Extracting prog: 1m23.396088458s Minimizing prog: 1h8m47.870331177s Simplifying prog options: 5m17.2217954s Extracting C: 36.78080373s Simplifying C: 0s extracting reproducer from 45 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-syz_usb_connect-capset-openat$nvram-ioctl$BTRFS_IOC_SNAP_CREATE_V2-syz_init_net_socket$netrom-setsockopt$inet_sctp6_SCTP_EVENTS-ioctl$sock_SIOCGIFINDEX_80211 detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) syz_usb_connect(0x4, 0x5a, &(0x7f0000000400)=ANY=[], 0x0) capset(&(0x7f0000000300)={0x20071026, r6}, &(0x7f0000000340)={0x0, 0x0, 0x100000}) r7 = openat$nvram(0xffffffffffffff9c, &(0x7f0000006bc0), 0x0, 0x0) ioctl$BTRFS_IOC_SNAP_CREATE_V2(r7, 0x7041, 0x0) r8 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) setsockopt$inet_sctp6_SCTP_EVENTS(0xffffffffffffffff, 0x84, 0xb, &(0x7f0000000400)={0x8, 0x9, 0x3b, 0x4, 0x9, 0x1, 0x9, 0x83, 0x0, 0x8, 0xb, 0x8, 0x9, 0xe}, 0xe) ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f0000000040)={'wlan1\x00'}) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM single: successfully extracted reproducer found reproducer with 30 syscalls minimizing guilty program testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-syz_usb_connect-capset-openat$nvram-ioctl$BTRFS_IOC_SNAP_CREATE_V2-syz_init_net_socket$netrom-setsockopt$inet_sctp6_SCTP_EVENTS detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) syz_usb_connect(0x4, 0x5a, &(0x7f0000000400)=ANY=[], 0x0) capset(&(0x7f0000000300)={0x20071026, r6}, &(0x7f0000000340)={0x0, 0x0, 0x100000}) r7 = openat$nvram(0xffffffffffffff9c, &(0x7f0000006bc0), 0x0, 0x0) ioctl$BTRFS_IOC_SNAP_CREATE_V2(r7, 0x7041, 0x0) syz_init_net_socket$netrom(0x6, 0x5, 0x0) setsockopt$inet_sctp6_SCTP_EVENTS(0xffffffffffffffff, 0x84, 0xb, &(0x7f0000000400)={0x8, 0x9, 0x3b, 0x4, 0x9, 0x1, 0x9, 0x83, 0x0, 0x8, 0xb, 0x8, 0x9, 0xe}, 0xe) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-syz_usb_connect-capset-openat$nvram-ioctl$BTRFS_IOC_SNAP_CREATE_V2-syz_init_net_socket$netrom detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) syz_usb_connect(0x4, 0x5a, &(0x7f0000000400)=ANY=[], 0x0) capset(&(0x7f0000000300)={0x20071026, r6}, &(0x7f0000000340)={0x0, 0x0, 0x100000}) r7 = openat$nvram(0xffffffffffffff9c, &(0x7f0000006bc0), 0x0, 0x0) ioctl$BTRFS_IOC_SNAP_CREATE_V2(r7, 0x7041, 0x0) syz_init_net_socket$netrom(0x6, 0x5, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-syz_usb_connect-capset-openat$nvram-ioctl$BTRFS_IOC_SNAP_CREATE_V2 detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) syz_usb_connect(0x4, 0x5a, &(0x7f0000000400)=ANY=[], 0x0) capset(&(0x7f0000000300)={0x20071026, r6}, &(0x7f0000000340)={0x0, 0x0, 0x100000}) r7 = openat$nvram(0xffffffffffffff9c, &(0x7f0000006bc0), 0x0, 0x0) ioctl$BTRFS_IOC_SNAP_CREATE_V2(r7, 0x7041, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-syz_usb_connect-capset-openat$nvram detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) syz_usb_connect(0x4, 0x5a, &(0x7f0000000400)=ANY=[], 0x0) capset(&(0x7f0000000300)={0x20071026, r6}, &(0x7f0000000340)={0x0, 0x0, 0x100000}) openat$nvram(0xffffffffffffff9c, &(0x7f0000006bc0), 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-syz_usb_connect-capset detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) syz_usb_connect(0x4, 0x5a, &(0x7f0000000400)=ANY=[], 0x0) capset(&(0x7f0000000300)={0x20071026, r6}, &(0x7f0000000340)={0x0, 0x0, 0x100000}) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-syz_usb_connect detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) syz_usb_connect(0x4, 0x5a, &(0x7f0000000400)=ANY=[], 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r3 = userfaultfd(0x80001) ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r4 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r4, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r2, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r2, 0x800c5011, &(0x7f00000001c0)) r5 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r5, 0x10000000) r6 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r6) tkill(r6, 0xf) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000340)={r1, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace-tkill detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r1, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r1, 0x800c5011, &(0x7f00000001c0)) r4 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r4, 0x10000000) r5 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r5) tkill(r5, 0xf) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone-ptrace detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r1, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r1, 0x800c5011, &(0x7f00000001c0)) r4 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r4, 0x10000000) r5 = syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x4206, r5) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r1, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r1, 0x800c5011, &(0x7f00000001c0)) r4 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r4, 0x10000000) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-mmap$IORING_OFF_SQES detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r1, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r1, 0x800c5011, &(0x7f00000001c0)) r4 = syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) mmap$IORING_OFF_SQES(&(0x7f00004f6000/0x4000)=nil, 0x4000, 0x4000001, 0x11, r4, 0x10000000) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_io_uring_setup-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r1, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r1, 0x800c5011, &(0x7f00000001c0)) syz_io_uring_setup(0x50ba, &(0x7f0000000240)={0x0, 0x62f2, 0x10, 0x3, 0x2f3}, &(0x7f00000002c0), &(0x7f0000000300)) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-ioctl$SNDCTL_DSP_GETISPACE-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r1, 0x5300}], 0x1, 0x0, 0x0, 0x0) ioctl$SNDCTL_DSP_GETISPACE(r1, 0x800c5011, &(0x7f00000001c0)) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-ppoll-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) ppoll(&(0x7f0000000080)=[{r1, 0x5300}], 0x1, 0x0, 0x0, 0x0) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-madvise-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x15) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-madvise-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) socket$xdp(0x2c, 0x3, 0x0) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_API-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-userfaultfd-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-madvise-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(0xffffffffffffffff, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-prlimit64-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8000000000008b}, 0x0) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-ioctl$SNDCTL_DSP_SETFRAGMENT-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) r1 = openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f00000000c0)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r2 = userfaultfd(0x80001) ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r3 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r3, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r2, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-openat$audio-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r1 = userfaultfd(0x80001) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r1, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r1 = userfaultfd(0x80001) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r1, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-shutdown-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r0, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r1 = userfaultfd(0x80001) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r1, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: r0 = socket$inet6_sctp(0xa, 0x5, 0x84) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r1 = userfaultfd(0x80001) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r2 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r1, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, 0x0) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, 0x0) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, 0x0) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, 0x0, 0x0) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={0x0, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, 0x0) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash extracting C reproducer testing compiled C program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz-executor a never seen crash title: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz-executor, ignore simplifying guilty program options testing program (duration=45.436458406s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program did not crash testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM validation run: crashed=true testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM validation run: crashed=true testing program (duration=45.436458406s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-ioctl$UFFDIO_COPY-syz_clone detailed listing: executing program 0: getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140)) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x19) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ffd000/0x3000)=nil, 0x3000}, 0x1}) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000480)={&(0x7f0000000000)=""/59, 0x304000, 0x800, 0x0, 0x2}, 0x20) ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000100)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000013000/0x4000)=nil, 0x3000, 0x3}) syz_clone(0x80000400, 0x0, 0x0, 0x0, 0x0, 0x0) program crashed: WARNING: lib/refcount.c:LINE at 0x0, CPU: syz.NUM.NUM/NUM validation run: crashed=true reproducing took 1h20m52.271285062s repro crashed as (corrupted=false): ------------[ cut here ]------------ refcount_t: saturated; leaking memory. WARNING: lib/refcount.c:19 at 0x0, CPU#0: syz.2.19/6053 Modules linked in: CPU: 0 UID: 0 PID: 6053 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:refcount_warn_saturate+0xc5/0x110 lib/refcount.c:19 Code: 91 0e 33 0b 67 48 0f b9 3a eb 37 e8 95 1c 2b fd 48 8d 3d 8e 0e 33 0b 67 48 0f b9 3a eb 24 e8 82 1c 2b fd 48 8d 3d 8b 0e 33 0b <67> 48 0f b9 3a eb 11 e8 6f 1c 2b fd 48 8d 3d 88 0e 33 0b 67 48 0f RSP: 0018:ffffc9000257f568 EFLAGS: 00010293 RAX: ffffffff8496c3fe RBX: 0000000000000000 RCX: ffff888033c41e80 RDX: 0000000000000000 RSI: ffffffff8ea87240 RDI: ffffffff8fc9d290 RBP: ffffc9000257f690 R08: ffff888033c41e80 R09: 0000000000000005 R10: 0000000000000004 R11: 0000000000000000 R12: ffff888078f791c0 R13: ffff888078f79140 R14: ffff888078f791c0 R15: 0000000000000000 FS: 00007f327bfda6c0(0000) GS:ffff888125a41000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5790cc1f98 CR3: 000000007f8fe000 CR4: 00000000003526f0 Call Trace: __refcount_add_not_zero include/linux/refcount.h:187 [inline] refcount_add_not_zero include/linux/refcount.h:212 [inline] __vma_enter_locked+0x62e/0x6a0 mm/mmap_lock.c:69 __vma_start_write+0x23/0x140 mm/mmap_lock.c:96 vma_start_write include/linux/mmap_lock.h:213 [inline] vma_merge_existing_range mm/vma.c:900 [inline] vma_modify+0xf62/0x1a70 mm/vma.c:1611 vma_modify_flags_uffd+0x204/0x250 mm/vma.c:1704 userfaultfd_clear_vma mm/userfaultfd.c:1995 [inline] userfaultfd_release_all+0x34c/0x5d0 mm/userfaultfd.c:2114 userfaultfd_release+0xe7/0x1b0 fs/userfaultfd.c:887 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d4/0x260 kernel/task_work.c:233 get_signal+0x11ec/0x1340 kernel/signal.c:2807 arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x87/0x4f0 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x2e3/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f327b18f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f327bfda038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: fffffffffffffffc RBX: 00007f327b3e6090 RCX: 00007f327b18f749 RDX: 0000200000000100 RSI: 00000000c028aa05 RDI: 0000000000000003 RBP: 00007f327b213f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f327b3e6128 R14: 00007f327b3e6090 R15: 00007fff113a25c8 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 33 0b xor (%rbx),%ecx 2: 67 48 0f b9 3a ud1 (%edx),%rdi 7: eb 37 jmp 0x40 9: e8 95 1c 2b fd call 0xfd2b1ca3 e: 48 8d 3d 8e 0e 33 0b lea 0xb330e8e(%rip),%rdi # 0xb330ea3 15: 67 48 0f b9 3a ud1 (%edx),%rdi 1a: eb 24 jmp 0x40 1c: e8 82 1c 2b fd call 0xfd2b1ca3 21: 48 8d 3d 8b 0e 33 0b lea 0xb330e8b(%rip),%rdi # 0xb330eb3 * 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction 2d: eb 11 jmp 0x40 2f: e8 6f 1c 2b fd call 0xfd2b1ca3 34: 48 8d 3d 88 0e 33 0b lea 0xb330e88(%rip),%rdi # 0xb330ec3 3b: 67 addr32 3c: 48 rex.W 3d: 0f .byte 0xf final repro crashed as (corrupted=false): ------------[ cut here ]------------ refcount_t: saturated; leaking memory. WARNING: lib/refcount.c:19 at 0x0, CPU#0: syz.2.19/6053 Modules linked in: CPU: 0 UID: 0 PID: 6053 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:refcount_warn_saturate+0xc5/0x110 lib/refcount.c:19 Code: 91 0e 33 0b 67 48 0f b9 3a eb 37 e8 95 1c 2b fd 48 8d 3d 8e 0e 33 0b 67 48 0f b9 3a eb 24 e8 82 1c 2b fd 48 8d 3d 8b 0e 33 0b <67> 48 0f b9 3a eb 11 e8 6f 1c 2b fd 48 8d 3d 88 0e 33 0b 67 48 0f RSP: 0018:ffffc9000257f568 EFLAGS: 00010293 RAX: ffffffff8496c3fe RBX: 0000000000000000 RCX: ffff888033c41e80 RDX: 0000000000000000 RSI: ffffffff8ea87240 RDI: ffffffff8fc9d290 RBP: ffffc9000257f690 R08: ffff888033c41e80 R09: 0000000000000005 R10: 0000000000000004 R11: 0000000000000000 R12: ffff888078f791c0 R13: ffff888078f79140 R14: ffff888078f791c0 R15: 0000000000000000 FS: 00007f327bfda6c0(0000) GS:ffff888125a41000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5790cc1f98 CR3: 000000007f8fe000 CR4: 00000000003526f0 Call Trace: __refcount_add_not_zero include/linux/refcount.h:187 [inline] refcount_add_not_zero include/linux/refcount.h:212 [inline] __vma_enter_locked+0x62e/0x6a0 mm/mmap_lock.c:69 __vma_start_write+0x23/0x140 mm/mmap_lock.c:96 vma_start_write include/linux/mmap_lock.h:213 [inline] vma_merge_existing_range mm/vma.c:900 [inline] vma_modify+0xf62/0x1a70 mm/vma.c:1611 vma_modify_flags_uffd+0x204/0x250 mm/vma.c:1704 userfaultfd_clear_vma mm/userfaultfd.c:1995 [inline] userfaultfd_release_all+0x34c/0x5d0 mm/userfaultfd.c:2114 userfaultfd_release+0xe7/0x1b0 fs/userfaultfd.c:887 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d4/0x260 kernel/task_work.c:233 get_signal+0x11ec/0x1340 kernel/signal.c:2807 arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x87/0x4f0 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x2e3/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f327b18f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f327bfda038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: fffffffffffffffc RBX: 00007f327b3e6090 RCX: 00007f327b18f749 RDX: 0000200000000100 RSI: 00000000c028aa05 RDI: 0000000000000003 RBP: 00007f327b213f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f327b3e6128 R14: 00007f327b3e6090 R15: 00007fff113a25c8 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 33 0b xor (%rbx),%ecx 2: 67 48 0f b9 3a ud1 (%edx),%rdi 7: eb 37 jmp 0x40 9: e8 95 1c 2b fd call 0xfd2b1ca3 e: 48 8d 3d 8e 0e 33 0b lea 0xb330e8e(%rip),%rdi # 0xb330ea3 15: 67 48 0f b9 3a ud1 (%edx),%rdi 1a: eb 24 jmp 0x40 1c: e8 82 1c 2b fd call 0xfd2b1ca3 21: 48 8d 3d 8b 0e 33 0b lea 0xb330e8b(%rip),%rdi # 0xb330eb3 * 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction 2d: eb 11 jmp 0x40 2f: e8 6f 1c 2b fd call 0xfd2b1ca3 34: 48 8d 3d 88 0e 33 0b lea 0xb330e88(%rip),%rdi # 0xb330ec3 3b: 67 addr32 3c: 48 rex.W 3d: 0f .byte 0xf