:10458 got reply transaction with no transaction stack [ 173.467481][T10458] binder: 10454:10458 transaction reply to 0:0 failed 95/29201/-71, code 0 size 0-0 line 3135 [ 173.930303][T10463] tipc: Started in network mode [ 173.931249][T10463] tipc: Node identity ce09bec70793, cluster identity 4711 [ 173.931406][T10463] tipc: Enabled bearer , priority 0 [ 173.933992][T10463] syzkaller0: entered promiscuous mode [ 173.934005][T10463] syzkaller0: entered allmulticast mode [ 173.940402][T10462] tipc: Resetting bearer [ 173.946468][T10462] tipc: Disabling bearer [ 174.095522][ T816] wlan1: Creating new IBSS network, BSSID a6:10:52:47:80:a1 [ 174.102264][T10474] netlink: 44 bytes leftover after parsing attributes in process `syz.2.1202'. [ 174.117550][T10476] netlink: 'syz.2.1203': attribute type 1 has an invalid length. [ 174.272229][ T9] binder: undelivered TRANSACTION_ERROR: 29201 [ 174.285732][ T6575] Bluetooth: hci2: command 0x0406 tx timeout [ 174.310627][T10485] macvlan2: entered promiscuous mode [ 174.311832][T10485] macvlan2: entered allmulticast mode [ 174.312980][T10485] gretap0: entered allmulticast mode [ 174.357325][T10488] loop1: detected capacity change from 0 to 128 [ 174.359707][T10488] FAT-fs (loop1): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive! [ 174.362824][T10488] FAT-fs (loop1): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 174.388535][ T2579] FAT-fs (loop1): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 174.430030][ T6582] Bluetooth: hci3: command 0x2016 tx timeout [ 174.652078][T10491] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 174.652375][T10491] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 174.840631][T10497] trusted_key: encrypted_key: key user:syz not found [ 175.070495][T10501] tipc: Started in network mode [ 175.072964][T10501] tipc: Node identity 6e74f8d148c5, cluster identity 4711 [ 175.074549][T10501] tipc: Enabled bearer , priority 0 [ 175.076442][T10501] syzkaller0: entered promiscuous mode [ 175.077490][T10501] syzkaller0: entered allmulticast mode [ 175.084339][T10499] tipc: Resetting bearer [ 175.092494][T10499] tipc: Disabling bearer [ 175.158241][T10509] binder: BINDER_SET_CONTEXT_MGR already set [ 175.158268][T10509] binder: 10508:10509 ioctl 4018620d 20004a80 returned -16 [ 175.158501][T10509] binder: 10508:10509 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 175.158516][T10509] binder: 10509 RLIMIT_NICE not set [ 175.207047][T10513] binder: 10508:10513 got reply transaction with no transaction stack [ 175.207086][T10513] binder: 10508:10513 transaction reply to 0:0 failed 97/29201/-71, code 0 size 0-0 line 3135 [ 175.288628][ T6575] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci3/hci3:0' [ 175.290967][ T6575] CPU: 0 UID: 0 PID: 6575 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT [ 175.290991][ T6575] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 175.290997][ T6575] Workqueue: hci3 hci_rx_work [ 175.291015][ T6575] Call trace: [ 175.291018][ T6575] show_stack+0x2c/0x3c (C) [ 175.291029][ T6575] __dump_stack+0x30/0x40 [ 175.291037][ T6575] dump_stack_lvl+0xd8/0x12c [ 175.291044][ T6575] dump_stack+0x1c/0x28 [ 175.291050][ T6575] sysfs_create_dir_ns+0x22c/0x24c [ 175.291059][ T6575] kobject_add_internal+0x5a8/0xb48 [ 175.291070][ T6575] kobject_add+0x134/0x200 [ 175.291078][ T6575] device_add+0x394/0xa88 [ 175.291086][ T6575] hci_conn_add_sysfs+0xc0/0x1f8 [ 175.291093][ T6575] le_conn_complete_evt+0xc00/0x1064 [ 175.291099][ T6575] hci_le_enh_conn_complete_evt+0x114/0x410 [ 175.291109][ T6575] hci_le_meta_evt+0x2dc/0x500 [ 175.291116][ T6575] hci_event_packet+0x6bc/0xf50 [ 175.291122][ T6575] hci_rx_work+0x300/0xd80 [ 175.291131][ T6575] process_one_work+0x7c0/0x1558 [ 175.291140][ T6575] worker_thread+0x958/0xed8 [ 175.291148][ T6575] kthread+0x5fc/0x75c [ 175.291155][ T6575] ret_from_fork+0x10/0x20 [ 175.292723][ T6575] kobject: kobject_add_internal failed for hci3:0 with -EEXIST, don't try to register things with the same name in the same directory. [ 175.292753][ T6575] Bluetooth: hci3: failed to register connection device [ 175.502241][ T6575] Bluetooth: hci3: unexpected event for opcode 0x1408 [ 176.419291][T10535] zonefs (nullb0) ERROR: Not a zoned block device [ 176.735162][ T24] binder: undelivered TRANSACTION_ERROR: 29201 [ 177.391059][T10556] loop0: detected capacity change from 0 to 128 [ 177.395185][T10556] FAT-fs (loop0): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive! [ 177.401172][T10556] FAT-fs (loop0): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 177.420000][ T3930] FAT-fs (loop0): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 177.608944][T10559] trusted_key: encrypted_key: key user:syz not found [ 177.713571][T10567] netlink: 'syz.0.1236': attribute type 1 has an invalid length. [ 177.721595][T10567] bond5: entered promiscuous mode [ 177.721718][T10567] 8021q: adding VLAN 0 to HW filter on device bond5 [ 177.743511][T10567] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 177.746192][T10567] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 177.779154][T10572] binder: 10571:10572 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 177.782400][T10572] binder: 10571:10572 got transaction to invalid handle, 1 [ 177.782419][T10572] binder: 10571:10572 cannot find target node [ 177.782436][T10572] binder: 10571:10572 transaction call to 0:0 failed 100/29201/-22, code 0 size 0-0 line 3232 [ 177.782543][T10572] binder: 10571:10572 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 177.782556][T10572] binder: 10572 RLIMIT_NICE not set [ 177.831390][T10574] binder: 10571:10574 got reply transaction with no transaction stack [ 177.831424][T10574] binder: 10571:10574 transaction reply to 0:0 failed 101/29201/-71, code 0 size 0-0 line 3135 [ 177.919661][ T6575] Bluetooth: hci4: unexpected event for opcode 0x1408 [ 178.573154][ T9] binder: undelivered TRANSACTION_ERROR: 29201 [ 178.587625][ T9] binder: undelivered TRANSACTION_ERROR: 29201 [ 178.710197][ T6575] Bluetooth: hci3: command 0x2016 tx timeout [ 178.934805][T10593] zonefs (nullb0) ERROR: Not a zoned block device [ 179.271350][T10602] netlink: 44 bytes leftover after parsing attributes in process `syz.3.1250'. [ 179.282698][T10606] binder: 10604:10606 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 179.283767][T10606] binder: 10604:10606 got transaction to invalid handle, 1 [ 179.283785][T10606] binder: 10604:10606 cannot find target node [ 179.283804][T10606] binder: 10604:10606 transaction call to 0:0 failed 104/29201/-22, code 0 size 0-0 line 3232 [ 179.333818][T10610] binder: 10604:10610 transaction reply to 0:0 failed 105/29201/-71, code 0 size 0-0 line 3135 [ 179.755015][T10622] netlink: 'syz.0.1257': attribute type 8 has an invalid length. [ 179.756602][T10622] netlink: 'syz.0.1257': attribute type 4 has an invalid length. [ 179.758234][T10622] netlink: 164 bytes leftover after parsing attributes in process `syz.0.1257'. [ 180.079585][ T9] binder: undelivered TRANSACTION_ERROR: 29201 [ 180.084402][ T9] binder: undelivered TRANSACTION_ERROR: 29201 [ 180.116576][T10631] loop4: detected capacity change from 0 to 256 [ 180.325198][ T24] usb 1-1: new high-speed USB device number 13 using dummy_hcd [ 180.695270][ T6575] Bluetooth: hci3: command 0x2016 tx timeout [ 180.801399][T10647] zonefs (nullb0) ERROR: Not a zoned block device [ 180.973745][ T24] usb 1-1: config 1 has too many interfaces: 66, using maximum allowed: 32 [ 180.973777][ T24] usb 1-1: config 1 has an invalid descriptor of length 55, skipping remainder of the config [ 180.973786][ T24] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 66 [ 180.973800][ T24] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 55, changing to 9 [ 180.973809][ T24] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 8496, setting to 1024 [ 180.986186][ T24] usb 1-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40 [ 180.986218][ T24] usb 1-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0 [ 180.986226][ T24] usb 1-1: Product: syz [ 180.986232][ T24] usb 1-1: Manufacturer: syz [ 180.996400][ T24] cdc_wdm 1-1:1.0: skipping garbage [ 180.996431][ T24] cdc_wdm 1-1:1.0: skipping garbage [ 180.998557][ T24] cdc_wdm 1-1:1.0: cdc-wdm0: USB WDM device [ 180.998579][ T24] cdc_wdm 1-1:1.0: Unknown control protocol [ 181.028228][T10651] tipc: Enabled bearer , priority 0 [ 181.030035][T10651] syzkaller0: entered promiscuous mode [ 181.030058][T10651] syzkaller0: entered allmulticast mode [ 181.037044][T10650] tipc: Resetting bearer [ 181.045732][T10650] tipc: Disabling bearer [ 181.076348][T10653] netlink: 'syz.4.1268': attribute type 8 has an invalid length. [ 181.076375][T10653] netlink: 'syz.4.1268': attribute type 4 has an invalid length. [ 181.076701][T10653] netlink: 164 bytes leftover after parsing attributes in process `syz.4.1268'. [ 181.193176][ T24] usb 1-1: USB disconnect, device number 13 [ 181.487880][T10669] netlink: 'syz.1.1274': attribute type 10 has an invalid length. [ 181.685060][T10675] 9p: Bad value for 'wfdno' [ 181.722221][ T54] Bluetooth: hci4: command 0x2016 tx timeout [ 182.244020][T10686] loop0: detected capacity change from 0 to 128 [ 182.244435][T10686] EXT4-fs: Ignoring removed nobh option [ 182.250011][T10684] netlink: 'syz.3.1280': attribute type 8 has an invalid length. [ 182.250056][T10684] netlink: 'syz.3.1280': attribute type 4 has an invalid length. [ 182.250068][T10684] netlink: 164 bytes leftover after parsing attributes in process `syz.3.1280'. [ 182.256573][T10686] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 182.347039][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 182.524267][T10695] zonefs (nullb0) ERROR: Not a zoned block device [ 182.757514][T10697] netlink: 'syz.3.1285': attribute type 10 has an invalid length. [ 182.835682][T10697] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 183.336217][T10722] netlink: 'syz.0.1293': attribute type 8 has an invalid length. [ 183.336250][T10722] netlink: 'syz.0.1293': attribute type 4 has an invalid length. [ 183.336274][T10722] netlink: 164 bytes leftover after parsing attributes in process `syz.0.1293'. [ 183.345980][T10724] loop3: detected capacity change from 0 to 128 [ 183.347650][T10724] EXT4-fs: Ignoring removed nobh option [ 183.362097][T10724] EXT4-fs (loop3): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 183.386939][ T6580] EXT4-fs (loop3): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 183.402015][T10730] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 183.402194][T10730] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 183.753031][T10740] netlink: 'syz.4.1300': attribute type 10 has an invalid length. [ 183.776261][T10740] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 183.878178][ T2467] ieee802154 phy0 wpan0: encryption failed: -22 [ 183.879752][ T2467] ieee802154 phy1 wpan1: encryption failed: -22 [ 183.952612][T10744] zonefs (nullb0) ERROR: Not a zoned block device [ 184.137422][T10748] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 184.139272][T10748] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 184.182765][ T54] Bluetooth: hci2: command tx timeout [ 184.252021][T10759] loop1: detected capacity change from 0 to 128 [ 184.256515][T10759] EXT4-fs: Ignoring removed nobh option [ 184.277706][T10759] EXT4-fs (loop1): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 184.326156][ T6574] EXT4-fs (loop1): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 184.801859][T10774] loop4: detected capacity change from 0 to 256 [ 184.836864][T10779] tipc: Enabled bearer , priority 0 [ 184.838400][T10779] syzkaller0: entered promiscuous mode [ 184.842371][T10779] syzkaller0: entered allmulticast mode [ 184.851266][T10778] tipc: Resetting bearer [ 184.856568][T10778] tipc: Disabling bearer [ 184.931520][T10784] netlink: 'syz.2.1315': attribute type 1 has an invalid length. [ 184.951583][T10784] netlink: 28 bytes leftover after parsing attributes in process `syz.2.1315'. [ 184.952121][T10784] 8021q: adding VLAN 0 to HW filter on device bond15 [ 185.024643][T10789] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 185.024822][T10789] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 185.387410][ T6575] Bluetooth: hci3: command 0x2016 tx timeout [ 185.775369][T10798] netlink: 'syz.3.1319': attribute type 1 has an invalid length. [ 185.812013][T10798] netlink: 28 bytes leftover after parsing attributes in process `syz.3.1319'. [ 185.815391][T10798] 8021q: adding VLAN 0 to HW filter on device bond14 [ 185.988355][T10811] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 185.990745][T10811] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 186.209423][ T54] Bluetooth: hci2: command 0x0406 tx timeout [ 186.239032][ T54] Bluetooth: hci1: command 0x2016 tx timeout [ 186.355706][T10816] 9p: Bad value for 'wfdno' [ 186.575491][T10818] netlink: 'syz.1.1326': attribute type 10 has an invalid length. [ 187.382548][ T6582] Bluetooth: hci3: command 0x2016 tx timeout [ 188.056499][T10848] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 188.056694][T10848] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 188.074245][T10850] netlink: 'syz.0.1337': attribute type 1 has an invalid length. [ 188.093272][T10852] netlink: 'syz.3.1338': attribute type 10 has an invalid length. [ 188.248989][ T6575] Bluetooth: hci1: command 0x2016 tx timeout [ 188.535598][T10864] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 188.537494][T10864] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 189.040378][T10873] loop4: detected capacity change from 0 to 128 [ 189.041657][T10873] EXT4-fs: Ignoring removed nobh option [ 189.044023][T10873] EXT4-fs (loop4): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 189.155257][ T6581] EXT4-fs (loop4): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 189.396847][ T44] usb 1-1: new high-speed USB device number 14 using dummy_hcd [ 189.525102][ T44] usb 1-1: device descriptor read/64, error -71 [ 189.644099][T10893] loop1: detected capacity change from 0 to 256 [ 189.782151][ T44] usb 1-1: new high-speed USB device number 15 using dummy_hcd [ 190.134456][ T44] usb 1-1: device descriptor read/64, error -71 [ 190.240044][ T44] usb usb1-port1: attempt power cycle [ 190.317900][T10901] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 190.319753][T10901] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 190.572607][ T44] usb 1-1: new high-speed USB device number 16 using dummy_hcd [ 190.649048][T10907] 9p: Bad value for 'wfdno' [ 190.796512][ T44] usb 1-1: device descriptor read/8, error -71 [ 190.854043][T10909] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 190.855810][T10909] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 190.963088][ T54] Bluetooth: hci4: command 0x2016 tx timeout [ 191.052368][ T44] usb 1-1: new high-speed USB device number 17 using dummy_hcd [ 191.078442][ T44] usb 1-1: device descriptor read/8, error -71 [ 191.184002][ T44] usb usb1-port1: unable to enumerate USB device [ 191.350070][T10914] loop2: detected capacity change from 0 to 128 [ 191.350410][T10914] EXT4-fs: Ignoring removed nobh option [ 191.355519][T10914] EXT4-fs (loop2): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 191.380377][ T6573] EXT4-fs (loop2): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 192.866579][T10945] loop3: detected capacity change from 0 to 128 [ 192.867821][T10945] EXT4-fs: Ignoring removed nobh option [ 192.882589][T10945] EXT4-fs (loop3): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 192.944857][ T6575] Bluetooth: hci4: command 0x2016 tx timeout [ 192.958162][T10950] set match dimension is over the limit! [ 193.204171][ T6580] EXT4-fs (loop3): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 193.334908][ T54] Bluetooth: hci0: command 0x2016 tx timeout [ 193.390586][T10961] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 193.390759][T10961] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 194.626155][T10983] loop3: detected capacity change from 0 to 128 [ 194.627845][T10983] EXT4-fs: Ignoring removed nobh option [ 194.680437][T10983] EXT4-fs (loop3): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 194.685240][ T54] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci3/hci3:0' [ 194.685278][ T54] CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT [ 194.685289][ T54] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 194.685294][ T54] Workqueue: hci3 hci_rx_work [ 194.685316][ T54] Call trace: [ 194.685319][ T54] show_stack+0x2c/0x3c (C) [ 194.685332][ T54] __dump_stack+0x30/0x40 [ 194.685343][ T54] dump_stack_lvl+0xd8/0x12c [ 194.685350][ T54] dump_stack+0x1c/0x28 [ 194.685356][ T54] sysfs_create_dir_ns+0x22c/0x24c [ 194.685367][ T54] kobject_add_internal+0x5a8/0xb48 [ 194.685378][ T54] kobject_add+0x134/0x200 [ 194.685387][ T54] device_add+0x394/0xa88 [ 194.685395][ T54] hci_conn_add_sysfs+0xc0/0x1f8 [ 194.685402][ T54] le_conn_complete_evt+0xc00/0x1064 [ 194.685408][ T54] hci_le_conn_complete_evt+0x114/0x410 [ 194.685418][ T54] hci_le_meta_evt+0x2dc/0x500 [ 194.685425][ T54] hci_event_packet+0x6bc/0xf50 [ 194.685432][ T54] hci_rx_work+0x300/0xd80 [ 194.685441][ T54] process_one_work+0x7c0/0x1558 [ 194.685450][ T54] worker_thread+0x958/0xed8 [ 194.685458][ T54] kthread+0x5fc/0x75c [ 194.685465][ T54] ret_from_fork+0x10/0x20 [ 194.685485][ T54] kobject: kobject_add_internal failed for hci3:0 with -EEXIST, don't try to register things with the same name in the same directory. [ 194.685501][ T54] Bluetooth: hci3: failed to register connection device [ 194.756667][T10987] loop4: detected capacity change from 0 to 128 [ 194.760357][T10987] FAT-fs (loop4): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive! [ 194.772567][T10987] FAT-fs (loop4): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 194.778589][ T6580] EXT4-fs (loop3): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 194.804578][ T4238] FAT-fs (loop4): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 194.858675][ T54] Bluetooth: hci3: command 0x2016 tx timeout [ 195.615906][ T6166] Bluetooth: hci0: command 0x2016 tx timeout [ 195.928489][T11006] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 195.928746][T11006] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 196.709597][T11026] loop0: detected capacity change from 0 to 128 [ 196.713948][T11026] EXT4-fs: Ignoring removed nobh option [ 196.715341][T11028] loop4: detected capacity change from 0 to 128 [ 196.715804][T11028] FAT-fs (loop4): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive! [ 196.721125][T11028] FAT-fs (loop4): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 196.727033][T11026] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 196.733574][T11027] binder_user_error: 3 callbacks suppressed [ 196.734689][T11027] binder: 11023:11027 tried to acquire reference to desc 0, got 1 instead [ 196.742468][T11027] binder_alloc: 11023: binder_alloc_buf, no vma [ 196.743710][T11027] binder: cannot allocate buffer: vma cleared, target dead or dying [ 196.743777][T11027] binder: 11023:11027 transaction async to 11023:0 failed 110/29189/-3, code 0 size 72-24 line 3389 [ 196.747686][T11027] binder: 11023:11027 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 196.747716][T11027] binder: 11027 RLIMIT_NICE not set [ 196.773731][ T339] FAT-fs (loop4): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 196.795441][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 196.870729][ T6582] Bluetooth: hci3: command 0x2016 tx timeout [ 197.213482][T11039] siw: device registration error -23 [ 197.565252][ T1544] binder: undelivered TRANSACTION_ERROR: 29189 [ 197.645221][T11045] binder: tried to use weak ref as strong ref [ 197.645328][T11045] binder: 11044:11045 Acquire 1 refcount change on invalid ref 0 ret -22 [ 197.645564][T11045] binder: 11044:11045 got transaction to invalid handle, 1 [ 197.645572][T11045] binder: 11044:11045 cannot find target node [ 197.645584][T11045] binder: 11044:11045 transaction async to 0:0 failed 113/29201/-22, code 0 size 72-24 line 3232 [ 197.645910][T11045] binder: 11044:11045 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 197.645919][T11045] binder: 11045 RLIMIT_NICE not set [ 197.646191][ T1544] binder: undelivered TRANSACTION_ERROR: 29201 [ 198.181740][T11057] loop0: detected capacity change from 0 to 256 [ 198.334409][T11062] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 198.341130][T11062] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 198.735240][ T6582] Bluetooth: hci2: command tx timeout [ 198.811462][ T6166] Bluetooth: hci3: command 0x2016 tx timeout [ 199.284533][T11077] loop0: detected capacity change from 0 to 128 [ 199.287097][T11077] EXT4-fs: Ignoring removed nobh option [ 199.314260][T11077] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 200.048794][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 200.718712][ T54] Bluetooth: hci2: command 0x0406 tx timeout [ 200.792436][ T54] Bluetooth: hci3: command 0x2016 tx timeout [ 200.833642][T11106] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 200.835889][T11106] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 200.995564][T11114] siw: device registration error -23 [ 202.268015][T11134] loop0: detected capacity change from 0 to 128 [ 202.268391][T11134] EXT4-fs: Ignoring removed nobh option [ 203.267312][T11134] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 203.271456][T11143] netlink: 'syz.1.1428': attribute type 1 has an invalid length. [ 203.291275][T11143] netlink: 28 bytes leftover after parsing attributes in process `syz.1.1428'. [ 203.305247][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 204.493699][T11181] netlink: 'syz.0.1440': attribute type 1 has an invalid length. [ 204.542668][T11184] netlink: 8 bytes leftover after parsing attributes in process `syz.0.1440'. [ 204.543676][T11181] bond7: entered promiscuous mode [ 204.543791][T11181] 8021q: adding VLAN 0 to HW filter on device bond7 [ 204.546969][T11184] netlink: 4 bytes leftover after parsing attributes in process `syz.0.1440'. [ 204.554258][T11181] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 204.554932][T11181] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 204.555000][T11181] netlink: 8 bytes leftover after parsing attributes in process `syz.0.1440'. [ 204.555009][T11181] netlink: 4 bytes leftover after parsing attributes in process `syz.0.1440'. [ 204.991993][T11191] netlink: 'syz.3.1441': attribute type 1 has an invalid length. [ 205.003189][T11190] loop0: detected capacity change from 0 to 128 [ 205.003577][T11190] EXT4-fs: Ignoring removed nobh option [ 205.012537][T11190] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 205.031556][T11191] netlink: 28 bytes leftover after parsing attributes in process `syz.3.1441'. [ 205.063048][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 205.092905][T11196] loop4: detected capacity change from 0 to 256 [ 205.095676][T11197] netlink: 'syz.3.1445': attribute type 8 has an invalid length. [ 205.098197][T11197] netlink: 176 bytes leftover after parsing attributes in process `syz.3.1445'. [ 205.746911][T11215] netlink: 8 bytes leftover after parsing attributes in process `syz.2.1447'. [ 205.747000][T11215] netlink: 4 bytes leftover after parsing attributes in process `syz.2.1447'. [ 205.747116][T11215] netlink: 'syz.2.1447': attribute type 13 has an invalid length. [ 205.747165][T11215] netlink: 'syz.2.1447': attribute type 12 has an invalid length. [ 205.850169][ T3267] wlan1: No active IBSS STAs - trying to scan for other IBSS networks with same SSID (merge) [ 206.282845][T11226] zonefs (nullb0) ERROR: Not a zoned block device [ 206.562604][T11229] netlink: 'syz.1.1453': attribute type 1 has an invalid length. [ 206.630687][T11233] netlink: 8 bytes leftover after parsing attributes in process `syz.1.1453'. [ 206.664066][T11229] bond11: entered promiscuous mode [ 206.667559][T11229] 8021q: adding VLAN 0 to HW filter on device bond11 [ 206.669547][T11236] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 206.669641][T11236] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 206.673742][T11237] loop0: detected capacity change from 0 to 128 [ 206.675691][T11237] EXT4-fs: Ignoring removed nobh option [ 206.692268][T11237] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 206.769218][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 206.905117][T11244] netlink: 'syz.2.1454': attribute type 13 has an invalid length. [ 206.905154][T11244] netlink: 'syz.2.1454': attribute type 12 has an invalid length. [ 207.114245][T11247] netlink: 'syz.0.1456': attribute type 8 has an invalid length. [ 208.025876][T11266] 9p: Bad value for 'wfdno' [ 208.256925][T11274] __nla_validate_parse: 6 callbacks suppressed [ 208.258413][T11274] netlink: 8 bytes leftover after parsing attributes in process `syz.3.1465'. [ 208.263178][T11274] bridge0: port 2(bridge_slave_1) entered disabled state [ 208.263270][T11274] bridge0: port 1(bridge_slave_0) entered disabled state [ 208.286340][T11278] loop0: detected capacity change from 0 to 128 [ 208.286698][T11278] EXT4-fs: Ignoring removed nobh option [ 208.301740][T11278] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 208.321514][T11284] netlink: 'syz.3.1467': attribute type 1 has an invalid length. [ 208.333259][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 208.349625][T11284] bond16: entered promiscuous mode [ 208.356991][T11284] 8021q: adding VLAN 0 to HW filter on device bond16 [ 208.373282][T11284] netlink: 8 bytes leftover after parsing attributes in process `syz.3.1467'. [ 208.373331][T11284] netlink: 4 bytes leftover after parsing attributes in process `syz.3.1467'. [ 208.445288][T11293] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 208.445398][T11293] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 208.445455][T11293] netlink: 8 bytes leftover after parsing attributes in process `syz.3.1467'. [ 208.445463][T11293] netlink: 4 bytes leftover after parsing attributes in process `syz.3.1467'. [ 208.458461][T11296] netlink: 'syz.4.1470': attribute type 8 has an invalid length. [ 208.458492][T11296] netlink: 176 bytes leftover after parsing attributes in process `syz.4.1470'. [ 208.991233][T11311] zonefs (nullb0) ERROR: Not a zoned block device [ 209.708655][T11328] netlink: 'syz.3.1478': attribute type 10 has an invalid length. [ 209.778463][T11337] netlink: 'syz.3.1481': attribute type 8 has an invalid length. [ 209.780001][T11337] netlink: 176 bytes leftover after parsing attributes in process `syz.3.1481'. [ 209.919786][T11343] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 209.919902][T11343] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 210.196980][T11355] loop3: detected capacity change from 0 to 256 [ 210.351538][ T6580] FAT-fs (loop3): error, corrupted directory (invalid entries) [ 210.351583][ T6580] FAT-fs (loop3): Filesystem has been set read-only [ 210.352795][ T6580] FAT-fs (loop3): error, corrupted directory (invalid entries) [ 211.155391][T11373] netlink: 'syz.2.1492': attribute type 8 has an invalid length. [ 211.155426][T11373] netlink: 176 bytes leftover after parsing attributes in process `syz.2.1492'. [ 211.415214][ T6166] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 211.416401][ T6166] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 211.417178][ T6166] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 211.418183][ T6166] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 211.418435][ T6166] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 211.548246][T11399] zonefs (nullb0) ERROR: Not a zoned block device [ 211.846543][ T339] netdevsim netdevsim3 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 211.897402][T11394] lo speed is unknown, defaulting to 1000 [ 211.946547][ T339] netdevsim netdevsim3 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 212.004975][T11412] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 212.008402][T11412] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 212.015648][ T339] netdevsim netdevsim3 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 212.037786][T11394] chnl_net:caif_netlink_parms(): no params data found [ 212.071253][T11416] netlink: 'syz.1.1504': attribute type 8 has an invalid length. [ 212.072786][T11416] netlink: 176 bytes leftover after parsing attributes in process `syz.1.1504'. [ 212.079729][ T339] netdevsim netdevsim3 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 212.186923][T11394] bridge0: port 1(bridge_slave_0) entered blocking state [ 212.188710][T11394] bridge0: port 1(bridge_slave_0) entered disabled state [ 212.190303][T11394] bridge_slave_0: entered allmulticast mode [ 212.192132][T11394] bridge_slave_0: entered promiscuous mode [ 212.194565][T11394] bridge0: port 2(bridge_slave_1) entered blocking state [ 212.196038][T11394] bridge0: port 2(bridge_slave_1) entered disabled state [ 212.346482][T11394] bridge_slave_1: entered allmulticast mode [ 212.434279][T11394] bridge_slave_1: entered promiscuous mode [ 212.455097][T11394] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 212.458603][T11394] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 212.466851][T11425] netlink: 'syz.0.1506': attribute type 1 has an invalid length. [ 212.477209][T11425] bond8: entered promiscuous mode [ 212.478500][T11425] 8021q: adding VLAN 0 to HW filter on device bond8 [ 212.482589][T11394] team0: Port device team_slave_0 added [ 212.486428][T11394] team0: Port device team_slave_1 added [ 212.512302][T11394] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 212.513674][T11394] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 212.518682][T11394] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 212.534159][T11394] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 212.535472][T11394] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem. [ 212.535489][T11394] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 212.578243][ T339] bridge_slave_1: left allmulticast mode [ 212.580327][ T339] bridge_slave_1: left promiscuous mode [ 212.583680][ T339] bridge0: port 2(bridge_slave_1) entered disabled state [ 212.587802][ T339] bridge_slave_0: left allmulticast mode [ 212.589426][ T339] bridge_slave_0: left promiscuous mode [ 212.589527][ T339] bridge0: port 1(bridge_slave_0) entered disabled state [ 212.634189][T11427] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 212.636253][T11427] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 213.163533][T11436] binder: BINDER_SET_CONTEXT_MGR already set [ 213.163555][T11436] binder: 11435:11436 ioctl 4018620d 20004a80 returned -16 [ 213.168722][T11436] binder: 11435:11436 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 213.168748][T11436] binder: 11436 RLIMIT_NICE not set [ 213.192167][ T339] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 213.413015][ T6166] Bluetooth: hci3: command tx timeout [ 213.446232][T11439] binder: 11435:11439 got reply transaction with no transaction stack [ 213.446270][T11439] binder: 11435:11439 transaction reply to 0:0 failed 115/29201/-71, code 0 size 0-0 line 3135 [ 213.450235][ T339] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 213.499807][ T339] bond0 (unregistering): (slave wlan1): Releasing backup interface [ 213.528409][ T339] bond0 (unregistering): Released all slaves [ 213.531617][ T339] bond1 (unregistering): Released all slaves [ 213.570151][ T339] bond2 (unregistering): (slave wireguard0): Releasing backup interface [ 213.570181][ T339] wireguard0: left promiscuous mode [ 213.595691][ T339] bond2 (unregistering): Released all slaves [ 213.632317][ T339] bond3 (unregistering): (slave wireguard1): Releasing backup interface [ 213.632348][ T339] wireguard1: left promiscuous mode [ 213.671426][ T339] bond3 (unregistering): Released all slaves [ 213.674857][ T339] bond4 (unregistering): Released all slaves [ 213.707417][ T339] bond5 (unregistering): (slave wireguard2): Releasing backup interface [ 213.707475][ T339] wireguard2: left promiscuous mode [ 213.718645][ T339] bond5 (unregistering): Released all slaves [ 213.752560][ T339] bond6 (unregistering): Released all slaves [ 213.787349][ T339] bond7 (unregistering): Released all slaves [ 213.818635][ T339] bond8 (unregistering): Released all slaves [ 213.824910][ T339] bond9 (unregistering): Released all slaves [ 213.828157][ T339] bond10 (unregistering): Released all slaves [ 213.831688][ T339] bond11 (unregistering): Released all slaves [ 213.834857][ T339] bond12 (unregistering): Released all slaves [ 213.838306][ T339] bond13 (unregistering): Released all slaves [ 213.878097][ T339] bond14 (unregistering): Released all slaves [ 213.881796][ T339] bond15 (unregistering): Released all slaves [ 213.954250][ T339] bond16 (unregistering): Released all slaves [ 213.968141][ T6686] binder: undelivered TRANSACTION_ERROR: 29201 [ 213.997693][T11425] workqueue: Failed to create a rescuer kthread for wq "wg-crypt-wireguard%d": -EINTR [ 214.040161][T11394] hsr_slave_0: entered promiscuous mode [ 214.040518][T11394] hsr_slave_1: entered promiscuous mode [ 214.040713][T11394] debugfs: 'hsr0' already exists in 'hsr' [ 214.040723][T11394] Cannot create hsr debugfs directory [ 214.423562][ T339] tipc: Left network mode [ 214.425467][T11464] netlink: 'syz.0.1514': attribute type 8 has an invalid length. [ 214.425496][T11464] netlink: 176 bytes leftover after parsing attributes in process `syz.0.1514'. [ 215.422334][ T6166] Bluetooth: hci3: command tx timeout [ 215.539453][T11489] binder: BINDER_SET_CONTEXT_MGR already set [ 215.539481][T11489] binder: 11486:11489 ioctl 4018620d 20004a80 returned -16 [ 215.539903][T11489] binder: 11486:11489 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 215.539919][T11489] binder: 11489 RLIMIT_NICE not set [ 215.591859][T11491] binder: 11486:11491 got reply transaction with no transaction stack [ 215.591897][T11491] binder: 11486:11491 transaction reply to 0:0 failed 117/29201/-71, code 0 size 0-0 line 3135 [ 217.057643][ T10] binder: undelivered TRANSACTION_ERROR: 29201 [ 217.451614][T11505] netlink: 8 bytes leftover after parsing attributes in process `syz.4.1522'. [ 217.451689][T11505] netlink: 24 bytes leftover after parsing attributes in process `syz.4.1522'. [ 217.502110][ T6166] Bluetooth: hci3: command tx timeout [ 217.594836][T11509] netlink: 'syz.0.1525': attribute type 1 has an invalid length. [ 217.597832][T11511] netlink: 'syz.1.1526': attribute type 8 has an invalid length. [ 217.597860][T11511] netlink: 176 bytes leftover after parsing attributes in process `syz.1.1526'. [ 217.735065][T11525] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 217.735165][T11525] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 217.769972][T11394] netdevsim netdevsim5 netdevsim0: renamed from eth0 [ 218.565785][T11394] netdevsim netdevsim5 netdevsim1: renamed from eth1 [ 218.590692][T11509] bond9: entered promiscuous mode [ 218.591915][T11509] 8021q: adding VLAN 0 to HW filter on device bond9 [ 218.660893][T11538] binder: BINDER_SET_CONTEXT_MGR already set [ 218.660922][T11538] binder: 11537:11538 ioctl 4018620d 20004a80 returned -16 [ 218.661137][T11538] binder: 11537:11538 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 218.661154][T11538] binder: 11538 RLIMIT_NICE not set [ 218.678202][ T339] hsr_slave_0: left promiscuous mode [ 218.678697][ T339] hsr_slave_1: left promiscuous mode [ 218.679007][ T339] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 218.679031][ T339] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 218.693191][ T339] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 218.693224][ T339] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 218.704896][ T339] veth1_macvtap: left promiscuous mode [ 218.704979][ T339] veth0_macvtap: left promiscuous mode [ 218.705687][ T339] veth1_vlan: left promiscuous mode [ 218.705756][ T339] veth0_vlan: left promiscuous mode [ 218.709546][T11540] binder: 11537:11540 got reply transaction with no transaction stack [ 218.709578][T11540] binder: 11537:11540 transaction reply to 0:0 failed 119/29201/-71, code 0 size 0-0 line 3135 [ 218.805888][T11542] loop4: detected capacity change from 0 to 128 [ 218.810248][T11542] EXT4-fs: Ignoring removed nobh option [ 218.816739][T11542] EXT4-fs (loop4): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 218.845459][ T6581] EXT4-fs (loop4): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 219.275786][ T339] team0 (unregistering): Port device team_slave_1 removed [ 219.289511][ T339] team0 (unregistering): Port device team_slave_0 removed [ 219.417676][T11394] netdevsim netdevsim5 netdevsim2: renamed from eth2 [ 219.421654][T11394] netdevsim netdevsim5 netdevsim3: renamed from eth3 [ 219.470382][ T6166] Bluetooth: hci3: command tx timeout [ 219.475750][ T26] binder: undelivered TRANSACTION_ERROR: 29201 [ 219.572308][T11394] 8021q: adding VLAN 0 to HW filter on device bond0 [ 219.592673][T11394] 8021q: adding VLAN 0 to HW filter on device team0 [ 219.598065][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.598125][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.610933][T11563] netlink: 'syz.0.1536': attribute type 8 has an invalid length. [ 219.610978][T11563] netlink: 176 bytes leftover after parsing attributes in process `syz.0.1536'. [ 219.617880][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.617905][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 220.090873][T11591] syzkaller0: entered promiscuous mode [ 220.090922][T11591] syzkaller0: entered allmulticast mode [ 220.158840][T11394] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 220.256613][T11599] loop2: detected capacity change from 0 to 128 [ 220.265564][T11599] EXT4-fs: Ignoring removed nobh option [ 220.272725][T11599] EXT4-fs (loop2): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 220.359185][ T6573] EXT4-fs (loop2): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 220.379714][T11609] netlink: 'syz.0.1545': attribute type 1 has an invalid length. [ 220.398108][T11609] netlink: 28 bytes leftover after parsing attributes in process `syz.0.1545'. [ 220.411563][T11609] 8021q: adding VLAN 0 to HW filter on device bond10 [ 220.428371][T11394] veth0_vlan: entered promiscuous mode [ 220.434310][T11394] veth1_vlan: entered promiscuous mode [ 220.575999][T11394] veth0_macvtap: entered promiscuous mode [ 220.577119][T11394] veth1_macvtap: entered promiscuous mode [ 220.580169][T11394] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 220.581117][T11394] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 220.670583][ T41] netdevsim netdevsim5 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 220.718801][ T4380] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 220.720234][ T4380] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 220.721765][ T4380] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 220.723353][ T4380] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 220.733975][ T41] netdevsim netdevsim5 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 220.737801][ T41] netdevsim netdevsim5 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 220.739611][ T41] netdevsim netdevsim5 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 221.268308][T11649] zonefs (nullb0) ERROR: Not a zoned block device [ 221.577333][T11656] loop0: detected capacity change from 0 to 128 [ 221.593922][T11656] EXT4-fs: Ignoring removed nobh option [ 221.620899][T11657] netlink: 'syz.2.1556': attribute type 1 has an invalid length. [ 221.628264][T11661] netlink: 'syz.1.1555': attribute type 1 has an invalid length. [ 221.628959][T11656] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 221.650452][T11657] netlink: 28 bytes leftover after parsing attributes in process `syz.2.1556'. [ 221.657899][T11657] 8021q: adding VLAN 0 to HW filter on device bond16 [ 221.673887][T11659] syzkaller0: entered promiscuous mode [ 221.674934][T11659] syzkaller0: entered allmulticast mode [ 221.688864][T11667] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 221.690548][T11667] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 221.732117][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 222.391633][T11695] netlink: 'syz.1.1561': attribute type 8 has an invalid length. [ 222.391670][T11695] netlink: 176 bytes leftover after parsing attributes in process `syz.1.1561'. [ 223.404211][T11716] netlink: 8 bytes leftover after parsing attributes in process `syz.2.1564'. [ 223.404247][T11716] netlink: 4 bytes leftover after parsing attributes in process `syz.2.1564'. [ 223.404278][T11716] netlink: 'syz.2.1564': attribute type 13 has an invalid length. [ 223.404289][T11716] netlink: 'syz.2.1564': attribute type 12 has an invalid length. [ 223.704567][T11719] netlink: 'syz.5.1567': attribute type 1 has an invalid length. [ 223.715348][T11719] netlink: 28 bytes leftover after parsing attributes in process `syz.5.1567'. [ 223.717780][T11723] loop0: detected capacity change from 0 to 128 [ 223.807830][T11723] EXT4-fs: Ignoring removed nobh option [ 223.811385][T11727] syzkaller0: entered promiscuous mode [ 223.812343][T11727] syzkaller0: entered allmulticast mode [ 223.860985][T11723] EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 223.917620][T11732] netlink: 'syz.5.1571': attribute type 1 has an invalid length. [ 223.927726][T11732] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 223.927762][T11732] IPv6: NLM_F_CREATE should be set when creating new route [ 223.927768][T11732] IPv6: NLM_F_CREATE should be set when creating new route [ 223.928293][T11732] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 223.963620][ T6579] EXT4-fs (loop0): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 224.111907][T11741] netlink: 8 bytes leftover after parsing attributes in process `syz.2.1574'. [ 224.112025][T11741] netlink: 4 bytes leftover after parsing attributes in process `syz.2.1574'. [ 224.112060][T11741] netlink: 'syz.2.1574': attribute type 13 has an invalid length. [ 224.512191][T11755] faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2 [ 224.512224][T11755] faux_driver regulatory: Falling back to sysfs fallback for: regulatory.db [ 225.656342][T11773] validate_nla: 1 callbacks suppressed [ 225.657553][T11773] netlink: 'syz.5.1581': attribute type 1 has an invalid length. [ 225.669616][T11773] netlink: 28 bytes leftover after parsing attributes in process `syz.5.1581'. [ 225.674808][T11776] loop4: detected capacity change from 0 to 128 [ 225.677609][T11776] EXT4-fs: Ignoring removed nobh option [ 225.698366][T11776] EXT4-fs (loop4): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 225.769308][T11783] netlink: 'syz.5.1584': attribute type 1 has an invalid length. [ 225.808987][T11783] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 225.809091][T11783] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 225.812800][ T6581] EXT4-fs (loop4): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 225.861521][ T6166] Bluetooth: hci2: command 0x2016 tx timeout [ 227.073770][T11816] netlink: 'syz.5.1594': attribute type 1 has an invalid length. [ 227.078777][T11816] netlink: 28 bytes leftover after parsing attributes in process `syz.5.1594'. [ 227.230270][T11820] siw: device registration error -23 [ 227.335904][T11823] loop1: detected capacity change from 0 to 128 [ 227.346496][T11823] EXT4-fs: Ignoring removed nobh option [ 227.358746][T11823] EXT4-fs (loop1): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 227.364227][T11826] netlink: 'syz.5.1598': attribute type 1 has an invalid length. [ 227.485422][T11826] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 227.486978][T11826] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 227.556101][T11832] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 227.556583][T11832] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 227.618368][ T6574] EXT4-fs (loop1): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 227.690148][ T54] Bluetooth: hci4: command 0x2016 tx timeout [ 228.332216][ T54] Bluetooth: hci2: command 0x2016 tx timeout [ 228.461999][T11850] 9p: Bad value for 'wfdno' [ 229.056893][T11855] netlink: 'syz.5.1605': attribute type 1 has an invalid length. [ 229.068938][T11855] netlink: 28 bytes leftover after parsing attributes in process `syz.5.1605'. [ 229.448572][ T6166] Bluetooth: hci1: command 0x2016 tx timeout [ 229.680430][ T54] Bluetooth: hci4: command 0x2016 tx timeout [ 229.715659][T11870] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 229.717608][T11870] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 230.008976][T11881] netlink: 12 bytes leftover after parsing attributes in process `syz.0.1614'. [ 230.018429][T11882] netlink: 'syz.5.1615': attribute type 1 has an invalid length. [ 230.096400][T11889] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 230.096500][T11889] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 230.107701][T11891] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 230.107796][T11891] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 230.304138][T11896] netlink: 8 bytes leftover after parsing attributes in process `syz.4.1617'. [ 230.304219][T11896] netlink: 4 bytes leftover after parsing attributes in process `syz.4.1617'. [ 230.304346][T11896] netlink: 'syz.4.1617': attribute type 13 has an invalid length. [ 230.304385][T11896] netlink: 'syz.4.1617': attribute type 12 has an invalid length. [ 231.425911][ T6582] Bluetooth: hci1: command 0x2016 tx timeout [ 231.479647][T11914] netlink: 'syz.2.1622': attribute type 1 has an invalid length. [ 231.528783][T11919] netlink: 4 bytes leftover after parsing attributes in process `syz.2.1622'. [ 231.559441][T11914] bond17: entered promiscuous mode [ 231.560564][T11914] 8021q: adding VLAN 0 to HW filter on device bond17 [ 231.597304][T11914] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 231.597411][T11914] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 231.597471][T11914] netlink: 4 bytes leftover after parsing attributes in process `syz.2.1622'. [ 232.133485][T11935] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 232.136888][T11935] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 232.350177][T11941] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 232.350360][T11941] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 233.259025][T11955] netlink: 'syz.5.1636': attribute type 1 has an invalid length. [ 233.259534][T11955] netlink: 4 bytes leftover after parsing attributes in process `syz.5.1636'. [ 233.259823][T11955] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 233.259893][T11955] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 233.259949][T11955] netlink: 4 bytes leftover after parsing attributes in process `syz.5.1636'. [ 233.296044][T11954] bond12: entered promiscuous mode [ 233.297910][T11954] 8021q: adding VLAN 0 to HW filter on device bond12 [ 233.368285][T11954] 8021q: adding VLAN 0 to HW filter on device bond12 [ 233.368563][T11954] bond12: (slave wireguard4): The slave device specified does not support setting the MAC address [ 233.369087][T11954] bond12: (slave wireguard4): Error -95 calling set_mac_address [ 233.382608][T11965] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 233.382746][T11965] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 233.389247][T11965] bond12: (slave wireguard4): The slave device specified does not support setting the MAC address [ 233.392278][T11965] bond12: (slave wireguard4): Error -95 calling set_mac_address [ 233.530140][T11971] netlink: 8 bytes leftover after parsing attributes in process `syz.4.1637'. [ 233.530174][T11971] netlink: 4 bytes leftover after parsing attributes in process `syz.4.1637'. [ 233.530205][T11971] netlink: 'syz.4.1637': attribute type 13 has an invalid length. [ 233.530217][T11971] netlink: 'syz.4.1637': attribute type 12 has an invalid length. [ 233.635275][T11973] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 233.637062][T11973] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 234.342636][T12005] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 234.342804][T12005] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 234.492622][T12009] netlink: 'syz.2.1648': attribute type 1 has an invalid length. [ 234.496439][T12007] netlink: 'syz.1.1649': attribute type 1 has an invalid length. [ 234.511845][T12009] bond18: entered promiscuous mode [ 234.513005][T12009] 8021q: adding VLAN 0 to HW filter on device bond18 [ 234.521789][T12007] bond13: entered promiscuous mode [ 234.522874][T12007] 8021q: adding VLAN 0 to HW filter on device bond13 [ 234.527585][T12007] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 234.529678][T12007] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 234.533525][T12009] 8021q: adding VLAN 0 to HW filter on device bond18 [ 234.533715][T12009] bond18: (slave wireguard9): The slave device specified does not support setting the MAC address [ 234.534213][T12009] bond18: (slave wireguard9): Error -95 calling set_mac_address [ 234.538460][ T26] usb 1-1: new high-speed USB device number 18 using dummy_hcd [ 234.580000][T12015] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 234.581637][T12015] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 234.599398][T12015] bond18: (slave wireguard9): The slave device specified does not support setting the MAC address [ 234.601838][T12015] bond18: (slave wireguard9): Error -95 calling set_mac_address [ 234.954219][ T26] usb 1-1: config 1 has too many interfaces: 66, using maximum allowed: 32 [ 234.954262][ T26] usb 1-1: config 1 has an invalid descriptor of length 55, skipping remainder of the config [ 234.954274][ T26] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 66 [ 234.954292][ T26] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 14129, setting to 64 [ 234.956564][ T26] usb 1-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40 [ 234.956579][ T26] usb 1-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0 [ 234.956590][ T26] usb 1-1: Product: syz [ 234.956597][ T26] usb 1-1: Manufacturer: syz [ 234.961095][ T26] cdc_wdm 1-1:1.0: skipping garbage [ 234.961106][ T26] cdc_wdm 1-1:1.0: skipping garbage [ 234.961132][ T26] cdc_wdm 1-1:1.0: probe with driver cdc_wdm failed with error -22 [ 235.175500][T12041] netlink: 8 bytes leftover after parsing attributes in process `syz.2.1652'. [ 235.175566][T12041] netlink: 4 bytes leftover after parsing attributes in process `syz.2.1652'. [ 235.175687][T12041] netlink: 'syz.2.1652': attribute type 13 has an invalid length. [ 235.175727][T12041] netlink: 'syz.2.1652': attribute type 12 has an invalid length. [ 235.451468][T12044] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 235.461076][ T2382] usb 1-1: USB disconnect, device number 18 [ 235.520905][T12049] netlink: 'syz.1.1656': attribute type 8 has an invalid length. [ 235.522338][T12049] netlink: 176 bytes leftover after parsing attributes in process `syz.1.1656'. [ 235.556069][T12052] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 235.557736][T12052] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 236.330550][T12088] netlink: 'syz.1.1660': attribute type 1 has an invalid length. [ 236.387798][T12088] bond14: entered promiscuous mode [ 236.387944][T12088] 8021q: adding VLAN 0 to HW filter on device bond14 [ 236.400457][T12088] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 236.400551][T12088] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 236.419961][T12097] loop5: detected capacity change from 0 to 256 [ 236.918752][T12106] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 236.918944][T12106] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 237.288220][T12112] netlink: 'syz.4.1667': attribute type 8 has an invalid length. [ 237.288256][T12112] netlink: 176 bytes leftover after parsing attributes in process `syz.4.1667'. [ 237.341854][T12118] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 237.342035][T12118] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 237.548748][ T3930] wlan1: No active IBSS STAs - trying to scan for other IBSS networks with same SSID (merge) [ 237.714731][T12123] binder: 12122:12123 tried to acquire reference to desc 0, got 1 instead [ 237.715435][T12123] binder: 12122:12123 ioctl c0306201 0 returned -14 [ 237.740459][T12125] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 237.740651][T12125] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 238.212350][T12132] netlink: 'syz.5.1674': attribute type 1 has an invalid length. [ 238.218058][T12132] bond1: entered promiscuous mode [ 238.219271][T12132] 8021q: adding VLAN 0 to HW filter on device bond1 [ 238.227553][T12132] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 238.229064][T12132] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 238.357062][T12138] xt_NFQUEUE: number of queues (63489) out of range (got 96768) [ 238.751415][T12152] netlink: 'syz.2.1680': attribute type 8 has an invalid length. [ 238.752941][T12152] netlink: 176 bytes leftover after parsing attributes in process `syz.2.1680'. [ 238.778363][T12154] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 238.778577][T12154] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 239.272616][T12160] binder: 12159:12160 tried to acquire reference to desc 0, got 1 instead [ 239.274758][T12160] binder_alloc: 12159: binder_alloc_buf, no vma [ 239.275939][T12160] binder: cannot allocate buffer: vma cleared, target dead or dying [ 239.275993][T12160] binder: 12159:12160 transaction call to 12159:0 failed 130/29189/-3, code 0 size 0-0 line 3389 [ 239.279580][T12160] binder: 12159:12160 ERROR: Thread waiting for process work before calling BC_REGISTER_LOOPER or BC_ENTER_LOOPER (state 10) [ 239.281827][T12160] binder: 12160 RLIMIT_NICE not set [ 239.355209][T12163] binder: 12159:12163 got reply transaction with no transaction stack [ 239.356964][T12163] binder: 12159:12163 transaction reply to 0:0 failed 131/29201/-71, code 0 size 0-0 line 3135 [ 239.369587][T12165] netlink: 'syz.5.1685': attribute type 1 has an invalid length. [ 239.394220][T12165] bond2: entered promiscuous mode [ 239.394401][T12165] 8021q: adding VLAN 0 to HW filter on device bond2 [ 239.511418][ T6166] Bluetooth: hci4: unexpected event for opcode 0x1408 [ 240.258654][T12165] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 240.258765][T12165] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 240.259270][ T6683] binder: undelivered TRANSACTION_ERROR: 29201 [ 240.259313][ T6683] binder: undelivered TRANSACTION_ERROR: 29189 [ 240.298268][T12174] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 240.298434][T12174] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 240.524410][T12186] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 240.526751][T12186] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 241.268788][T12199] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 241.269068][T12199] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 242.052417][T12212] netlink: 8 bytes leftover after parsing attributes in process `syz.4.1698'. [ 242.052487][T12212] netlink: 4 bytes leftover after parsing attributes in process `syz.4.1698'. [ 242.052613][T12212] netlink: 'syz.4.1698': attribute type 13 has an invalid length. [ 242.052643][T12212] netlink: 'syz.4.1698': attribute type 12 has an invalid length. [ 242.365755][T12218] netlink: 'syz.5.1700': attribute type 1 has an invalid length. [ 242.396352][ T2467] ieee802154 phy0 wpan0: encryption failed: -22 [ 242.397680][ T2467] ieee802154 phy1 wpan1: encryption failed: -22 [ 242.401712][T12218] bond3: entered promiscuous mode [ 242.404282][T12218] 8021q: adding VLAN 0 to HW filter on device bond3 [ 242.420769][T12218] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 242.422277][T12218] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 242.897561][T12234] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 242.900870][T12234] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 243.234264][ T6166] Bluetooth: hci4: command 0x2016 tx timeout [ 243.717218][T12256] netlink: 'syz.0.1716': attribute type 1 has an invalid length. [ 244.209417][T12256] bond11: entered promiscuous mode [ 244.225367][T12256] 8021q: adding VLAN 0 to HW filter on device bond11 [ 244.226159][T12261] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 244.226250][T12261] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 244.299976][T12268] loop5: detected capacity change from 0 to 256 [ 245.226132][T12280] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 245.226476][T12280] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 246.247258][ T6582] Bluetooth: hci4: unexpected event for opcode 0x1408 [ 246.743608][T12302] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 246.756380][T12304] netlink: 'syz.1.1731': attribute type 1 has an invalid length. [ 246.760886][T12302] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 246.789433][T12304] bond15: entered promiscuous mode [ 246.789568][T12304] 8021q: adding VLAN 0 to HW filter on device bond15 [ 246.807046][T12304] netlink: 32 bytes leftover after parsing attributes in process `syz.1.1731'. [ 246.847207][T12304] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 246.847356][T12304] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 246.847614][T12304] netlink: 32 bytes leftover after parsing attributes in process `syz.1.1731'. [ 247.499504][T12315] zonefs (nullb0) ERROR: Not a zoned block device [ 247.720217][T12319] loop2: detected capacity change from 0 to 256 [ 248.825353][T12347] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 248.827163][T12347] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 249.814203][ T6582] Bluetooth: hci4: command 0x2016 tx timeout [ 249.846090][T12351] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 249.846272][T12351] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 249.992377][T12364] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 249.997624][T12364] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 251.196352][ T6634] usb 1-1: new high-speed USB device number 19 using dummy_hcd [ 251.385476][ T6634] usb 1-1: config 1 has too many interfaces: 66, using maximum allowed: 32 [ 251.387653][ T6634] usb 1-1: config 1 has an invalid descriptor of length 55, skipping remainder of the config [ 251.389619][ T6634] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 66 [ 251.391543][ T6634] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 55, changing to 9 [ 251.393746][ T6634] usb 1-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 8496, setting to 1024 [ 251.398070][ T6634] usb 1-1: New USB device found, idVendor=7d25, idProduct=a415, bcdDevice= 0.40 [ 251.400456][ T6634] usb 1-1: New USB device strings: Mfr=1, Product=4, SerialNumber=0 [ 251.402579][ T6634] usb 1-1: Product: syz [ 251.404258][ T6634] usb 1-1: Manufacturer: syz [ 251.424079][ T6634] cdc_wdm 1-1:1.0: skipping garbage [ 251.425618][ T6634] cdc_wdm 1-1:1.0: skipping garbage [ 251.427445][ T6634] cdc_wdm 1-1:1.0: cdc-wdm0: USB WDM device [ 251.429142][ T6634] cdc_wdm 1-1:1.0: Unknown control protocol [ 251.759389][ C0] wdm_int_callback: 16 callbacks suppressed [ 251.759411][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.759420][ C0] wdm_int_callback: 16 callbacks suppressed [ 251.759427][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.759581][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.759590][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.759735][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.759741][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.759886][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.759894][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.760038][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.760046][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.760189][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.760197][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.760337][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.760342][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.760510][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.760524][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.760687][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.760697][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.760849][ C0] cdc_wdm 1-1:1.0: nonzero urb status received: -71 [ 251.760857][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes [ 251.783475][ T6634] usb 1-1: USB disconnect, device number 19 [ 251.783496][ C0] cdc_wdm 1-1:1.0: wdm_int_callback - usb_submit_urb failed with result -19 [ 252.062201][T12398] loop5: detected capacity change from 0 to 256 [ 252.553961][T12401] loop4: detected capacity change from 0 to 32768 [ 252.638703][T12401] XFS (loop4): Mounting V5 Filesystem 986211a9-7d00-4ebf-a576-e3de63fa2cbd [ 252.665661][T12401] XFS (loop4): Ending clean mount [ 252.668658][T12401] XFS (loop4): Quotacheck needed: Please wait. [ 252.684593][T12401] XFS (loop4): Quotacheck: Done. [ 253.045934][T12427] netlink: 'syz.1.1766': attribute type 1 has an invalid length. [ 253.067047][T12427] bond16: entered promiscuous mode [ 253.067201][T12427] 8021q: adding VLAN 0 to HW filter on device bond16 [ 253.070914][T12427] netlink: 32 bytes leftover after parsing attributes in process `syz.1.1766'. [ 253.071517][T12427] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 253.071587][T12427] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 253.071639][T12427] netlink: 32 bytes leftover after parsing attributes in process `syz.1.1766'. [ 253.541762][ T6581] XFS (loop4): Unmounting Filesystem 986211a9-7d00-4ebf-a576-e3de63fa2cbd [ 253.726872][T12438] zonefs (nullb0) ERROR: Not a zoned block device [ 253.737110][T12440] 9p: Bad value for 'wfdno' [ 254.375142][T12455] loop1: detected capacity change from 0 to 128 [ 254.382405][T12455] EXT4-fs: Ignoring removed nobh option [ 254.424001][T12455] EXT4-fs (loop1): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 254.479650][ T6574] EXT4-fs (loop1): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 254.557856][T12462] bond17: entered promiscuous mode [ 254.561335][T12462] 8021q: adding VLAN 0 to HW filter on device bond17 [ 254.588251][T12462] 8021q: adding VLAN 0 to HW filter on device bond17 [ 254.590898][T12462] bond17: (slave wireguard4): The slave device specified does not support setting the MAC address [ 254.596941][T12462] bond17: (slave wireguard4): Error -95 calling set_mac_address [ 254.694612][T12469] netlink: 'syz.0.1777': attribute type 1 has an invalid length. [ 254.711486][T12469] bond12: entered promiscuous mode [ 254.711637][T12469] 8021q: adding VLAN 0 to HW filter on device bond12 [ 254.845280][T12474] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 254.846940][T12474] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 254.849469][T12474] netlink: 32 bytes leftover after parsing attributes in process `syz.0.1777'. [ 254.873141][T12469] netlink: 32 bytes leftover after parsing attributes in process `syz.0.1777'. [ 255.094399][T12482] netlink: 8 bytes leftover after parsing attributes in process `syz.4.1781'. [ 255.094445][T12482] netlink: 4 bytes leftover after parsing attributes in process `syz.4.1781'. [ 255.094499][T12482] netlink: 'syz.4.1781': attribute type 13 has an invalid length. [ 255.094515][T12482] netlink: 'syz.4.1781': attribute type 12 has an invalid length. [ 255.568066][ T6166] Bluetooth: hci3: unexpected event for opcode 0x1408 [ 255.635278][ T6686] usb 1-1: new high-speed USB device number 20 using dummy_hcd [ 256.097541][T12494] loop1: detected capacity change from 0 to 128 [ 256.097903][T12494] EXT4-fs: Ignoring removed nobh option [ 256.117266][T12494] EXT4-fs (loop1): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 256.215371][ T6575] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci1/hci1:0' [ 256.218181][ T6575] CPU: 0 UID: 0 PID: 6575 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT [ 256.218201][ T6575] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 256.218208][ T6575] Workqueue: hci1 hci_rx_work [ 256.218228][ T6575] Call trace: [ 256.218231][ T6575] show_stack+0x2c/0x3c (C) [ 256.218245][ T6575] __dump_stack+0x30/0x40 [ 256.218254][ T6575] dump_stack_lvl+0xd8/0x12c [ 256.218263][ T6575] dump_stack+0x1c/0x28 [ 256.218270][ T6575] sysfs_create_dir_ns+0x22c/0x24c [ 256.218279][ T6575] kobject_add_internal+0x5a8/0xb48 [ 256.218291][ T6575] kobject_add+0x134/0x200 [ 256.218299][ T6575] device_add+0x394/0xa88 [ 256.218308][ T6575] hci_conn_add_sysfs+0xc0/0x1f8 [ 256.218315][ T6575] le_conn_complete_evt+0xc00/0x1064 [ 256.218321][ T6575] hci_le_conn_complete_evt+0x114/0x410 [ 256.218332][ T6575] hci_le_meta_evt+0x2dc/0x500 [ 256.218339][ T6575] hci_event_packet+0x6bc/0xf50 [ 256.218346][ T6575] hci_rx_work+0x300/0xd80 [ 256.218355][ T6575] process_one_work+0x7c0/0x1558 [ 256.218364][ T6575] worker_thread+0x958/0xed8 [ 256.218373][ T6575] kthread+0x5fc/0x75c [ 256.218380][ T6575] ret_from_fork+0x10/0x20 [ 256.218397][ T6575] kobject: kobject_add_internal failed for hci1:0 with -EEXIST, don't try to register things with the same name in the same directory. [ 256.218418][ T6575] Bluetooth: hci1: failed to register connection device [ 256.317381][T12500] zonefs (nullb0) ERROR: Not a zoned block device [ 256.518990][ T6575] Bluetooth: hci1: command 0x2016 tx timeout [ 256.574754][ T6574] EXT4-fs (loop1): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 256.625416][ T6686] usb 1-1: Using ep0 maxpacket: 32 [ 256.627769][ T6686] usb 1-1: config index 0 descriptor too short (expected 35577, got 27) [ 256.628106][ T6686] usb 1-1: config 1 has too many interfaces: 92, using maximum allowed: 32 [ 256.628127][ T6686] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 92 [ 256.628136][ T6686] usb 1-1: config 1 has no interface number 0 [ 256.628150][ T6686] usb 1-1: config 1 interface 1 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 256.628161][ T6686] usb 1-1: config 1 interface 1 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 17 [ 256.628176][ T6686] usb 1-1: New USB device found, idVendor=0e41, idProduct=5051, bcdDevice=d5.e8 [ 256.628184][ T6686] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 256.647384][ T6686] snd_usb_pod 1-1:1.1: Line 6 Pocket POD found [ 256.807883][T12510] netlink: 'syz.5.1790': attribute type 1 has an invalid length. [ 256.827782][T12510] bond4: entered promiscuous mode [ 256.827937][T12510] 8021q: adding VLAN 0 to HW filter on device bond4 [ 256.831015][T12510] netlink: 32 bytes leftover after parsing attributes in process `syz.5.1790'. [ 256.834092][T12510] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 256.835682][T12510] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE [ 256.835785][T12510] netlink: 32 bytes leftover after parsing attributes in process `syz.5.1790'. [ 256.846714][ T6686] snd_usb_pod 1-1:1.1: Line 6 Pocket POD now attached [ 256.903690][T12513] xt_connbytes: Forcing CT accounting to be enabled [ 256.903834][T12513] set match dimension is over the limit! [ 257.638366][ T7748] usb 1-1: USB disconnect, device number 20 [ 257.638958][ T7748] snd_usb_pod 1-1:1.1: Line 6 Pocket POD now disconnected [ 258.233104][T12535] loop4: detected capacity change from 0 to 128 [ 258.234623][T12535] EXT4-fs: Ignoring removed nobh option [ 258.265293][T12535] EXT4-fs (loop4): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 258.287229][ T6581] EXT4-fs (loop4): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 258.403315][T12545] loop4: detected capacity change from 0 to 128 [ 258.409489][T12545] EXT4-fs: Ignoring removed nobh option [ 258.464565][T12545] EXT4-fs (loop4): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 258.473522][ T6575] Bluetooth: hci1: command 0x2016 tx timeout [ 258.515311][ T6581] EXT4-fs (loop4): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 259.100035][ T6575] Bluetooth: hci3: command 0x2016 tx timeout [ 259.506157][T12566] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 259.511598][T12566] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 259.922646][T12573] loop5: detected capacity change from 0 to 128 [ 259.926611][T12573] EXT4-fs: Ignoring removed nobh option [ 259.932010][T12573] EXT4-fs (loop5): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none. [ 259.966339][T11394] EXT4-fs (loop5): unmounting filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09. [ 260.191117][T12588] trusted_key: encrypted_key: key user:syz not found [ 260.235441][ T54] Bluetooth: hci4: command 0x2016 tx timeout [ 260.238013][ T6166] ================================================================== [ 260.238022][ T6166] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a4 [ 260.238044][ T6166] Write of size 4 at addr ffff0000cd084010 by task kworker/u9:1/6166 [ 260.238051][ T6166] [ 260.238056][ T6166] CPU: 1 UID: 0 PID: 6166 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT [ 260.238063][ T6166] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 260.238067][ T6166] Workqueue: hci4 hci_cmd_sync_work [ 260.238075][ T6166] Call trace: [ 260.238078][ T6166] show_stack+0x2c/0x3c (C) [ 260.238087][ T6166] __dump_stack+0x30/0x40 [ 260.238093][ T6166] dump_stack_lvl+0xd8/0x12c [ 260.238098][ T6166] print_address_description+0xa8/0x238 [ 260.238104][ T6166] print_report+0x68/0x84 [ 260.238108][ T6166] kasan_report+0xb0/0x110 [ 260.238114][ T6166] kasan_check_range+0x264/0x2a4 [ 260.238120][ T6166] __kasan_check_write+0x20/0x30 [ 260.238126][ T6166] hci_conn_drop+0x34/0x2a4 [ 260.238132][ T6166] le_read_features_complete+0x54/0xec [ 260.238138][ T6166] hci_cmd_sync_work+0x204/0x38c [ 260.238143][ T6166] process_one_work+0x7c0/0x1558 [ 260.238149][ T6166] worker_thread+0x958/0xed8 [ 260.238156][ T6166] kthread+0x5fc/0x75c [ 260.238161][ T6166] ret_from_fork+0x10/0x20 [ 260.238167][ T6166] [ 260.238169][ T6166] Allocated by task 6575: [ 260.238172][ T6166] kasan_save_track+0x40/0x78 [ 260.238176][ T6166] kasan_save_alloc_info+0x44/0x54 [ 260.238181][ T6166] __kasan_kmalloc+0x9c/0xb4 [ 260.238185][ T6166] __kmalloc_cache_noprof+0x3b8/0x698 [ 260.238189][ T6166] __hci_conn_add+0x2f8/0x1630 [ 260.238194][ T6166] hci_conn_add_unset+0x80/0x128 [ 260.238197][ T6166] le_conn_complete_evt+0x5fc/0x1064 [ 260.238201][ T6166] hci_le_conn_complete_evt+0x114/0x410 [ 260.238208][ T6166] hci_le_meta_evt+0x2dc/0x500 [ 260.238212][ T6166] hci_event_packet+0x6bc/0xf50 [ 260.238216][ T6166] hci_rx_work+0x300/0xd80 [ 260.238221][ T6166] process_one_work+0x7c0/0x1558 [ 260.238226][ T6166] worker_thread+0x958/0xed8 [ 260.238232][ T6166] kthread+0x5fc/0x75c [ 260.238236][ T6166] ret_from_fork+0x10/0x20 [ 260.238241][ T6166] [ 260.238242][ T6166] Freed by task 6575: [ 260.238245][ T6166] kasan_save_track+0x40/0x78 [ 260.238248][ T6166] kasan_save_free_info+0x58/0x70 [ 260.238253][ T6166] __kasan_slab_free+0x74/0xa4 [ 260.238257][ T6166] kfree+0x1c4/0x5fc [ 260.238260][ T6166] bt_link_release+0x20/0x30 [ 260.238264][ T6166] device_release+0x8c/0x1ac [ 260.238271][ T6166] kobject_put+0x2c8/0x4f4 [ 260.238277][ T6166] device_unregister+0x3c/0xf4 [ 260.238282][ T6166] hci_conn_del_sysfs+0xf0/0x198 [ 260.238286][ T6166] hci_conn_del+0xa40/0xfb0 [ 260.238289][ T6166] hci_disconn_complete_evt+0x548/0x858 [ 260.238294][ T6166] hci_event_packet+0x704/0xf50 [ 260.238298][ T6166] hci_rx_work+0x300/0xd80 [ 260.238303][ T6166] process_one_work+0x7c0/0x1558 [ 260.238308][ T6166] worker_thread+0x958/0xed8 [ 260.238313][ T6166] kthread+0x5fc/0x75c [ 260.238317][ T6166] ret_from_fork+0x10/0x20 [ 260.238322][ T6166] [ 260.238323][ T6166] The buggy address belongs to the object at ffff0000cd084000 [ 260.238323][ T6166] which belongs to the cache kmalloc-8k of size 8192 [ 260.238328][ T6166] The buggy address is located 16 bytes inside of [ 260.238328][ T6166] freed 8192-byte region [ffff0000cd084000, ffff0000cd086000) [ 260.238333][ T6166] [ 260.238335][ T6166] The buggy address belongs to the physical page: [ 260.238338][ T6166] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d080 [ 260.238344][ T6166] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 260.238349][ T6166] ksm flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) [ 260.238355][ T6166] page_type: f5(slab) [ 260.238360][ T6166] raw: 05ffc00000000040 ffff0000c0002280 fffffdffc3811a00 dead000000000003 [ 260.238364][ T6166] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 260.238368][ T6166] head: 05ffc00000000040 ffff0000c0002280 fffffdffc3811a00 dead000000000003 [ 260.238372][ T6166] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 260.238376][ T6166] head: 05ffc00000000003 fffffdffc3342001 00000000ffffffff 00000000ffffffff [ 260.238380][ T6166] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 260.238382][ T6166] page dumped because: kasan: bad access detected [ 260.238384][ T6166] [ 260.238385][ T6166] Memory state around the buggy address: [ 260.238388][ T6166] ffff0000cd083f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 260.238391][ T6166] ffff0000cd083f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 260.238394][ T6166] >ffff0000cd084000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 260.238397][ T6166] ^ [ 260.238399][ T6166] ffff0000cd084080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 260.238402][ T6166] ffff0000cd084100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 260.238404][ T6166] ================================================================== [ 260.238427][ T6166] Disabling lock debugging due to kernel taint [ 260.238452][ T6166] ------------[ cut here ]------------ [ 260.238455][ T6166] ODEBUG: assert_init not available (active state 0) object: 000000004a600016 object type: timer_list hint: hci_conn_idle+0x0/0x47c [ 260.238581][ T6166] WARNING: lib/debugobjects.c:615 at debug_print_object+0x168/0x1e0, CPU#1: kworker/u9:1/6166 [ 260.311440][ T6166] Modules linked in: [ 260.311997][ T6166] CPU: 1 UID: 0 PID: 6166 Comm: kworker/u9:1 Tainted: G B syzkaller #0 PREEMPT [ 260.313530][ T6166] Tainted: [B]=BAD_PAGE [ 260.314103][ T6166] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 260.315538][ T6166] Workqueue: hci4 hci_cmd_sync_work [ 260.316296][ T6166] pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 260.317425][ T6166] pc : debug_print_object+0x168/0x1e0 [ 260.318196][ T6166] lr : debug_print_object+0x168/0x1e0 [ 260.319035][ T6166] sp : ffff8000a4627750 [ 260.319625][ T6166] x29: ffff8000a4627750 x28: dfff800000000000 x27: 0000000000000000 [ 260.320787][ T6166] x26: ffff80008f871000 x25: dfff800000000000 x24: ffff0000cd084bd8 [ 260.321993][ T6166] x23: ffff80008b5aa820 x22: ffff80008a193b48 x21: ffff80008b079660 [ 260.323177][ T6166] x20: 0000000000000000 x19: ffff80008b5aa300 x18: 1fffe00033781890 [ 260.324344][ T6166] x17: ffff80008f86e000 x16: ffff800082e5e68c x15: 0000000000000001 [ 260.325520][ T6166] x14: 1ffff0001229b888 x13: 0000000000000000 x12: 0000000000000000 [ 260.326748][ T6166] x11: 0000000000001742 x10: 0000000000ff0100 x9 : 26d3cc1b20e86700 [ 260.327910][ T6166] x8 : 26d3cc1b20e86700 x7 : 0000000000000001 x6 : ffff8000805761f8 [ 260.329032][ T6166] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807f1034 [ 260.330162][ T6166] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000 [ 260.331319][ T6166] Call trace: [ 260.331751][ T6166] debug_print_object+0x168/0x1e0 (P) [ 260.332514][ T6166] debug_object_assert_init+0x250/0x2c8 [ 260.333308][ T6166] __timer_delete+0x48/0x354 [ 260.333988][ T6166] timer_delete+0x24/0x34 [ 260.334618][ T6166] work_grab_pending+0xc0/0x830 [ 260.335324][ T6166] __cancel_work+0x50/0x218 [ 260.335991][ T6166] cancel_delayed_work+0x24/0x38 [ 260.336775][ T6166] hci_conn_drop+0xb0/0x2a4 [ 260.337405][ T6166] le_read_features_complete+0x54/0xec [ 260.338233][ T6166] hci_cmd_sync_work+0x204/0x38c [ 260.339002][ T6166] process_one_work+0x7c0/0x1558 [ 260.339719][ T6166] worker_thread+0x958/0xed8 [ 260.340407][ T6166] kthread+0x5fc/0x75c [ 260.341002][ T6166] ret_from_fork+0x10/0x20 [ 260.341620][ T6166] irq event stamp: 77745 [ 260.342312][ T6166] hardirqs last enabled at (77745): [] finish_lock_switch+0xb0/0x1c0 [ 260.343715][ T6166] hardirqs last disabled at (77744): [] __schedule+0x2f8/0x2a7c [ 260.345061][ T6166] softirqs last enabled at (77686): [] local_bh_enable+0x10/0x34 [ 260.346434][ T6166] softirqs last disabled at (77684): [] local_bh_disable+0x10/0x34 [ 260.347814][ T6166] ---[ end trace 0000000000000000 ]--- [ 260.359008][ T6166] ------------[ cut here ]------------ [ 260.359021][ T6166] ODEBUG: assert_init not available (active state 0) object: 000000004bcbf954 object type: timer_list hint: hci_conn_timeout+0x0/0x210 [ 260.359164][ T6166] WARNING: lib/debugobjects.c:615 at debug_print_object+0x168/0x1e0, CPU#1: kworker/u9:1/6166 [ 260.363677][ T6166] Modules linked in: [ 260.364267][ T6166] CPU: 1 UID: 0 PID: 6166 Comm: kworker/u9:1 Tainted: G B W syzkaller #0 PREEMPT [ 260.365996][ T6166] Tainted: [B]=BAD_PAGE, [W]=WARN [ 260.366793][ T6166] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 260.368450][ T6166] Workqueue: hci4 hci_cmd_sync_work [ 260.369227][ T6166] pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 260.370442][ T6166] pc : debug_print_object+0x168/0x1e0 [ 260.371220][ T6166] lr : debug_print_object+0x168/0x1e0 [ 260.372005][ T6166] sp : ffff8000a4627750 [ 260.372580][ T6166] x29: ffff8000a4627750 x28: dfff800000000000 x27: 0000000000000001 [ 260.373776][ T6166] x26: ffff80008f871000 x25: dfff800000000000 x24: ffff0000cd084a88 [ 260.375004][ T6166] x23: ffff80008b5aa820 x22: ffff80008a1938e0 x21: ffff80008b079660 [ 260.376162][ T6166] x20: 0000000000000000 x19: ffff80008b5aa300 x18: 1fffe00033781890 [ 260.377394][ T6166] x17: ffff80008f86e000 x16: ffff800082e5e68c x15: 0000000000000001 [ 260.378578][ T6166] x14: 1ffff0001229b888 x13: 0000000000000000 x12: 0000000000000000 [ 260.379763][ T6166] x11: 000000000000178e x10: 0000000000ff0100 x9 : 26d3cc1b20e86700 [ 260.380916][ T6166] x8 : 26d3cc1b20e86700 x7 : 0000000000000001 x6 : ffff8000805761f8 [ 260.382094][ T6166] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807f1034 [ 260.383315][ T6166] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000 [ 260.384484][ T6166] Call trace: [ 260.384951][ T6166] debug_print_object+0x168/0x1e0 (P) [ 260.385739][ T6166] debug_object_assert_init+0x250/0x2c8 [ 260.386520][ T6166] __timer_delete+0x48/0x354 [ 260.387183][ T6166] timer_delete+0x24/0x34 [ 260.387804][ T6166] work_grab_pending+0xc0/0x830 [ 260.388500][ T6166] __cancel_work+0x50/0x218 [ 260.389164][ T6166] cancel_delayed_work+0x24/0x38 [ 260.389874][ T6166] hci_conn_drop+0x128/0x2a4 [ 260.390562][ T6166] le_read_features_complete+0x54/0xec [ 260.391347][ T6166] hci_cmd_sync_work+0x204/0x38c [ 260.392036][ T6166] process_one_work+0x7c0/0x1558 [ 260.392707][ T6166] worker_thread+0x958/0xed8 [ 260.393341][ T6166] kthread+0x5fc/0x75c [ 260.393904][ T6166] ret_from_fork+0x10/0x20 [ 260.394498][ T6166] irq event stamp: 77745 [ 260.395102][ T6166] hardirqs last enabled at (77745): [] finish_lock_switch+0xb0/0x1c0 [ 260.396442][ T6166] hardirqs last disabled at (77744): [] __schedule+0x2f8/0x2a7c [ 260.397778][ T6166] softirqs last enabled at (77686): [] local_bh_enable+0x10/0x34 [ 260.399045][ T6166] softirqs last disabled at (77684): [] local_bh_disable+0x10/0x34 [ 260.400323][ T6166] ---[ end trace 0000000000000000 ]--- [ 260.454146][ T54] Bluetooth: hci1: command 0x2016 tx timeout [ 261.902345][ T6575] ------------[ cut here ]------------ [ 261.902360][ T6575] ODEBUG: assert_init not available (active state 0) object: 000000007926cd92 object type: timer_list hint: hci_conn_idle+0x0/0x47c [ 261.902505][ T6575] WARNING: lib/debugobjects.c:615 at debug_print_object+0x168/0x1e0, CPU#0: kworker/u9:2/6575 [ 261.905124][ T6582] Bluetooth: hci3: command 0x2016 tx timeout [ 261.907539][ T6575] Modules linked in: [ 261.908071][ T6575] CPU: 0 UID: 0 PID: 6575 Comm: kworker/u9:2 Tainted: G B W syzkaller #0 PREEMPT [ 261.909477][ T6575] Tainted: [B]=BAD_PAGE, [W]=WARN [ 261.910153][ T6575] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 261.911491][ T6575] Workqueue: hci3 hci_cmd_sync_work [ 261.912253][ T6575] pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 261.913339][ T6575] pc : debug_print_object+0x168/0x1e0 [ 261.914084][ T6575] lr : debug_print_object+0x168/0x1e0 [ 261.914822][ T6575] sp : ffff8000a0ba7750 [ 261.915414][ T6575] x29: ffff8000a0ba7750 x28: dfff800000000000 x27: 0000000000000000 [ 261.916535][ T6575] x26: ffff80008f871000 x25: dfff800000000000 x24: ffff0000d07b0bd8 [ 261.917661][ T6575] x23: ffff80008b5aa820 x22: ffff80008a193b48 x21: ffff80008b079660 [ 261.918772][ T6575] x20: 0000000000000000 x19: ffff80008b5aa300 x18: 1fffe0003377d090 [ 261.919862][ T6575] x17: ffff80008f86e000 x16: ffff800082e5e68c x15: 0000000000000001 [ 261.920975][ T6575] x14: 1fffe0003377d0fa x13: 0000000000000000 x12: 0000000000000000 [ 261.922086][ T6575] x11: ffff60003377d0fb x10: 0000000000ff0100 x9 : 59c76cbf8938b200 [ 261.923167][ T6575] x8 : 59c76cbf8938b200 x7 : 0000000000000001 x6 : ffff8000805761f8 [ 261.924262][ T6575] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807f1034 [ 261.925379][ T6575] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000 [ 261.926494][ T6575] Call trace: [ 261.926940][ T6575] debug_print_object+0x168/0x1e0 (P) [ 261.927683][ T6575] debug_object_assert_init+0x250/0x2c8 [ 261.928448][ T6575] __timer_delete+0x48/0x354 [ 261.929089][ T6575] timer_delete+0x24/0x34 [ 261.929687][ T6575] work_grab_pending+0xc0/0x830 [ 261.930352][ T6575] __cancel_work+0x50/0x218 [ 261.930975][ T6575] cancel_delayed_work+0x24/0x38 [ 261.931660][ T6575] hci_conn_drop+0xb0/0x2a4 [ 261.932279][ T6575] le_read_features_complete+0x54/0xec [ 261.933025][ T6575] hci_cmd_sync_work+0x204/0x38c [ 261.933704][ T6575] process_one_work+0x7c0/0x1558 [ 261.934368][ T6575] worker_thread+0x958/0xed8 [ 261.935000][ T6575] kthread+0x5fc/0x75c [ 261.935548][ T6575] ret_from_fork+0x10/0x20 [ 261.936213][ T6575] irq event stamp: 11532 [ 261.936780][ T6575] hardirqs last enabled at (11531): [] _raw_spin_unlock_irqrestore+0x38/0x98 [ 261.938146][ T6575] hardirqs last disabled at (11532): [] __schedule+0x2f8/0x2a7c [ 261.939361][ T6575] softirqs last enabled at (11510): [] local_bh_enable+0x10/0x34 [ 261.940609][ T6575] softirqs last disabled at (11508): [] local_bh_disable+0x10/0x34 [ 261.941872][ T6575] ---[ end trace 0000000000000000 ]--- [ 261.942875][ T6575] ------------[ cut here ]------------ [ 261.942882][ T6575] ODEBUG: assert_init not available (active state 0) object: 00000000c431e008 object type: timer_list hint: hci_conn_timeout+0x0/0x210 [ 261.943016][ T6575] WARNING: lib/debugobjects.c:615 at debug_print_object+0x168/0x1e0, CPU#0: kworker/u9:2/6575 [ 261.946942][ T6575] Modules linked in: [ 261.947482][ T6575] CPU: 0 UID: 0 PID: 6575 Comm: kworker/u9:2 Tainted: G B W syzkaller #0 PREEMPT [ 261.948923][ T6575] Tainted: [B]=BAD_PAGE, [W]=WARN [ 261.949605][ T6575] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 [ 261.951027][ T6575] Workqueue: hci3 hci_cmd_sync_work [ 261.951774][ T6575] pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) [ 261.952881][ T6575] pc : debug_print_object+0x168/0x1e0 [ 261.953642][ T6575] lr : debug_print_object+0x168/0x1e0 [ 261.954416][ T6575] sp : ffff8000a0ba7750 [ 261.954992][ T6575] x29: ffff8000a0ba7750 x28: dfff800000000000 x27: 0000000000000001 [ 261.956129][ T6575] x26: ffff80008f871000 x25: dfff800000000000 x24: ffff0000d07b0a88 [ 261.957281][ T6575] x23: ffff80008b5aa820 x22: ffff80008a1938e0 x21: ffff80008b079660 [ 261.958460][ T6575] x20: 0000000000000000 x19: ffff80008b5aa300 x18: 1fffe0003377d090 [ 261.959611][ T6575] x17: ffff80008f86e000 x16: ffff800082e5e68c x15: 0000000000000001 [ 261.960771][ T6575] x14: 1ffff0001229b888 x13: 0000000000000000 x12: 0000000000000000 [ 261.961937][ T6575] x11: 0000000000001d0e x10: 0000000000ff0100 x9 : 59c76cbf8938b200 [ 261.963102][ T6575] x8 : 59c76cbf8938b200 x7 : 0000000000000001 x6 : ffff8000805761f8 [ 261.964236][ T6575] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807f1034 [ 261.965379][ T6575] x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000 [ 261.966543][ T6575] Call trace: [ 261.967015][ T6575] debug_print_object+0x168/0x1e0 (P) [ 261.967843][ T6575] debug_object_assert_init+0x250/0x2c8 [ 261.968711][ T6575] __timer_delete+0x48/0x354 [ 261.969419][ T6575] timer_delete+0x24/0x34 [ 261.970035][ T6575] work_grab_pending+0xc0/0x830 [ 261.970749][ T6575] __cancel_work+0x50/0x218 [ 261.971445][ T6575] cancel_delayed_work+0x24/0x38 [ 261.972127][ T6575] hci_conn_drop+0x128/0x2a4 [ 261.972776][ T6575] le_read_features_complete+0x54/0xec [ 261.973616][ T6575] hci_cmd_sync_work+0x204/0x38c [ 261.974344][ T6575] process_one_work+0x7c0/0x1558 [ 261.975051][ T6575] worker_thread+0x958/0xed8 [ 261.975703][ T6575] kthread+0x5fc/0x75c [ 261.976268][ T6575] ret_from_fork+0x10/0x20 [ 261.976892][ T6575] irq event stamp: 11532 [ 261.977472][ T6575] hardirqs last enabled at (11531): [] _raw_spin_unlock_irqrestore+0x38/0x98 [ 261.978924][ T6575] hardirqs last disabled at (11532): [] __schedule+0x2f8/0x2a7c [ 261.980207][ T6575] softirqs last enabled at (11510): [] local_bh_enable+0x10/0x34 [ 261.981515][ T6575] softirqs last disabled at (11508): [] local_bh_disable+0x10/0x34 [ 261.982809][ T6575] ---[ end trace 0000000000000000 ]--- [ 262.359171][ T6575] Bluetooth: hci4: command 0x2016 tx timeout [ 264.340249][ T6166] Bluetooth: hci4: command 0x2016 tx timeout [ 267.998044][ T5827] wlan1: No active IBSS STAs - trying to scan for other IBSS networks with same SSID (merge)