Extracting prog: 5m36.708556991s
Minimizing prog: 48m53.236015331s
Simplifying prog options: 0s
Extracting C: 35.151622992s
Simplifying C: 14m36.803005565s


extracting reproducer from 21 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect-syz_usb_disconnect-syz_usb_connect$uac3-syz_usb_control_io$hid-socket$nl_route-sendmsg$nl_route-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)
r6 = syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000000)=ANY=[@ANYBLOB="12010102000000408205820540000102030109026e0003017f0006080b0002012030230904000000010130000a2401100a00090000000904010000010230000904010101010230000905810960"], &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r6, 0x0, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000580)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="160000006800e978"], 0x18}}, 0x0)
syz_usb_control_io$hid(r5, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 21 programs with base timeout 30s
testing program (duration=35s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [25, 9, 30, 30, 10, 8, 19, 7, 5, 30, 28, 30, 27, 30, 30, 30, 15, 4, 29, 20, 30]
detailed listing:
executing program 0:
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0)
syz_usb_connect(0x0, 0x24, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000cc1ef420890b070064ef000000010902120001000000000904"], 0x0)
syz_emit_ethernet(0x40, &(0x7f0000000100)={@local, @link_local, @void, {@x25={0x805, {0x1, 0x53, 0x5, "a8e890af2a92e50100000000000000180f96da1a653bf5030000000000b001c2fcde25088c00"/47}}}}, 0x0)
syz_open_dev$char_usb(0xc, 0xb4, 0x0)
syz_open_dev$video(0x0, 0x0, 0x10b200)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000003, 0x4008032, 0xffffffffffffffff, 0x2000)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x15)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f0000000000)=@abs={0x0, 0x0, 0x4e21}, 0x6e)
r2 = syz_open_dev$sg(0x0, 0xf9ba, 0x501)
tee(r2, r2, 0x9, 0xb)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x20040, 0x0)
ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x8)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f00000004c0), 0x60600, 0x0)
syz_open_dev$loop(&(0x7f0000000240), 0x7, 0x180862)
openat$proc_mixer(0xffffffffffffff9c, &(0x7f0000000180)='/proc/asound/card3/oss_mixer\x00', 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r5, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_PRE_FAULT_MEMORY(r6, 0xc040aed5, &(0x7f00000000c0)={0x100000, 0x21d000})
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000100))
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r2 = dup3(r1, r0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x20, 0x0, &(0x7f0000000500)=[@request_death, @clear_death], 0x50, 0x0, &(0x7f0000001040)="305036fca5995765dc12a4d9dac26d7aefec64178d3006bdc6e7e21a4b43bb1cc0f8474f0225ede05848e3ca1601c4223212d4b740575953125a2134f147e789f2f6f62131708cd9c30341924ef84980"})
r3 = syz_open_dev$vim2m(&(0x7f0000000000), 0x802, 0x2)
syz_usb_connect$uac2(0x0, 0x80, &(0x7f0000002200)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x19b5, 0x21, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6e, 0x3, 0x1, 0x3, 0xc0, 0x21, {0x8, 0xb, 0x2, 0x0, 0x1, 0x2, 0x20, 0x4}, {{{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x20, 0x0, {{0x9, 0x24, 0x1, 0xc63, 0x1, 0xe, 0x84}, [@selector_unit={0x5}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x20, 0x0, {}, {{0x9, 0x5, 0x1, 0x9, 0x30, 0x80, 0x84, 0x6, {0x8, 0x25, 0x1, 0x81, 0xf, 0x0, 0x3}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x20, 0x0, {}, {{0x9, 0x5, 0x82, 0x9, 0x40, 0x8, 0x91, 0x2, {0x8, 0x25, 0x1, 0x2, 0x33, 0x0, 0xffff}}}}}}}}]}}, 0x0)
ioctl$vim2m_VIDIOC_S_FMT(r3, 0xc0d05605, &(0x7f0000000540)={0x2, @pix_mp={0x3, 0x7, 0x3136564e, 0x0, 0x0, [{0x80, 0x5}, {0x8f, 0x468}, {0x4, 0x2}, {0x1, 0x3}, {0xb5, 0x6}, {0x0, 0x3523}, {0x6, 0x3ff}, {0x2, 0x5}], 0x8, 0x19, 0x1, 0x0, 0x6}})
executing program 2:
r0 = userfaultfd(0x801)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x3})
syz_io_uring_setup(0x400048ba, &(0x7f0000000340)={0x0, 0xfffffffd, 0x20, 0xfffffff7, 0x182}, &(0x7f0000000300), &(0x7f0000ff4000), &(0x7f0000000000))
ioctl$UFFDIO_WRITEPROTECT(r0, 0xc018aa06, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000080)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
sendmsg$inet(r1, 0x0, 0x8000)
syz_open_dev$vim2m(0x0, 0x7, 0x2)
connect$unix(r1, 0x0, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x10000010, 0x8001, 0x0, 0x4, 0x0, 0x1000, 0xfa11, 0xffffffff}, 0x0)
sendto(r2, 0x0, 0x0, 0x2000c000, &(0x7f0000000200)=@nl=@proc={0x10, 0x0, 0x25dfdbfe, 0x200}, 0x80)
r3 = syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0)
io_uring_setup(0x5d09, &(0x7f0000000100)={0x0, 0x2881, 0x10, 0x0, 0x59})
r4 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f0000000d40)={'wlan0\x00', <r5=>0x0})
r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001100), r4)
sendmsg$NL80211_CMD_SET_MULTICAST_TO_UNICAST(r4, &(0x7f0000001200)={0x0, 0x0, &(0x7f00000011c0)={&(0x7f0000001140)={0x1c, r6, 0x1, 0x70bd27, 0x25dfdbfb, {{}, {@val={0x8, 0x3, r5}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x800}, 0x4004000)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000340)=[0x0], 0x0, 0x0, 0x0, 0x1})
r7 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x161283, 0x0)
ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0x4008ae89, &(0x7f00000000c0)={0x1, 0x0, [{0x40000073, 0x0, 0xfff}]})
r8 = ioctl$KVM_CREATE_VM(r7, 0xae01, 0x0)
r9 = ioctl$KVM_CREATE_VCPU(r8, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r9, 0xc008ae88, &(0x7f0000000040)={0x10000000000000cf, 0x0, [{}]})
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(r3, 0xc01864c6, &(0x7f00000001c0)={0x0, 0x0, 0x80800})
executing program 4:
r0 = socket$kcm(0x2, 0x5, 0x84)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000240)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f00000004c0)=@file={0x1, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000340)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x3, 0x0, 0x7, 0xfa11, 0xffffffff}, 0x0)
r3 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_add_memb(r2, 0x107, 0x1, &(0x7f0000000100)={0x0, 0x2, 0xfffffde1, @multicast}, 0x10)
setsockopt$packet_add_memb(r3, 0x107, 0x1, &(0x7f0000000280)={0x0, 0x2, 0x6, @local}, 0x10) (async)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000200)={'pim6reg\x00'}) (async)
r4 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x11, 0x800000000004, @tid=r4}, &(0x7f0000bbdffc)) (async)
ioctl$sock_SIOCSPGRP(r2, 0x8902, &(0x7f00000001c0)=r4)
setsockopt$packet_add_memb(r3, 0x107, 0x1, 0x0, 0x0)
openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
r5 = syz_open_dev$video4linux(&(0x7f0000000040), 0x7fffffffffffffde, 0x161041)
ioctl$VIDIOC_SUBDEV_S_FMT(r5, 0xc0585605, &(0x7f0000000080)={0x1, 0x0, {0x0, 0x0, 0x1004, 0x0, 0xa, 0x410}})
r6 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r6, 0x10e, 0xc, &(0x7f0000000280)={0x29e9c934, 0x5, 0x0, 0x4}, 0x10)
sendmsg$nl_generic(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)=ANY=[@ANYBLOB="200000001600010800000000000000000a", @ANYRES16], 0x20}, 0x1, 0x0, 0x0, 0x240c0811}, 0x0) (async)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(0xffffffffffffffff, 0x84, 0x7b, &(0x7f0000000300)={0x0, 0x5}, &(0x7f0000000380)=0x8) (async)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000080), 0xffffffffffffffff) (async)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000480)={'veth1_virt_wifi\x00'}) (async)
sendmsg$ETHTOOL_MSG_PAUSE_GET(r7, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000340)={0x0}, 0x1, 0x0, 0x0, 0x80}, 0x4041800)
syz_usb_connect(0x0, 0x12, 0x0, 0x0) (async)
r8 = socket$nl_route(0x10, 0x3, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'veth0_vlan\x00', <r9=>0x0})
sendmsg$nl_route_sched(r8, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000003c0)=@getchain={0x2c, 0x11, 0x43d, 0x70bd2a, 0x0, {0x0, 0x0, 0x0, r9, {}, {0xc, 0xfff3}}, [{0x8, 0xb, 0x777}]}, 0x2c}}, 0x200080c4)
executing program 3:
r0 = socket$inet6(0xa, 0x4, 0x4985)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e22, 0xe27d, @mcast1, 0x1}, 0x1c)
sendmsg$inet6(r0, &(0x7f00000000c0)={&(0x7f00000001c0)={0xa, 0x4e20, 0x80000, @dev={0xfe, 0x80, '\x00', 0x3a}, 0xfffe}, 0x1b, 0x0, 0x0, &(0x7f0000000200)=ANY=[@ANYBLOB="2800000000f94833e1c8dbc953e3cf99676f140000002900000032000000ff01000000000000c20400000fc5040180000000000000007de1c3fbb983de4c2f560085706d7d0011833eb9ad1bdcabec1dbc55fcb8dfc3ffc3f90a2223646a211d27"], 0x28}, 0x40)
r1 = creat(0x0, 0x101)
r2 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000280)=ANY=[@ANYRESDEC=r0], 0x0)
syz_usb_control_io$hid(r2, 0x0, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL(r1, 0x89f0, &(0x7f00000000c0)={'erspan0\x00', &(0x7f0000000040)={'tunl0\x00', <r4=>0x0, 0x10, 0x10, 0x0, 0xff, {{0x16, 0x4, 0x0, 0x15, 0x58, 0x65, 0x0, 0x95, 0x29, 0x0, @remote, @dev={0xac, 0x14, 0x14, 0x36}, {[@end, @rr={0x7, 0x27, 0xa8, [@initdev={0xac, 0x1e, 0x0, 0x0}, @rand_addr=0x64010101, @private=0xa010100, @initdev={0xac, 0x1e, 0x0, 0x0}, @loopback, @local, @multicast1, @remote, @rand_addr=0x64010101]}, @timestamp_prespec={0x44, 0x1c, 0x24, 0x3, 0x8, [{@broadcast, 0x759}, {@private=0xa010102, 0x6}, {@dev={0xac, 0x14, 0x14, 0x26}, 0xfffff684}]}]}}}}})
sendmsg$nl_route(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000580)=@dellinkprop={0x28, 0x6d, 0x8, 0x70bd2c, 0x25dfdbfd, {0x0, 0x0, 0x0, r4, 0x8000, 0x2c0}, [@IFLA_PROTO_DOWN={0x5, 0x27, 0x2}]}, 0x28}, 0x1, 0x0, 0x0, 0x20000041}, 0x24004004)
syz_usb_control_io(r2, &(0x7f0000000400)={0x2c, &(0x7f0000000180)=ANY=[@ANYBLOB="0006410000004106a1c2a445e329fc25"], 0x0, 0x0, 0x0, 0x0}, 0x0)
executing program 1:
r0 = socket(0x2a, 0x2, 0x0)
r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0), r0)
r2 = openat$vimc0(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
ioctl$VIDIOC_PREPARE_BUF(r2, 0xc058565d, &(0x7f0000000140)=@fd={0x2, 0xd, 0x4, 0x0, 0xa00, {0x0, 0x2710}, {0x4, 0x8, 0xab, 0x5b, 0xb5, 0x3, "83358140"}, 0x3000000, 0x4, {}, 0x80})
sendmsg$TIPC_CMD_GET_BEARER_NAMES(r0, &(0x7f0000000180)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x1c, r1, 0x200, 0x70bd25, 0x25dfdbff, {}, ["", "", "", "", "", "", "", ""]}, 0x1c}}, 0x1)
sendmsg$ETHTOOL_MSG_RINGS_GET(r0, &(0x7f0000000540)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x55fbdf88846573b}, 0xc, &(0x7f00000003c0)={0x0}, 0x1, 0x0, 0x0, 0x20008000}, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_int(r3, 0x0, 0x18, &(0x7f0000000080)=0x7fffff7e, 0x4)
executing program 1:
r0 = syz_mount_image$fuse(0x0, &(0x7f0000000280)='./file1\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
r1 = inotify_init1(0x80800)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f00004cb000/0x4000)=nil, &(0x7f0000ffa000/0x3000)=nil, &(0x7f0000400000/0xc00000)=nil, &(0x7f000067c000/0x1000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000778000/0x2000)=nil, &(0x7f0000ffb000/0x2000)=nil, &(0x7f0000ba1000/0x1000)=nil, &(0x7f0000eb4000/0x2000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000dc1000/0x2000)=nil, 0x0}, 0x68)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x0)
ioctl$NILFS_IOCTL_SET_ALLOC_RANGE(r0, 0x40106e8c, &(0x7f0000000140)=[0x2, 0x10])
r2 = io_uring_setup(0x7, &(0x7f0000000040)={0x0, 0x30bd, 0xc000, 0x8, 0x40000185})
bpf$PROG_LOAD(0x5, &(0x7f0000000000)={0x12, 0x3, 0x0, &(0x7f0000000240)='syzkaller\x00', 0x80000000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="16"], 0x50)
r3 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000100), 0x2, 0x0)
ioctl$UI_GET_SYSNAME(r3, 0x8040552c, 0x0)
io_uring_enter(r2, 0x2219, 0x7721, 0x16, 0x0, 0x0)
inotify_add_watch(r1, &(0x7f0000000040)='.\x00', 0x800007a1)
renameat2(0xffffffffffffff9c, &(0x7f0000000000)='./file1\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x0)
r4 = socket(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'ip6tnl0\x00', <r5=>0x0})
sendmsg$nl_route_sched(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000001c80)=@newqdisc={0x294, 0x24, 0x3fe3aa0262d8c583, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_gred={{0x9}, {0x264, 0x2, [@TCA_GRED_LIMIT={0x4, 0x5, 0xb96}, @TCA_GRED_PARMS={0x0, 0x1, {0x1, 0x0, 0xfffffff9, 0x5, 0x3ff, 0x8, 0x148, 0x8, 0x2, 0x6c6, 0xc, 0x1c, 0xa, 0x9, 0x3, 0xfffffffd}}, @TCA_GRED_LIMIT={0x8, 0x5, 0x9}, @TCA_GRED_LIMIT={0x8, 0x5, 0x9}, @TCA_GRED_PARMS={0x38, 0x1, {0xfffffffe, 0x40, 0x5, 0x8, 0x5, 0x1005, 0x7, 0x9, 0x3d, 0xc88a, 0x20, 0x16, 0x1, 0x1, 0x5, 0x5}}, @TCA_GRED_STAB={0xfffffffffffffe93, 0x2, "00559446a386a6437f9b8e0b240a39da782ff0f4d94bc93cf96924149ce0daab8c929f675a06bb6f8c3b5d7c255f2aea9eb0bb26b7813e99f62f1c3a448051f2795358ca7deea38bc54f318137f4e0dcb8638368f710005fefbce63cc4558556cbe799ba955e7350cc37aa572ce87310b2612eeffe4cd38bf8b4318bb73db294a108330d0534ef7679b8365253821be0d2f419761499165762da9eb2b8f7db0cad2b6ae42d340bd631fca1a59b71fdc4ab63aaba4787601311c280d25ba58d6de1257ed22599757a49fd3be6371d096fe15115d8d68f1132dd29eb8a5afb8a709fb88f161127e9806600d3fdce7324c2a0d6c02a1a289afb3ac7ebfeac2f3dd4"}, @TCA_GRED_LIMIT={0x8, 0x5, 0x51d}]}}]}, 0x294}}, 0x0)
r6 = syz_usb_connect(0x0, 0x24, &(0x7f0000000a00)=ANY=[@ANYBLOB="120100007856bb40da0b53023de20102030109021200010000000009040000000206"], 0x0)
openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000100)='./cgroup/syz0\x00', 0x200002, 0x0)
syz_usb_control_io$printer(r6, 0x0, &(0x7f0000000400)={0x34, &(0x7f0000000480)=ANY=[@ANYBLOB="20160b000000002717f0"], 0x0, 0x0, 0x0, 0x0, 0x0})
executing program 0:
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
sendmmsg$inet6(r0, &(0x7f0000019680)=[{{&(0x7f0000000100)={0xa, 0x0, 0x0, @loopback={0x0, 0xac141414}}, 0x1c, 0x0}}], 0x1, 0x20004855)
mprotect(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1)
mprotect(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3)
setsockopt$sock_int(r0, 0x1, 0x9, &(0x7f0000000480)=0x7, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000000c0)={&(0x7f0000000000), 0xc, &(0x7f0000000080)={&(0x7f0000000040)=@getspdinfo={0x14, 0x25, 0x100, 0x70bd28, 0x25dfdbfc, 0x6, ["", "", "", "", "", "", "", "", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x4040010}, 0x90)
executing program 4:
r0 = fsopen(&(0x7f0000000040)='afs\x00', 0x0)
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000240)='/proc/timer_list\x00', 0x0, 0x0)
r2 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/tcp_dsack\x00', 0x1, 0x0)
sendfile(r2, r1, &(0x7f00000000c0)=0x8b, 0x100000500)
fsconfig$FSCONFIG_SET_STRING(r0, 0x1, &(0x7f0000000000)='source', &(0x7f0000000080)='#(:.', 0x0)
executing program 0:
syz_genetlink_get_family_id$tipc2(0x0, 0xffffffffffffffff)
r0 = syz_genetlink_get_family_id$fou(&(0x7f0000000340), 0xffffffffffffffff)
sendmsg$FOU_CMD_ADD(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x1c, r0, 0x1, 0x70bd2d, 0x25dfdbff, {}, [@FOU_ATTR_PEER_PORT={0x6, 0xa, 0x4e20}]}, 0x1c}, 0x1, 0x0, 0x0, 0x40d1}, 0x4000)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sendmsg$IPVS_CMD_SET_INFO(0xffffffffffffffff, 0x0, 0x8000)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0xc, 0x8001, 0x0, 0x9, 0x4f, 0x8, 0xfa11, 0x1}, 0x0)
write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, 0x0, 0x0)
fcntl$getownex(r1, 0x10, &(0x7f0000000040))
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=ANY=[@ANYBLOB="3400000040000701fcffffff00000100017c0000040042800c0001800600060065580000100002800c000b"], 0x34}, 0x1, 0x0, 0x0, 0x4048011}, 0x8800)
mknod$loop(&(0x7f00000190c0)='./file0\x00', 0xfff, 0x0)
execve(&(0x7f0000019100)='./file0\x00', 0x0, 0x0)
syz_open_procfs(0xffffffffffffffff, &(0x7f0000002f00)='fdinfo\x00')
syz_open_procfs$namespace(0x0, &(0x7f0000000000)='ns/pid\x00')
r4 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r4, 0x107, 0x3, 0x0, 0x0)
kexec_load(0x0, 0x0, 0x0, 0x0)
syz_io_uring_setup(0xcaf, &(0x7f0000000100)={0x0, 0xb601, 0x859, 0x5, 0x32c}, &(0x7f00000002c0), &(0x7f00000000c0), &(0x7f0000000000))
ioctl$CEC_RECEIVE(0xffffffffffffffff, 0xc0386106, &(0x7f0000000180)={0x1, 0x1, 0x0, 0x6, 0x0, 0x0, "5debca561a5fbf61048955f6f876b2ff"})
r5 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_XFRM_POLICY(r5, 0x29, 0x23, &(0x7f00000004c0)={{{@in=@multicast1, @in6=@ipv4={'\x00', '\xff\xff', @remote}, 0x40, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x4f}, {0x0, 0x80000000, 0x2}}, {{@in6=@rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', 0x404d3, 0x2b}, 0x0, @in=@empty, 0x0, 0x0, 0x0, 0x0, 0x40000000}}, 0xe8)
r6 = socket$key(0xf, 0x3, 0x2)
setsockopt$sock_int(r6, 0x1, 0x8, &(0x7f00000001c0), 0x4)
sendmsg$key(r6, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=ANY=[], 0x10}}, 0x0)
sendmsg$key(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="0212000002"], 0x10}}, 0x0)
socket$nl_xfrm(0x10, 0x3, 0x6)
executing program 4:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(0xffffffffffffffff, 0x6, 0xe, &(0x7f00000002c0)={@in6={{0xa, 0x4e24, 0x89, @private2={0xfc, 0x2, '\x00', 0x1}, 0xffffcb91}}, 0x0, 0x0, 0xc, 0x0, "3f114438efdaca16d374b49a08003535d5bd9db3c8572560f4d1be5cd41f771666fd81baadb27900"}, 0xd8)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
pipe2$9p(0x0, 0x80180)
ioctl$KVM_CREATE_IRQCHIP(r3, 0xae60)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000001c0)=[@text16={0x10, 0x0}], 0x1, 0x4, 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, &(0x7f0000000200)="f7790066baa00066b86b4266ef66ba420066b8e20066ef0f29902cbb0000c4e2b1ba8c88d9000000666666440f38826b410f7842280f07b8010000000f01d9c4033921820f47a753fd", 0x49}], 0x1, 0x43, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_SET_VAPIC_ADDR(r5, 0x4008ae93, &(0x7f0000000040)=0x1000)
r6 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r6, &(0x7f0000001e00)={0x0, 0x0, &(0x7f0000001d80)=[{&(0x7f0000000600)={0x2c, 0x2e, 0x503, 0x0, 0x0, "", [@nested={0x1c, 0x0, 0x0, 0x1, [@typed={0x8, 0x0, 0x0, 0x0, @u32}, @typed={0x8, 0x0, 0x0, 0x0, @fd}, @typed={0x5, 0xf, 0x0, 0x0, @str='\x00'}]}]}, 0x2c}], 0x1, 0x0, 0x0, 0x4009074}, 0x0)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f0000000280)={0x1, 0x0, [{0x40000073, 0x0, 0x81}]})
ioctl$KVM_SET_VCPU_EVENTS(r4, 0x4400ae8f, &(0x7f0000000140)=@x86={0x4, 0x21, 0x5, 0x0, 0x75, 0x81, 0x30, 0x0, 0x0, 0x82, 0x9, 0x0, 0x0, 0x0, 0x8, 0x0, 0xe, 0xff, 0x1, '\x00', 0x7})
r7 = socket(0x2, 0x80805, 0x0)
r8 = socket$inet6_sctp(0xa, 0x5, 0x84)
shutdown(r8, 0x0)
close(0x3)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r8, 0x84, 0x6f, &(0x7f0000000200)={<r9=>0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r8, 0x84, 0x7a, &(0x7f0000000340)={r9, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r7, 0x84, 0x7d, &(0x7f0000000280)=@assoc_value, &(0x7f0000000240)=0x8)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
executing program 2:
socket$nl_generic(0x10, 0x3, 0x10)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000600)='blkio.bfq.io_serviced\x00', 0x275a, 0x0)
syz_open_dev$vbi(0x0, 0x1, 0x2)
syz_open_dev$tty1(0xc, 0x4, 0x1)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000140)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
eventfd(0x3)
ioctl$KVM_IOEVENTFD(0xffffffffffffffff, 0x4040ae79, 0x0)
setsockopt$inet6_IPV6_RTHDR(0xffffffffffffffff, 0x29, 0x39, &(0x7f0000000400)=ANY=[@ANYBLOB="8f506370d700de40390d6ff5d310592b608bdc93e7f6e8aee03f6ac56a5c3c"], 0x18)
writev(0xffffffffffffffff, &(0x7f00000000c0)=[{&(0x7f0000000100)}], 0x1)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000001c0)='net/ip6_tables_targets\x00')
socket$unix(0x1, 0x1, 0x0)
r2 = socket$unix(0x1, 0x1, 0x0)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
r4 = socket(0x400000000010, 0x3, 0x1)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000180)={'syzkaller0\x00', <r5=>0x0})
sendmsg$nl_route_sched(r4, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000600)=@newqdisc={0x34, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r5, {0x0, 0xfff1}, {0xffff, 0xffff}, {0x0, 0xb}}, [@qdisc_kind_options=@q_cake={{0x9}, {0x4}}]}, 0x34}}, 0x0)
sendmsg$nl_route_sched(r4, &(0x7f0000000580)={0x0, 0x0, &(0x7f00000006c0)={&(0x7f0000000280)=@newtfilter={0x90, 0x2c, 0xd27, 0x30bd29, 0x25dfdc00, {0x0, 0x0, 0x0, r5, {0xffff, 0x5}, {}, {0x7, 0x3}}, [@filter_kind_options=@f_matchall={{0xd}, {0x5c, 0x2, [@TCA_MATCHALL_ACT={0x58, 0x2, [@m_ife={0x54, 0x1, 0x0, 0x0, {{0x8}, {0x2c, 0x2, 0x0, 0x1, [@TCA_IFE_PARMS={0x1c, 0x1, {{0x8, 0x8, 0x4, 0xa, 0x3}, 0x1}}, @TCA_IFE_METALST={0xc, 0x6, [@IFE_META_TCINDEX={0x6, 0x5, @val=0x56}]}]}, {0x4}, {0xc}, {0xc, 0x8, {0x2, 0x3}}}}]}]}}]}, 0x90}}, 0x0)
r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r6)
socket$kcm(0x11, 0x3, 0x0)
mremap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000001000/0x1000)=nil)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)=ANY=[@ANYBLOB="4800000010003b1500"/20, @ANYRES32=0x0, @ANYBLOB="0000000000000000280012800b00010065727370616e00001800028005a330aee5bb661c762a6e0917ca29c000160002000000050017000000000004001200"], 0x48}}, 0x0)
executing program 0:
r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000780)=ANY=[@ANYBLOB="12010000cf8bed20d90f25004029000000010902120001000000000904"], 0x0)
syz_usb_control_io$uac1(r0, 0x0, &(0x7f0000000580)={0x24, &(0x7f0000000700)=ANY=[@ANYBLOB="201109"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) (async)
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000001c0)={<r1=>0x0}, &(0x7f00000003c0)=0xc)
r2 = syz_open_procfs(r1, &(0x7f0000000400)='net/nfsfs\x00') (async)
r3 = epoll_create1(0x0)
epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r2, &(0x7f0000000040))
epoll_ctl$EPOLL_CTL_MOD(r3, 0x3, r2, &(0x7f0000000c40)={0xc0000000}) (async)
sendmsg$NFQNL_MSG_VERDICT(r2, &(0x7f0000000240)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000200)={&(0x7f0000000280)=ANY=[@ANYBLOB="280000000103050000000000000000000000000408000340000100000c0056ba0800034000000001ca43bf1d8baff38be64d26c1a9876f4fbad26d36d6cb49c107bc0088ff80df4a03efc3bec94d27423f0d97dfeceebb432202f68b75a326a6115b31540b7801817dc831e355d9d96a9630c75252b54b93ad10a3346f747d8ddad2c4709be5be653113793b400e3ef21a1f61cd9f53a8a343f766d3e08d9573bea7b5506fa2878ffa45b635c8bf4918e0e7e0e4c6208cbdfc1e8d6f4798ef5bae072485c78cee058994514820baf630c59725c192a64300e6c61d5e3678dab6d798db7e6d53a9d9def4"], 0x28}, 0x1, 0x0, 0x0, 0x8000}, 0x6)
syz_usb_control_io$uac3(r0, 0x0, 0x0)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r5 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$NFT_BATCH(r5, &(0x7f0000000a00)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000540)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_DELOBJ={0x14, 0x14, 0xa, 0x101, 0x0, 0x0, {0x7, 0x0, 0x8}}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x3}}}, 0x3c}, 0x1, 0x0, 0x0, 0x8801}, 0x10) (async)
r6 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x1) (async)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r8, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000d80)=@newsa={0x140, 0x10, 0x1, 0x0, 0x25dfdbfd, {{@in=@local, @in6=@empty, 0x4000, 0x0, 0x3, 0x3}, {@in=@broadcast, 0x0, 0x33}, @in6=@mcast2, {0x0, 0x0, 0x0, 0x401, 0x0, 0x0, 0x4}, {}, {}, 0x0, 0x0, 0xa, 0x1}, [@tfcpad={0x8, 0x23, 0xd19}, @algo_auth={0x48, 0x1, {{'cmac-aes-ce\x00'}}}]}, 0x140}}, 0x20000000) (async)
ioctl$KVM_SET_MSRS(r7, 0x4008ae89, &(0x7f0000000080)={0x1, 0x0, [{0x28d}]}) (async)
syz_open_dev$sg(&(0x7f00000060c0), 0x0, 0x8002)
r9 = fcntl$dupfd(r2, 0x406, r4)
write$tun(r9, &(0x7f00000000c0)={@void, @val={0x2, 0x1, 0x3, 0xc43, 0x5, 0x800}, @mpls={[], @ipv6=@tipc_packet={0x3, 0x6, "460ba0", 0x1a, 0x6, 0x0, @empty, @loopback, {[], @payload_conn={{{0x1a, 0x0, 0x1, 0x0, 0x1, 0x6, 0x1, 0x2, 0x6, 0x0, 0x1, 0x5, 0x2, 0x0, 0x2, 0xb5, 0x4, 0x4e21, 0x4e21}}, [0x0, 0x0]}}}}}, 0x4c) (async)
r10 = syz_open_dev$dri(&(0x7f0000000040), 0x1, 0x0)
ioctl$KVM_SET_IRQCHIP(r2, 0x8208ae63, &(0x7f00000007c0)={0x1, 0x0, @ioapic={0x6000, 0x8, 0x2, 0x40, 0x0, [{0x98, 0x18, 0x8, '\x00', 0xa1}, {0x5, 0xf6, 0x0, '\x00', 0x5}, {0x8, 0x80, 0x81, '\x00', 0xf}, {0x6, 0x9, 0x9, '\x00', 0x5}, {0x15, 0x4, 0xf7, '\x00', 0x57}, {0x9, 0x9, 0x8, '\x00', 0x2}, {0x1, 0x9, 0x4, '\x00', 0x8}, {0x5, 0x67, 0x1}, {0x1, 0x8, 0x5, '\x00', 0x9}, {0x7, 0x0, 0x0, '\x00', 0x65}, {0x4, 0xf, 0x9, '\x00', 0x8}, {0x80, 0x7, 0x9, '\x00', 0x7}, {0x91, 0x4, 0x8, '\x00', 0xe}, {0x4, 0xff, 0x47, '\x00', 0x81}, {0x7, 0x7, 0x80}, {0x9, 0x7, 0x9, '\x00', 0x10}, {0x3, 0x5b, 0x0, '\x00', 0x7}, {0x7, 0x60, 0x62, '\x00', 0x3}, {0x0, 0x6, 0x3, '\x00', 0x7}, {0x3, 0xf, 0x2d, '\x00', 0x8b}, {0xd, 0xdb, 0x7, '\x00', 0x5}, {0x10, 0x9, 0x42, '\x00', 0x2}, {0xf7, 0x6, 0x81, '\x00', 0x9}, {0x2, 0x0, 0xb9, '\x00', 0x5}]}}) (async)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r10, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r11=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_SETCRTC(r10, 0xc06864a2, &(0x7f0000000700)={0x0, 0x0, r11, r11, 0xd, 0x81, 0xa, 0x9, {0x4, 0x2, 0x2, 0x4, 0x6, 0xebe9, 0x8, 0x8000, 0x5, 0x10, 0xaf36, 0x7, 0x2, 0x8, "fe27c227cf20ed8235e99238a9b12ef0d295d0e6bf8580808779e7cd8966615d"}})
ioctl$BLKTRACESTART(r9, 0x1274, 0x0)
openat$fuse(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
executing program 3:
socket$nl_generic(0x10, 0x3, 0x10)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
bpf$OBJ_GET_PROG(0x7, 0x0, 0x0)
connect$unix(0xffffffffffffffff, 0x0, 0x0)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000380)={0x40000000, 0x0, &(0x7f00000000c0)={&(0x7f0000000600)=ANY=[@ANYBLOB="0218000e0c000000000000000000000005001700000000000a0000000000000000000000000000000000000000000000000000000005001a00ff020000000000000000000000000001fc020000000000000000000000000000d238e9edfee429001010", @ANYRESDEC=r3], 0x60}}, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r2, 0x84, 0x6f, &(0x7f0000000340)={0x0, 0x1c, &(0x7f0000000240)=[@in6={0xa, 0x4e24, 0x40, @local, 0x1}]}, &(0x7f0000000100)=0xc)
socket$nl_route(0x10, 0x3, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x15, 0x0, 0x0, &(0x7f0000000080)='GPL\x00', 0x5, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sk_reuseport, 0xffffffffffffffff, 0x6}, 0x94)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff7000/0x1000)=nil, &(0x7f0000ff1000/0xf000)=nil, &(0x7f0000ff1000/0x2000)=nil, &(0x7f0000ff5000/0x3000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ff5000/0x1000)=nil, &(0x7f0000768000/0x10000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x24004045)
r4 = io_uring_setup(0x524, &(0x7f0000000040)={0x0, 0x3cb1, 0x1c080, 0xa, 0x20002f7})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000100)=ANY=[], 0x30}, 0x1, 0x0, 0x0, 0x4040000}, 0x0)
sendmsg$netlink(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000480)=[{&(0x7f0000000500)=ANY=[@ANYBLOB="e80000002800010000000000fcdbdf25d800f28008001800640101011400010000000000000000000000ffff7f00000150bb2d6f67b79d6fabadb107d0def49c88ea04abde1d5e8d3fb22a1b5046778bdafefc46b0449ade68bf84b36ec72dd71265fc2e882348c26c2126237d4bacc890d7761d569367d5b37f5ae655b1086cda40e00aec58754734be31d750351dc076eb43d9621dc08c029d1608a46cf26fbe816b89f7cb81bff81a8b9482565856555ee923c65973deb0a99b96445f3399f1cd026e683dd6832bc0fe94a3fcae3697bd7b85b3a682167c43dbf137115a40ebddcad74875ec58e9a3ddb9ad02a078cf0d972d"], 0xe8}], 0x1, 0x0, 0x0, 0x1}, 0x0)
io_uring_enter(r4, 0x2219, 0x7721, 0x16, 0x0, 0x0)
r5 = fsopen(&(0x7f0000000280)='ceph\x00', 0x0)
fsconfig$FSCONFIG_SET_STRING(r5, 0x1, 0x0, 0x0, 0x0)
r6 = syz_open_dev$video4linux(&(0x7f0000000080), 0x5d7, 0x0)
r7 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r7, &(0x7f0000000380)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb(serpent)\x00'}, 0x32)
setsockopt$ALG_SET_KEY(r7, 0x117, 0x1, 0x0, 0x0)
r8 = accept4(r7, 0x0, 0x0, 0x800)
sendmmsg$alg(r8, &(0x7f0000000040)=[{0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000080)="f7", 0x1}], 0x1, &(0x7f0000000380)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18, 0x4044855}], 0x1, 0x40800)
recvmsg(r8, &(0x7f00000005c0)={0x0, 0x0, &(0x7f00000001c0)=[{&(0x7f00000000c0)=""/81, 0x51}], 0x1}, 0x0)
ioctl$VIDIOC_QUERY_EXT_CTRL(r6, 0xc038563c, &(0x7f0000000340)={0x180000000, 0x0, "119f04669489f733dcaa932034233bff3aba43d2103e2984dea6e200", 0x0, 0x0, 0x0, 0x0, 0x3})
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
r0 = syz_usb_connect(0x2, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000041436120410e5150e8d5000000010902f98a5c01000000090401001186eee20009058a"], 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000880)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x3, 0x9, 0x8001, 0x0, 0xb, 0x8000000000000003, 0x4, 0x8, 0xfffffffb}, 0x0)
openat$tun(0xffffffffffffff9c, 0x0, 0x0, 0x0)
openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000800), 0xc000, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r3, 0x0, 0x4000040)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = gettid()
timer_create(0x7, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r4}, &(0x7f0000bbdffc)=<r5=>0x0)
timer_settime(r5, 0x1, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x3938700}}, 0x0)
open(0x0, 0x4800, 0x1a1)
memfd_create(&(0x7f00000002c0)='[\v\xdbX\xae[\x1a\xa9\xfd\xfa\xad\xd1md\xc8\x85HX\xa9%\f\x1ae\xe0\x00\x00\x00\x00\xfb\xff\x00\x00\x81\x9eG\xd9\xd6\x1c\x1b*\x9a!?\x7f\xa5\xad\x9a,\xe2\xc6a\x9f\xe8\xf1\xb3\x86\xe2+Op\xd0\xa2\x82\x1eb;(\xb5\xe1jS\xd6\x91%||\xa0\x8ez\xadT\xc8\f\xe5\x89\xbf#2\x99\x1e\xa1`\xc3\xcf\xd3\xae\xd2\a\x11\xa9\xa5^\xff\xf5\x95\f<\x8f\xc1\x99\x89r\xe1?\xbdu\x98\xc3\xf8\xd2Q#\xc6g\xa0\x85\xd6G\x85\x11X\x8d,\x02\xd45\xb8\xca\x97\x9d\xcb\x1e\x80\xd6\xd5>N&\xf8#\x80z8Z\xd2}\xf5\xe4\x9f5\x9b\x01\xf9t\xbb\x1er\x14\xdb\xd3\xcd\xfd\xbdnC\xec\x8aog\x87BR\x9d\xad\xd4FcB\xda\x95\xc3\xdd\x9d\x8f\x1a\xce\x18\x80\"j\xe1\xba\x1e\x97uX\xccv\xd6\vcz\x92A^\xbc\xceF\xf7\xe5:\xaf\xc5~\xbcJ e\r\x88c\x9d\xb92\xb6i4zq\xb3c\x0f\xb2t\x93\xf2E6b\xfa\xcdJ5\xe3W]`4\xd8D\x05\v\xfc)\xca\xedQ\xd0]Ot\'\xc2tDF\xf9\xa7\xb5(\x83\xa5\x0f\x1d\x1d\x06Dg\x13>\x19\xe85#\aaT\x89=\x104\xd5\x85Q\x96\x91\xea\x172P\xb3:\xadZ\xbc\xbe\x00\xf0\x14\x96\xd9M\xd7\x88QZs\xb2\xe1+$jfQodH\x05/y`~Mx\x02\x00(v\xe6`\x026\xfcgC\xb5\xf0\x13.zb\xc5bj+@\x00\x00\x00\x00\x00\x8e[\xb3\xa3\x87\xb9\xe2_Z\x11\xef\xc2]V\xf3\x03\x94\xb9\xe1\xa68\x8d\\\xe5\xef\xacpM\xf0\xa6\x04\x10\xb7\xc0t\x83\\\xf7\x12k\x9f\x10\xd5Z\x19\xc1\xc1\x80\\o\x97\xce=U\xdd\xaa\x1b\x05\x14\x13\xa6\xbd#\xde\x04\xe6$\xec$3\xf6\x97\xc6\xeaSL\xb7A72M\x88k@\xe5\xa3\n&\x1e\xc84\xa9\xe2\xccM\x906\x95xQ-2p\xd62\'\xec\x0f\x13;I\x95fE_\r\xe7\t!A\x05\xe4\x8f\x9e0\xf8/T\x18\xf7\xa1\x9f\xde1\xd5\x80<\xf5\b\xa9\xec\x85\xaeW\xb3\xd8#)bn \xfb\xf2\x88\xfaR\xff\xdd\x80\x96_\xec5\xf0\x1c\a\x8a\x80\x00@=\r8u+%f:\x1e\x82\xfap\xf6\x89\xea\xba\xe3\xbbM%F\xdb\\\xd1eJJ*\xc67\xca\x03\xa3\xf7(\xbb\xecN\xd4\xe7\xf2:u\x8a\b\xd5\v\xca\xfd\\\xd6\xe3\x05\xb3\x03\xd5\xe0\xd2\xf2{&\x8b\xdf\xa1\xbe}\xb2\xe4y\xbb\xe6\x1f\x10c\xf5WQ\x82\x04\x01C\x83,\x90\x1a\xfa\x8e\x17\x89\xe2\xedX\x8d\rmq\t\xb5$\xb4\x9b\x92z\xd6/-\x13,\xb5%\x8eM/\x04\xa7\x7f\x1b\x85\xf1\xa4X\x17\xbb\x1cR14\xfb!\b\x10\xe8\xb2\xd41gK\xe4\xea\xe39d\bL\xe5\x1b\xbd[\x9bWD:\r&\xe9\vn^\xcc\x86\xe3\xce1>3{\xaa{\xbd0P\x9f\xa68\xf5\x82\xb8\x9aD\x9c{\xe6\xf8\xcbD\xb5aJ\xb0\x92\x89\xbc\x80\x1ch\x89\xe7\xdd]q\x0e,>/\xaf|\xf0\x01V\x7f\xc9?\xba\x16\xe4$+\x02\x00\x00\x00\x00\x00\x00\x00\xa5\x94d9\xaf\xcfq\x8b=\x026\xef\r\x91\x18\xc5\xb6\xb9fM\x8ayZ\xbcd\xa5\x8a\x88\x98\xc3\xfc`\xa6\xba\x1f\x17\v$\x88g\xb4\xad\b\xc1\xddW\xa6\xc1\xb7\xb0\xa3\x84Q\x13GoU\xe2\xb7\x03\x9c\xd5\x0f\xa8\x0ef\"\x15\x82\xe7\xbd\xf8\xca\x10f\xfe6h\xe9\xc3\xc2\xa0O:\xac~\x1a\xf7\xbeF\xbe\xe5\xf0\x81\xd6&\xc0<Q8\xbeX\xde\xd6 \xef\x0e\xc2.\x9c=1\x15d\xddIv\x0fh\xe6M(D\xad\xeb\xcfX8\xb9\x8d\xbe(\xd3\x16?x\xbd@\x0f\xf5\xdb\xeb\xd7i*\xea\x86JX\xff;\x96\xbb\xa7\xa8u5R\xa2,\xba\xbc\x01\x12\xb3q,\x9d\xf8\xbdb`\xb3\xc6\x0f\xb3\xac\xc7\xa4O@\x81\xfc\x1a4$\x885\x97\xa9|\x99\x86*.\xda\x96RQ\xe5\xb1\xef\xb7\x10\x99\xd4\xa7\b\xcd\xe9\xa5\xf6wR\xc1\xdfH).\a\x9a\xab\x9e&+\xc4#\x90\xc9%\xb9\xd7o\x86\x13\a\xc0\x01w9u6\xdd\x9fJ^o\x1d\xda\x11?\xc1\xf5\xf7\xff\xec\x916\xceQ\xcfU\x035\x96\x8f\xc7\x84\"2\xef\x02\xcf\a+\x8a\xd1\x11\xb5\xa8\x92\f\xb3R\",\xfc!_&pD\xeb5\xc6\xc8\xff2\xee\x14\x83\x14l\x04\x80\xaa7\x80\xf1\x18\xf5\xa5\xd23\xe5\b\x00\xe8\x9c\xd4\xd0\a\x93#\xb9Z\xc0y\x97<\xe5i\xe9\xe4\xb02Cu\xe1d\r\x0e\xc1\xf1\x81^\xa7\xffz)\x19U\xe5\xd4\xf5@O#W\x8a\xbb3c+\n\x97\xa6\xf7\x90$\xd6*\xd0\x1b\x10\xe4HM:XO\x1b\rx\xc7\x12|\x7fN\xc9\xf9i\xe4\xe5-\x9b\xe407\x9d\xe8\xc6\x90\x9f_Jf\x05\r\x1b\x9af\v\xbcv\x83\xf3j\xaf\xd0F91 ^x\x85\x80[\xa3B\n#!\xc2R\xdd\xf4)\xba\x1e\xfb6U\xabc\xda\x9a)\xc3\x9a\x06\xc5\xccP)\xdf.\xa7-\x84\xdf8\xbf\xfc1^}B\xee\xccR/z\x1e\xe8\x1e\x99\x99\n\xf4u\xd4\xbd^L\xb2j\xda\xff\x1d\x10\xc8\xad\xbd_OI\xb1\xe8y\x003\a\x06\x92\x8e\n\x8b\xf3\xd4G\x85\xbd\x1a\x81+3\x99jq\xd1\xacK^\xef\xb6!8\xcd?\x1e\\\x16W2\xbd4$zn\xa9\x7f\x9dE\xaf\x0f\xdb\xe0\xfa\x10\xc3\xb2\xf8\x80\x8c\xec$\xda\xc0\x94y1\t\xc5', 0x2)
r6 = landlock_create_ruleset(&(0x7f0000000040)={0x0, 0x3}, 0x10, 0x0)
landlock_restrict_self(r6, 0x0)
landlock_restrict_self(r6, 0x0)
landlock_restrict_self(r6, 0x0)
landlock_restrict_self(r6, 0x0)
landlock_restrict_self(r6, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
prlimit64(0x0, 0x7, &(0x7f0000000180)={0x1, 0x8}, 0x0)
syz_io_uring_setup(0x3b48, &(0x7f0000000280)={0x0, 0xc5ba, 0x1, 0x1, 0xc3}, 0x0, 0x0, 0x0)
clock_gettime(0x0, &(0x7f0000000000)={<r7=>0x0, <r8=>0x0})
timer_settime(0x0, 0x1, &(0x7f00000000c0)={{0x77359400}, {r7, r8+10000000}}, &(0x7f0000000100))
futex(&(0x7f0000000080)=0x2, 0x0, 0x2, 0x0, 0x0, 0x0)
executing program 1:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
sendfile(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000000300), 0x7)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x80)
socket$packet(0x11, 0x2, 0x300)
socket$kcm(0x11, 0x3, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x4)
write(r2, &(0x7f0000005c00)="2700000014000707030e0000120f0a0011000100f5fe0012ff000000078a151f75080039000500", 0x27)
r3 = socket$kcm(0x10, 0x2, 0x10)
sendmsg$kcm(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000300)=[{&(0x7f0000000100)="1400000016000b63d25a", 0xa}, {&(0x7f0000000240)="637bced613dbc7f70836", 0xa}], 0x2, 0x0, 0x0, 0x600}, 0x0)
syz_genetlink_get_family_id$smc(&(0x7f00000001c0), r2)
sendmmsg(0xffffffffffffffff, &(0x7f0000000000), 0x400000000000136, 0x20008000)
mremap(&(0x7f0000000000/0x9000)=nil, 0x600002, 0x600002, 0x7, &(0x7f0000a00000/0x600000)=nil)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil)
r4 = socket$xdp(0x2c, 0x3, 0x0)
r5 = socket$inet6_sctp(0xa, 0x1, 0x84)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000200)={'bond0\x00', <r6=>0x0})
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000180)={'geneve0\x00', <r7=>0x0})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB, @ANYRES32=0x0, @ANYBLOB="400d000000000000300012800800", @ANYRES32=r7, @ANYBLOB="080001", @ANYRES32=r6], 0x50}, 0x1, 0x0, 0x0, 0x40000}, 0x8000)
sendmsg$xdp(r4, &(0x7f0000000240)={&(0x7f0000000000)={0x2c, 0x3, r7, 0x5}, 0x10, &(0x7f0000000040)=[{&(0x7f0000000400)="022cd36c9170e954ec93ef97f6dcc6efc3b33c62555ffe260cf036c139fb3af8a7aa8cff031fadb78520886bea6e0cf9e8d1bd7adb963c3c2293af1c6839c5dc1e1a6d565febb0f051191909c0f64025aa0aa2a263dd7d7a8ff49a48f13bc488b8379d984f7abd995f5f6ce78c8a0919ab00fda88c760e192a683db296ce67ec524fd1402ccd727c84237f7906bfc372f10bfa4e34", 0x95}, {&(0x7f00000001c0)}, {&(0x7f0000000380)="f835e3b4a736b36e0276d5f794f639d2f056ddcd9fa88726fb672b7eb8afdc3644be53a9700cbac4b2fc9f9eb5c47a1362d19ac771aa9f5990265790212cc552fb4453b1dad57e624c497b6f9bd8e883ef5ec3bc6413436a101ef022a0ce9c1111b6b0bb25", 0x65}], 0x3, 0x0, 0x0, 0x4000001}, 0x8095)
r8 = syz_open_dev$sndpcmc(0x0, 0x1, 0x80)
ioctl$SNDRV_PCM_IOCTL_UNLINK(r8, 0x4161, 0x0)
io_uring_register$IORING_REGISTER_BUFFERS(0xffffffffffffffff, 0x0, &(0x7f00000002c0)=[{0x0}], 0x1)
executing program 3:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
arch_prctl$ARCH_REQ_XCOMP_GUEST_PERM(0x1025, 0xfffffffffffffff7)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x8, &(0x7f0000000080)=0x40, 0x4)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r1, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000300)="420fc7bc4898580000640f01c50f01c566baf80cb864c95782ef66bafc0cec67670f1b0166ba410066ed8ec046d9c3c442b90a2c81c442812852fcc744240012000000c74424020b000000ff1c24", 0x4e}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_TRANSLATE(0xffffffffffffffff, 0xc018ae85, &(0x7f00000000c0)={0xeeee8000, 0x10000, 0x7, 0x10, 0x6})
r3 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_rx_ring(r3, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x4682}, 0x1c)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000240)={[0x5836, 0x5, 0x5, 0xe51, 0x2, 0x5479, 0x103d, 0x6, 0x0, 0x32a, 0xfffffffffffffffe, 0x7b00, 0x1, 0x40000000009, 0x5, 0x6a], 0xeeee0000, 0x808d6})
bpf$MAP_CREATE(0x0, &(0x7f00000001c0)=@base={0x1, 0x5, 0x0, 0x84, 0x105, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x10000000}, 0x50)
syz_emit_ethernet(0x0, 0x0, &(0x7f0000000000)={0x0, 0x3, [0x79a, 0xab2, 0x445, 0xf2e]})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
executing program 2:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000004c0)=@updpolicy={0xc4, 0x19, 0x1, 0x0, 0x400000, {{@in=@multicast1=0xe0000002, @in, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x87}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffb}, {0x0, 0x0, 0x200000000000000}}, [@mark={0xc, 0x15, {0x35075a, 0x81}}]}, 0xc4}, 0x1, 0x0, 0x0, 0x40100}, 0x2c000010)
sendmsg$nl_xfrm(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000000)=@updpolicy={0xb8, 0x15, 0x1, 0x0, 0x0, {{@in=@multicast1=0xe0000002, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0xa, 0x10}, {0x0, 0x1, 0x0, 0x8100000000000000, 0x0, 0x0, 0xffffffff}, {}, 0x0, 0x6e6bb5, 0x0, 0x1}}, 0xb8}}, 0x0)
executing program 0:
socket$inet6(0x10, 0x3, 0x0) (async)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) (async)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
socket$pppl2tp(0x18, 0x1, 0x1)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) (async)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0) (async)
ioctl$sock_ipv6_tunnel_SIOCGETTUNNEL(0xffffffffffffffff, 0x89f0, &(0x7f0000000180)={'ip6_vti0\x00', &(0x7f0000000280)={'ip6_vti0\x00', <r2=>0x0, 0x4, 0x0, 0x3, 0x5, 0x12, @mcast2, @private0, 0x0, 0x8007, 0x100, 0x5}}) (async)
r3 = openat$cuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0)
read$FUSE(r3, &(0x7f0000002d40)={0x2020, 0x0, 0x0, <r4=>0x0}, 0xfffffffffffffc88)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f00000003c0)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x80021}, 0xc, &(0x7f0000000380)={&(0x7f0000000a40)=ANY=[@ANYBLOB="741000002100100027bd7000fddbdf2500000000000000000000ffffac1e0001fe8000000000000000000000000000bb4e2100004e200000", @ANYRES32=r2, @ANYRES32=r4, @ANYBLOB], 0x1074}, 0x1, 0x0, 0x0, 0x20000000}, 0x28880)
sched_setattr(0x0, &(0x7f0000000200)={0x38, 0x5, 0x8, 0x8003, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0) (async, rerun: 64)
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r5=>0xffffffffffffffff}) (rerun: 64)
getpeername$tipc(r5, 0x0, 0x0) (async)
r6 = socket$inet6_sctp(0xa, 0x1, 0x84)
ioctl$AUTOFS_IOC_READY(r3, 0x9360, 0x7)
sendmmsg$inet6(r6, &(0x7f0000000a00)=[{{&(0x7f0000000240)={0xa, 0x4e20, 0xc52, @initdev={0xfe, 0x88, '\x00', 0x1, 0x0}, 0x4}, 0x1c, &(0x7f0000000200)=[{&(0x7f00000004c0)="f3", 0x1}], 0x1}}], 0x1, 0x4000841) (async)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)) (async)
r7 = bpf$MAP_CREATE(0x0, &(0x7f0000000440)=@base={0x1, 0x42, 0x6, 0x8, 0x0, 0x1}, 0x48)
bpf$MAP_CREATE(0x0, &(0x7f0000000040)=@base={0xc, 0x4, 0x4, 0x8001, 0x0, r7}, 0x50)
prctl$PR_SCHED_CORE(0x3e, 0x4, 0x0, 0x2, 0x0) (async, rerun: 64)
r8 = openat(0xffffffffffffff9c, &(0x7f0000000140)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x20) (rerun: 64)
syz_fuse_handle_req(0xffffffffffffffff, &(0x7f0000004300)="00e7a0633e8438bafa888b9b02144af32e296a0a01dc194d649b6fa26d6d5e63bac4a04baeeb8aacb22c6eec461b67db6a737737c6d2687acb00572f92e3fdb5d0cb2f11121c557a943020200755bcab77b39c406b733239e2bb1175b9322ba39dc7d67da8f77aed1714dae2e6c24c3ea96be9d151c6ab7b3c54bbe507b8b2461fb4be8dc90042184af6d48f8ace16abb5e3fc943cf61cdb75624a259bdb5f7829b9775820f85f2d1a6ee6c6c2af4fd41ab8a41ecb2612abf13cd2c6f9f3e6db505e4bbe68cc000cf5fa6d5636191a4b366ab59af52132a3f9678d4ed1bd577bacffb3b52850804005eebf3dfa4763168ff30490a11acdbbf4c3312a45f30139f6b72b1e7cdec185006bb30e0e8fa88da2cefc718cae7e9830f7ca101e4e23c6bd16bfacf4a9927fb13af4b79c86ab999beda4ad396abdda354a42fb4ef21d6749175dc21a0cf9191aa4f90d274b50370a580ad8dcd166d2b06c0d8b071973c3fde30f7e2bc371a51ca5866bf8b24eaac75bf482dd4436b214ff62d32e20df223b0b680ede28b3a49e66e330a8a3ecace0db9855d235d5ff23765e742d1a739c2ac8743f4c62664a3b347279da55a1a5b16e1e2828b584a013577d50f890e3894d9e8d6bfccdfb2b70221f12a7fac24b7a8818edce72b65f622c77bf1312771a2c0d805ec9a25c536c91868762032255be78903b77b2c1a773a03996fabba69214e76f5df6df0375b592692a2c3c86c75a3be56fe598ddaea0b9901d20db7e43e128e04e5509283f833c24c625887288459db5727210ba9a301fb8c934dd1d8dca68039fe5b2e1a8d7cdfc6d875e5851098100c3cd42544ed90bb55b58d20a501fabbc485d148c615a3b070fa0520da2ed68ee115a4411d5418b47f3d95616096f67a7a36d68f1e8df82eca8ef96fb4a96b3422fe046a37ea5f5967513a559bd770fecab7228b0692f439765c9e9c6ea4fc608e0b27f9b49064daa2bac06f83f6d87ebc61fa3a29bb5ed39641245ce8cf43770df32a84838802b0827ca5a40e2003915e2ed108a005637bb028d29bd2cfd28a1bd55e67ed1b6b7b72163c27c4b0e36d1b134d6dfdb165a66fb46498fc04bb8053b84098af5b18758631d1318d625a6fa4d3ce5a4d3a90e10c6363a26b5ae96c2d56f87ad21a6118af6847d041f88f852ddc3f250c088ef5cb31198f3ac81cff9a5bab26ed56c09f8416188974e08349f7da28fc754b98c1ac4ea0060ac1e1b1c49f7dbadbc59254b265dc418cab9ac14e2bbecc4c3103543e37984efb1f61315e10d2b422732217d3a9b0cfe4561f3765d3bda60be239e02bdc164dd631582e8c87dd8fa60d63dcf9e7f3dadc4ce5e4433a42425b8ee8cb8a2defab0bf9b6109c90b5655b79b18c06884f2670a985d454e08e54de69f645cb0cbb70620bd988ee717c310ae77b4abe81c01c6e7f47268ee20bc30b9062830917705682eba2c5ef966b877f33294aa5f8b29d3dd5ed92302087f34fa18d19a005de05f925e3e93c8c0f24507ff20cd23d9ae5452c32ff58c78ccdb1ab32c98edfaa6d2c3971934ca8f849ac360c286566eb72b0793f12cef84bd282368d533247ee750f18aeda484167f3d680e4aaa3aa0694441d4ff6a71531f1a30f87eeb71afd04c5d686e1f86f27586f4e2c8ff77c09612ba1af9b3fb93efd31af42f8e0498f35d07c662b743a08f2839cad8f95b90cbb4fc0ed2ca45dd093a549cde4c6ff08ce09a2cbc6f9f78b6f96643357f92f8f403202742057731fd3e343a87c0affe803cfdbddb8c2694ab63f2dc35da705624747e30a943000fc82c40f10e1975d2e2ec15aefd531b6dbc053606b054dc976f44d5b5a5f37e9c08532ce16cf8bca55ab6c814ceb855ab50b8b52620f8645a9dc25fcb732080d84bf39c3ebb235b4d96da527b64ec4b72f69e91d16a4efcaf76f2e1f968ca68a06f60b01ec7becc9ffd7877c0992cb0f80fb3daabc039513896bd7697843be06aba53e7761e11e075c61ef2d897d4d9f90041c14283746feeb3f0d456ba4be27843350fe43e7c1110b4439489139f6dae01c43f23ec71f08d3042663c65e059d368e4e2c6e49de45bf078d3182a1bc1208bc59379e705aa3309579947409f2a8b3d79099c8619f916e7a6fa333d2312a274247156b8c25cbcfcc59ef13339c700f56a8691dff39bd4338789001872c0d90929037dc0ad99b380a6ba73f331f73f9274f4c2bf5233d7482edf37bf6ffed4f2c0ee44a1d57cae0d644f25591dc03bf837571a82d0c31b61be7ff85a5b3843e8f96a50eaa43f5c137ecfc4e4530d08a2afa4ba02fcc50117a4ad0d5862302017639344c82749f673dbd650e49b35302d0acbab45c0973198291bb42b4cfcd3b0c272074341ea8eca19e122cd234da6d41bf5eedb706e16c17687ed8b84db67130796d26b94eac83bbcd785b603242bd6252c155711efd7dd22cc54e1eaf6d910d0f22c701f3d4da0314dd2829c6ee13bbcbd126558b47b8066bf0766c792a012315bd29bfeda8f28a2c1f4e638b701758e19a0e5bd5b4f19048b00a877d956292e345f8a3a8367892f955bcb5e50ca145ec5e2c9309e25941bd277e393aaad38f9b72a42514b27da6856223c37a1fc1327fa760551d3fdeb0b222ab180b16c9eea138cf4f327e88fdfee293c5b6b007028eb796a60772148282dcd17ffc1c90ed8b6540ede933545ed5a5301d6ff39734444ff3d85cda4ac3befa5083a4685e9e231eba4a91a35f4f7f48fd5ac2447c64c010e2a9f8e80691c95460e1995444466ec5f3cd71fe509a26ff0b7f3254bc8c3255e903834e841b37c70b267fb33deb0d1ed4ea84a869453ba508fc255b12cf847103d5195046c930ae4a75c956f22fcfe4186d547686b54bd7a534940d5d62216994eac0e8ed3bd2bd59354e6b9c6b5b10511d54a8b928040f1e1024a423b0cf519fc6e9673df5c48c0778c7edb8fa8d8ace77463a77d2d6313160e1ee72742953e433b6732ced59c93464fd91520847db238610ed0c289fc55647881a7d6257cf28090c75a6f19df079cfd35742a74a5ab270314f7c8039c20ff0f3f543d029b75a741b5dc6425241ac2ffabf1f96288e6d4ba34da09fb6049c2c8753fbd41fdb4bc68c57bf374ef4feb0df00c41319debb26afba2ff39e1799a1c2137f4e920ee5b02d93789b6b0c853e8143dae5b08ee85da2ea7c31803610ce797293ea95c16ade6dae2afb008e59d8b9505737f008b5227df5f1e4eb5d707f502698a17ead9b1f5ec09dff34248ff2fb153dc6df4812e39754a4baa42e1d8b77fbddef3ca091701ac28ae5fd422dbd8db5b122d3965383abc37a52d2fca5ce56eba974dba3d059cefe40e3c35c9daa8ae31198214303c1dcb90d58fc983ccfd504fa43925636f94b128d44e8aa5cd3ecfabd50a84062d03f7508a0575ab65ecc749d3ef566fdbc529a8139b7a7fb3a9bd784df52cddc6f2699044ba47615163fbbe19f3d88d38a8b71fe52b2611ca74341429d1cef1a7e350545be29d2caa560e60352cab074c298c44ca2c07f9795ce52f10aa3e2fcdef371f24e309b19e52218881f25a4674527edbe3b3bd0b9b536d810c6f9500c0c81bcfd9a440dd91c1d35c52758d2b2ae1a8497bb394c4f09d3947cf777727b0d1daf5ac4fe4fa3c247a791702cb84b96321b7fec81bf549d4eb5d6dafe019b26187417c68b064e4308908535a3e77b6cd3e28caaf12d726f15590b7958e40134d045a38cbb689131a7e85532f1c63dd4bac9e4d00645cd7b2b71704563f3738b92044a8153f6ba717800ab7cb238175c376d7add2c5ec38e4c856f1ab9c3ee33f6ca6d576ae908dd290e4bae23470182e253765e04e8eb02a791c4396a511ef467879a9e2818b8a4b1b0b39a6c44e816e3ebf6e3be93929dfcb38d5dad7d20b60215447674d0608b8b02331ac20e57083cb9b4449fecbb149441aea0ad82f00a82d87d743fc80d410922bc20923516885440f43c9f32beb81ce148def6140952583a7825c2d2fe012d52d30ef66d32a8a0864ac5c1737e2506228d41ff0515ee80be4cf012927dde0fd2a07cac68eff8c4437f2844d4df07936fd8753e5909f962c5c767f8719cc295bdfa8a16f3f36ff56e34d7b14b6b8c46d5af248b04a9c5396f84990e23d145670950bce5f5638e5e2cea37c371a4483729338f1305cbb32fa1c05dd9d21d2a69e5fa3abe9a2dad2237be20b4088393c04aa66cf13718de4bffac72f641a8c017a1d5568fa15a6a06e4dc833874ec95af6f115bdadf15179bfc8c4e3e64f26f1299e282c4ab397340934efc1e601afc630fe195e8ae7d8da1310568cab4f2fad085d0ec39710d8b7c812b3fd55c6f50925bcfc90fbcb35b8daa0f1e1f69d82fae2034039f7ad6921694ed48a55a68bc541e6d86f1e33c261a92d48b50eb58a03d8e31b2f6564a4ddc3ee988d0dc47b4b610a9a9dcb87571b5c1edb3362df0ec3d58872157e0f7247dfa8100b4478b705702a5620c9201010f40232327550db333e845dbecd6aadbd0a94c064862b1100b4dd45ece811b8c0275e3753e11b4bcd8bc5ed7668e72afa5bc5cc17b4c313273755f532ecfdefdf2d5c47999453a3b7c158d98332f0bd3a820cfb2c8c3bcd43197e7395a032cec6e41662079f2f654965aebc393e22b5c8516d9b8ad01e33ee481a4ac46a2df304dadeaa9e5274d340aaebe14dcea315fe1279f1a41a5c7aa8c94bf4b3d48757503171f53488e01210145e62c0de7c39737848dbdb1b207d4d33b8de180b020e8a76b1b521905e5e3ce97292f8558fb68efdee774681bfffcf1dc3eef35f660dd1659a32950de2d50e762313beee330d9c2a9fe8ce5e4e61ddd86378d3551335f6ef62053d3b248a8c33a11abdf3f3aa1975a15f4a6957a13d5b12a44d0f2b52b9a2d996e98c630c0f2abca80c7ae89efcf81ae284a0d19582cb1319d207077e5657d245533181ed6e07e0f7647123fc46c37bd75b4f4d181112b4a08acdcf445332cb9dde69a0923dd9244dd2ecd818b19588939922e3b2d8dd9d9fed95fa55b0e4564b38aca2c4d24eebc634664400177fbdeaeb278bb1d8eb11baf4be5c87d4f8d9a855bfa75df4c51fb4eec87a27c59df9a47d82523b08022a1c0fb22ff6f93c3d2cc22a4111a6ec5be428cba33617be65739c2240248f3a02d01ddf2d6aca9e537a2296b16d082d2b868504371dd5e41898885b03ebfaca73b40e8924ece83c1c80de6ce14943e1199c6f81bf359f44c3ed5ae3c6eacb730b1039f0b6555347bd566dfff45a7a2176420ab2b40916a73b66a3ad07af6e1ac5597393d203fa1ad34d4564af956a0a3e2997e27a4e5eff67dd89cce8875d995e00c1858234f149f6ad4cac2b8056966f726df57b8c4ee8f22f23097ba1471b1f1036e3a499400fccdb75b56eb13e9eca1407d5bff4b075b06d00fcbfcafc28431eb33156232e73c6577e3eca437330c494ede57b9609e1f40634918dea767338b5542197410cdc000143ace89ca0b7bf645b3267f74767d7c7fce05d2f59c137204e56bfa711f66903c511f681cf7a1b4f9fc0f42b7c438ff8957e1059375321df5b0c5c884f46d94c21686e1300582d34928bc398653118f79bfeea2e7cfbbf31a7718f4aab50fae57db94203d43e060365c9a7455241be03d828ffc3783d0f6aa170c0866eb0dad07485831526922d8348a7a16e2e9903a2ac93c58c6dce83127fab17703ec004a519ae5675baffb31bf4b52f9ca992a84017a44d68dc693abd829947342f277fdcbc87168bcc03c32b8b1e81a1915af2517c464af07d52b79d1b0e53164c82ba049f81e92ed1dc20a88fd72e9ce7aa4b22a7cc57dc5527d14f62bc29cfc9d57ed26fd523cac39ac00ba12d3a49d694709924275fc0793d56acf9558818dc9eb210649fa5307d45886b879257d627cee0542b51c2ce6ce134100efb47c92456ece5b73cdc051f570810a8d534222649eb56cf73a377162b753de6c282bcd4a25dda21dd10901bd8dfe8fd4ba8a70811c39707beded23dd60f23e2933372e3a6bce099899b07f0a4c4956fd98e956a8649622c77717de099463c0c6c9389ab4a1ae10f8ddd086d876af2943ee0b6b402ae5f89e09922e8c510ec0caa0a83e366e916400bfec88a52ab457037a35ddc6a8e2289c33684a5915c37bf5d227cbc65a737b52bdcb4fbbb7b4e7f965db116b46044d0870846c730dce12e120b1fe6dd5798ced24cad72c59a3f44de4978b8bc05a1dbeb766be6e2abf6ef46c67a58a370e54e92d89e5f44525e82b94a388d8d0cb20c3469a258c1633c9dddb6854aee255f93f59435ff317622f6899250aa185c207644275278580c5d32401741fe264a2e03b80f442ed58fd0704ebac923ac6a5abb7f0c695252f82e3fbcf2b99d721589a8fe3fad4d5926aee3d7bfafb6739e525faae3d25b12841fa2cc61dddc44d36acb9a8b72d60ecdd9c8cf04f9bac341b5e0f9bc59042db8126324888b07afe72b18cce36d61eec975b6b4ef5dc4a16ac14440cf770599bd4db630bd110eb63a03a80cd95c16d314a4de60cc5115bf0754cb7ab84a827ecefafa96069c721a5979f227fdc2467b4cd1975dafb5b28e1d6f3c1c3a2816ad831dd98c1378a03798c128f176426eaa0e361571e758d54bf4ec2c988355f016e16d6cd5cf97bb4891ab33f5623b7e796af313cc7a9e2f9510cd2bead1ea5dd080d9de1f595b2629ebccf69a0feaed3963ae8a6c89edd66fbf6e566379898185828925f8669668d6bddff961b08aaedbbe7fc196931a887ec740da6bcdab8f826a34aa2aa1e406a258558f3baf022a64222df4d6ee8726c79ba3dd6e11a19e4b4bb49b4a8cd99c189e6392f08ad731e415b65d0ccb919dca46efe9f79e21437111ab09e926d3038182044ae047bf1cc92e2d2644c528985719667a1a8abaf65d0f211172ea789b2fa016e1a88325d1ed706239da4dbb9e2079e3598b4ae5885667587ba1e0921c9ba55d7a3be4c47bc2f2f3547ce9efe32e5a22855f761bd4cbe1cd9337eda4bd7d82a918084d7e116b656104ca87e64b1b8c62323c3c296c5b5b98051feb607b872edf9f789744aff710c4b7279711182bcac6b76c05f5cd982f52f451e7e29046550e012e01d8cdd3e305427030f4247488c9136303084c12175c5c781cdd08aede5a356ea0ccdd05a460be3c7b4bfd62c3ce9ab68e285a36c1546d0b18edad71f69f5bedb340772e1bbb035514b085067259e39f59dc292a12557350c66904b253efee29a5eb7a6920f583c899dc46a1d3e2af2db3a3d1a0e8d1f98722a16c6cc1e401058d60c8c436d8f1166ba53bdde5810f9d0288528affd486c266546a864c92af3df8abd451cc1e0d6bfea534865cea9d49b3ea5e390fa823118df8a61e31022f5fbb8ceee870bf2e60890263c4d14e24d053d0fddf665ff80a66fa00a5957f8a30fe82a4b82cf2f6b4d49def98f66bfcdaa0aef13314e950ca9f3849b1edf3b82eaf74a0dbcf45c3dba9bd2d853281a78484f1efaf4150da1207ec3cb61fbcbf759f8182b7052b28d7164b73197b0a440759fe9d5ddf827f1897a174e82fb968a9a07c61bee44bc1f7f9ee5c6de04c02d57735c5fab741b36aec7c8642e56cba932a08b8e8a9d3eb066a4ee7cbf22e5abbd4346de59eca1f24ad9f7f9ff7621e5f30dd08f4cddda8e80e496908109f5212a72bab1378d1237def07bdda4178719975346c68405de15153031fb17535894e5e3c1de6fdd507333f0226b78ba7cae509cfb48d6735ede9392650bf85ac1db919b1e9fe0a823119d8253204dbb2f7a8f524be6d419f3a45c5051a7a88ef0bd41586d90c11a894d647f03895f671a6e19f1c70e32668653aba8366a3d372522f49844081a9637db080663ab02f4a8af502955d5411461b62f85308c91852f8fb9f0bdddd500b4a133791d3a2f91a82dc4b09f5ad2196a9172ab0cd3fafe7266e9f6d159110d99ca8da8a34b17be17a04ad4509a9fffab1e45e10f10e0cf9cfbd9c761ad044064c07e473fdc626289cfb88b13a11455c069b70aa02426d9119ac878a14c9483be9c0d5bcbb5fa76c8d06531f59c7cf7c26372e750e2f332418ca769e5e7fbeb3ada7bb58b573a0635e2e3ad9a53ddb809ea01086a3fa993ad57e89da6f9c5e61bd0f8ba69212a386b2aa1ae17520d7fb989dbe14021885eb50fa3048aebd42c861a09a308b660d382c0480ead8a52a1a14927c7c77957f94bb59ccfd557f8c4a7af23360a298a603d20ebc386db041d8c306b3e32b0bff541bdec5ff75c3b40950815cf9f89d48a382f67e44c409d046c01fb1262aca0df6f5238a3c3c09977261494f7361ba326815d6e23f49e4d6d4b54665081067332265fff59cf54af9da0db9d19bc611cbcb6e6f3f1e2e1ffb6cdd6253578d78d06a2ff5f9250f1994c5749e3ce49231fbd63bba28e948f9150933e3ae31299babaa41043b181a100882e613b4b4b8f49ceeb742d22f860853a9b917f5a323a8a1fb1f3363a7be4407fba44b408f259b5db79a055b92ce3d7a0649cc59f4afa2b1f69959d5c6f5eef1fa7987a47bee4491f685c52e9db1ee1a231ab5a4bae1019c97868a409dd0d57b32525394a233023c4a7ac429808bbcb57a34b41883202744c3bdebc0a637773273f19c2be6e806bef7fc1002846db762ee4e16867773808c5477987d5851d5b1641d070feabc203cb3d7943ffb206272fcac1bccb616352d85975f5a22c0f247548535ad9fb83fb2be17689453f10691143c060cd964df63c3c70e7b1cfc7e2b468015f327f9869353477bfeeed330b03ddd9e4e0a2441182244da283d7a59d2b2b20e6de3e3a47c26aeef4944c1190bba674523a6c3c4ed6bac53b9edffcb0e9fb19d8bf36949d03ef6a7e59eb903a00d9614f642d1932c766421906f5b177963c71e881453560e3ffcec792e8dc46b1832a8fcb2ab2268a9c1fb648d1c6fa1c8cbd50d5a2d8264fbc6c063e6daac5519d362da389dcd3d12c8039f991de91e728abf5bab95c3aef66dd8cc36c60e73cb10afb02eff6df20ff12c59b142b07fc48fe94612de80b8b958f78256fd7cf3c6f79a83867f3bb5f70da392957badadecefdf7b6e4ebd39ff945397c7d302ca0a5a3918d8abb893cd9cdd680916a50fe19699ff0476ad82e6ba46523f26ccc5eb65313c1df1077c8876d2b73bf86ba311862d12b0c557a92ef827197121512e87f817167d4b17c7e225a48b3f8fbbf4187438e0e9b78e905cdbeb72e80dfb37ec0104f5186b39b4ff34f0cdf4b74dc915acd3f98874cd6a67308d0ad9697121ac477550b1affe004f433705933f9647522be65cb5a7471120ec942aeb956f195be0c1783102cf7d842f2968222ae1a7fa6513f200d3fa85d71724956ed697f0673ee3b40a4d46ba4850439ec125b708ed52b52b9f72906477d520c90a9f5dd49a7a33a328537a183f439895532b78ae451a8c3db789bc862fbc37241d523027e1a008629c969380f6eb55f9cf3f0675bca6851f00df6aaf90de9f62d5c179945ef81d1073850301f97e379ea415d830e3f3751cf83e2dba541cb6cdd89e6b674f2c53e329e5f3dd418d534ada6469a5b3bca5b7cfbdfdd6df4abaf77d4520d0311e801145c91b52586a56086e663841b702f52cef9fff8cfb7b33dfa125688ba6b4fadd1dca8defaf4259ca85323b23d3bbb45933562c25af3e8d7bc6ad4a50ae974f8d207994b3bd74a6812ab6a40fcaf96bb4e17bd20d742b14c72226caef3e0f5c56c4930071e9f9a894f18650fbb785c6f707605c86b634c9722c8690cf3a954f68d7c2db3a257339ade67a41259f6f878dd0ab7876deffa77f6f00819282a8f4c4da84c6cf4f335cd0410770a2b1a1fbb3f85f4489eeceb78bbfddb2d1866c57b41f6ed179a0bc3750a486403d23473f2feef43ebc5af1018d9c20089e277d77fb9c34f425c8f8af4c49864b57572fa8c232e61ef37194251a1ddc2f73ffecd57e638751cb72bcb2c40d22540166ca1e8588f24b010c9fbd962e3a2c23a7e93f131df61b8703ce326ed80cc87912d3c6aaa27574bbe8d65bcaecd660c31cead132a44b1d0e4a53cacc0b82a263c4e7783944af0af08ea9e68e8e25ed9111cfef841f1b2fd24164f9097f70efe09b1109e5cb91fe68a2760381fd63a7fd422dd578a60661abc9ee3a5db1c2cde2fb21f2040f1ed3fc27b99e254256949d0560e8b98fa028fca50768caa951a87bf8969af498d50a9ee773c9caa7d9f7d8e1955506013f198cda316d79b177e59f233b98f727afd2494fc18642f0015adab756ea6742690c7d00f28655b915ce4eb8b3ba2e8559ba23e1ff1ccc9f79ae2df85f924459c56715dec78ef4592352eb1a850cd65ecd36e1a9121e888586b7b2fa84da920b8cf44480433e61ab076b10171c0537524bb170a4b99b0b0c437418a665b7ef909652b6483b20362e557c1480c2a2a0efa221fc59054a48122b52d38245f9bd026001635be5b155f5c766a59306fbde231fa72b4d74449a2fe8fb969496ee26af5881adaafb4189b439877ab8f78709cfd32c10ea576a010bfc137b7a4aae137ea3d29070ce3bc8dbe6655e967115ca3461ad9d28b9cf8af07441e68a54ec5e889846f3978f07ba51f7d5af5da78c5c675dc5d0c1a4a399ff4247203573a46fb903eaf7bc886e6cbd3126fa4a3fe3bb13bbdfea7da871f6563aa750f6ad7895b34b2809563dcf5ed30f1c60cef4138aa49d4f55e396534ed10cf4d857723a2b442f47d79de162c30ec6c4daf939b4c88649494e3682d1da81b4a5928d8e18a16c46707a685305e592589acb484e28e9d5af89c44b6e563d125ec97c0155410527406d94b90bc9576a662db99da1cb82b04d610d02187ce08f22ea0e8fd31919d53fa6aaf980e31ca7f8610e695a41919c24136a8406c62d5f15fca36507002b54ece17664b5247583ad60d863f283f3c288946139575dcaedc978762e85f534e56334ef0221c34ffae054ddf79339b8f08701e9699b11041df8f518dd33203363c8098fbefb01555bcc2542422777b38d8dff11b15aadb0c251ce2c5b32f8735b3cb784f2e5731b48feb5a0e791a1106abdea0f7d1f087737cbe7fdf523fa14c9be2a2987511004c5b7ac1814ef6961db16799698242452c469a07c30e4a1f73193c74a41bdd88aef50035e4648bc9dfa276951798420a45e4085932bdb9381af3cc4678bd962af616549e4020d2c9fd25e2117a6d8934fde2218273d7833d60ea492e251417a27e7fb32012a940a6b6487af4b64958bf05f1b1107732149d227eeda5ca5a43cf583dc297d66072a1acd75e93a7caefd36a0d581e21d5cb08654c4ecef46ebac5391546e0b7d2a6418548d8f816446bcf237f676e873e6bae9107234abe5ab24c53ea472ad10653cef068fd9f4e729fc0d526e489f8df13af5575f1e70e0ec22899728b0659d70fc2dd509d9df3ec170638f89e540f4d3f02aa9b1b1819f84da596e0d7b45a5818061728f8eeccd2bea0f460dd7e18cb95f2364c50e351f0690e184eb63ebbb14a0b4b2117e44f3b2b3", 0xb5, 0x0) (async)
read$FUSE(r8, &(0x7f0000006300)={0x2020}, 0x402) (async)
r9 = syz_open_dev$sndctrl(&(0x7f0000000040), 0x0, 0x0)
syz_usb_connect$sierra_net(0x0, 0x3f, &(0x7f0000000080)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0x1199, 0x68a3, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x80, 0xfa, "", {{0x9, 0x4, 0x7, 0x0, 0x3, 0xff, 0x0, 0x0, 0x0, "", {{0x9, 0x5, 0x3, 0x2, 0x40, 0x4, 0x19, 0xfe}, {0x9, 0x5, 0x8f44bf2897946724, 0x2, 0x260, 0xc, 0x77, 0x3}, {0x9, 0x5, 0x81, 0x3, 0x40, 0x0, 0xfd, 0x72}}}}}}]}}, 0x0) (async, rerun: 64)
ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r9, 0xc0045516, &(0x7f0000000000)=0xffb) (async, rerun: 64)
r10 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000700), 0x101180, 0x0)
ioctl$SOUND_MIXER_WRITE_VOLUME(r10, 0xc0040d07, &(0x7f0000000040)=0x121)
executing program 2:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)
r6 = syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000000)=ANY=[@ANYBLOB="12010102000000408205820540000102030109026e0003017f0006080b0002012030230904000000010130000a2401100a00090000000904010000010230000904010101010230000905810960"], &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r6, 0x0, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000580)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="160000006800e978"], 0x18}}, 0x0)
syz_usb_control_io$hid(r5, 0x0, 0x0)
executing program 3:
sendmsg$SOCK_DIAG_BY_FAMILY(0xffffffffffffffff, 0x0, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x26)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './bus\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
io_setup(0x4, &(0x7f0000000000))
unshare(0x2c020400)
socket(0x15, 0x80000, 0x4)
mknodat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1000, 0x0)
munmap(&(0x7f0000ff3000/0xb000)=nil, 0xb000)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff1000/0x3000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ff0000/0xd000)=nil, &(0x7f0000ff3000/0x4000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffc000/0x2000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000700)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000200)=ANY=[], 0x18}, 0x1, 0x0, 0x0, 0x81}, 0x40006)
openat$fuse(0xffffffffffffff9c, &(0x7f0000002080), 0x42, 0x0)
mount$fuse(0x0, &(0x7f0000000280)='./file0\x00', 0x0, 0x100040, 0x0)
r4 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r4, 0x10e, 0xc, &(0x7f0000000140)={0x6, 0x6, 0x6, 0x7}, 0x10)
write(r4, &(0x7f0000000000)="1c0000001a005f0214f9f407000904001f000000ff02000200000000", 0x1c)
socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)=ANY=[@ANYBLOB="14908c003e0002202dbd7000fcdbdf25256affff123f8db93fd0740e105ad14bd0ddf0bf9445d36308078f3e4eeff2c34a"], 0x14}}, 0x0)
mount$fuse(0x0, 0x0, 0x0, 0x80000, 0x0)
r5 = socket$kcm(0x21, 0x2, 0x2)
sendmsg$kcm(r5, &(0x7f00000002c0)={&(0x7f0000000440)=@rxrpc=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x0, @loopback}}, 0x80, 0x0, 0x0, &(0x7f0000001a00)=ANY=[], 0x10b8}, 0x106)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000500), 0x40, 0x0)

program did not crash
program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect-syz_usb_disconnect-syz_usb_connect$uac3-syz_usb_control_io$hid-socket$nl_route-sendmsg$nl_route-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)
r6 = syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000000)=ANY=[@ANYBLOB="12010102000000408205820540000102030109026e0003017f0006080b0002012030230904000000010130000a2401100a00090000000904010000010230000904010101010230000905810960"], &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r6, 0x0, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000580)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="160000006800e978"], 0x18}}, 0x0)
syz_usb_control_io$hid(r5, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
single: successfully extracted reproducer
found reproducer with 20 syscalls
minimizing guilty program
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect-syz_usb_disconnect-syz_usb_connect$uac3-syz_usb_control_io$hid-socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)
r6 = syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000000)=ANY=[@ANYBLOB="12010102000000408205820540000102030109026e0003017f0006080b0002012030230904000000010130000a2401100a00090000000904010000010230000904010101010230000905810960"], &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r6, 0x0, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000580)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="160000006800e978"], 0x18}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect-syz_usb_disconnect-syz_usb_connect$uac3-syz_usb_control_io$hid-socket$nl_route
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)
r6 = syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000000)=ANY=[@ANYBLOB="12010102000000408205820540000102030109026e0003017f0006080b0002012030230904000000010130000a2401100a00090000000904010000010230000904010101010230000905810960"], &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r6, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect-syz_usb_disconnect-syz_usb_connect$uac3-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)
r6 = syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000000)=ANY=[@ANYBLOB="12010102000000408205820540000102030109026e0003017f0006080b0002012030230904000000010130000a2401100a00090000000904010000010230000904010101010230000905810960"], &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r6, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect-syz_usb_disconnect-syz_usb_connect$uac3
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)
syz_usb_connect$uac3(0x5, 0x80, &(0x7f0000000000)=ANY=[@ANYBLOB="12010102000000408205820540000102030109026e0003017f0006080b0002012030230904000000010130000a2401100a00090000000904010000010230000904010101010230000905810960"], &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect-syz_usb_disconnect
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
r5 = syz_usb_connect(0x0, 0x1de, 0x0, 0x0)
syz_usb_disconnect(r5)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)
syz_usb_connect(0x0, 0x1de, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int-setsockopt$sock_attach_bpf
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)
setsockopt$sock_attach_bpf(r4, 0x1, 0x32, &(0x7f0000000080), 0x4) (rerun: 64)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet-setsockopt$sock_int
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
r4 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
setsockopt$sock_int(r4, 0x1, 0x2c, &(0x7f0000000040)=0xff000000, 0x4) (async, rerun: 64)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease-socket$packet
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)
socket$packet(0x11, 0x3, 0x300) (rerun: 64)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB-fcntl$setlease
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})
fcntl$setlease(0xffffffffffffffff, 0x400, 0x1) (async, rerun: 64)

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040)={r3})

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
r2 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r2, 0xc00464b4, &(0x7f0000000040))

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-setsockopt$sock_int-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000000)=0x2, 0x4) (async, rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(0xffffffffffffffff, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r2=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(0xffffffffffffffff, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(0xffffffffffffffff, 0xc00464b4, &(0x7f0000000040)={r2})

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-socket$inet6_tcp-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r1, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r2=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r1, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r1, 0xc00464b4, &(0x7f0000000040)={r2})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-setsockopt$sock_int-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
setsockopt$sock_int(r0, 0x1, 0x800000000f, 0x0, 0x0) (async, rerun: 64)
r1 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r1, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r2=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r1, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r1, 0xc00464b4, &(0x7f0000000040)={r2})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-bind$inet-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, 0x0, 0x0) (async, rerun: 64)
r1 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r1, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r2=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r1, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r1, 0xc00464b4, &(0x7f0000000040)={r2})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
socket$inet_tcp(0x2, 0x1, 0x0)
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3})
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(0x0, 0x1, 0x0) (rerun: 32)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040))

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, 0x0) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
simplifying C reproducer
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program did not crash
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
validation run: crashed=true
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
validation run: crashed=true
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_CREATE_DUMB-ioctl$DRM_IOCTL_MODE_DESTROY_DUMB
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f00000029c0)={0x6, 0x8000005, 0x9, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064d2, &(0x7f0000000080)={0x1, 0x80, 0x3}) (async)
ioctl$DRM_IOCTL_MODE_DESTROY_DUMB(r0, 0xc00464b4, &(0x7f0000000040)={r1})

program crashed: KASAN: slab-use-after-free Read in drm_gem_object_release_handle
validation run: crashed=true
reproducing took 1h13m57.964123527s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in drm_gem_object_release_handle+0x4b/0x1e0 drivers/gpu/drm/drm_gem.c:374
Read of size 8 at addr ffff88802a81e288 by task syz.0.286/6819

CPU: 1 UID: 0 PID: 6819 Comm: syz.0.286 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 drm_gem_object_release_handle+0x4b/0x1e0 drivers/gpu/drm/drm_gem.c:374
 idr_for_each+0x1c6/0x2a0 lib/idr.c:210
 drm_gem_release+0x28/0x40 drivers/gpu/drm/drm_gem.c:1088
 drm_file_free+0x729/0xa00 drivers/gpu/drm/drm_file.c:261
 drm_close_helper drivers/gpu/drm/drm_file.c:290 [inline]
 drm_release+0x2de/0x3f0 drivers/gpu/drm/drm_file.c:438
 __fput+0x44f/0xa70 fs/file_table.c:469
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faf6659c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe7976e968 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffe7976ea50 RCX: 00007faf6659c819
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 000000000001adae R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b2ef20000 R11: 0000000000000246 R12: 00007ffe7976ea90
R13: 00007faf6681609c R14: 000000000001ade4 R15: 00007faf66816090
 </TASK>

Allocated by task 6820:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5380
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 __drm_gem_shmem_create+0xc4/0x2e0 drivers/gpu/drm/drm_gem_shmem_helper.c:130
 drm_gem_shmem_create drivers/gpu/drm/drm_gem_shmem_helper.c:157 [inline]
 drm_gem_shmem_create_with_handle drivers/gpu/drm/drm_gem_shmem_helper.c:460 [inline]
 drm_gem_shmem_dumb_create+0x72/0x120 drivers/gpu/drm/drm_gem_shmem_helper.c:549
 drm_mode_create_dumb drivers/gpu/drm/drm_dumb_buffers.c:227 [inline]
 drm_mode_create_dumb_ioctl+0x2bd/0x340 drivers/gpu/drm/drm_dumb_buffers.c:236
 drm_ioctl_kernel+0x2df/0x3b0 drivers/gpu/drm/drm_ioctl.c:804
 drm_ioctl+0x6ba/0xb80 drivers/gpu/drm/drm_ioctl.c:901
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6821:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 drm_gem_object_release_handle+0xc2/0x1e0 drivers/gpu/drm/drm_gem.c:385
 drm_gem_handle_delete+0x7b/0xb0 drivers/gpu/drm/drm_gem.c:413
 drm_ioctl_kernel+0x2df/0x3b0 drivers/gpu/drm/drm_ioctl.c:804
 drm_ioctl+0x6ba/0xb80 drivers/gpu/drm/drm_ioctl.c:901
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802a81e000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 648 bytes inside of
 freed 1024-byte region [ffff88802a81e000, ffff88802a81e400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a818
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fea6dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fea6dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000aa0601 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 36, tgid 36 (kworker/u8:2), ts 12597772264, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_node_noprof+0x577/0x7c0 mm/slub.c:5266
 kmalloc_node_noprof include/linux/slab.h:1081 [inline]
 blk_alloc_flush_queue+0xe2/0x230 block/blk-flush.c:492
 blk_mq_init_hctx block/blk-mq.c:3998 [inline]
 blk_mq_alloc_and_init_hctx+0x79e/0xc50 block/blk-mq.c:4537
 __blk_mq_realloc_hw_ctxs+0x2bd/0x670 block/blk-mq.c:4584
 blk_mq_realloc_hw_ctxs block/blk-mq.c:4621 [inline]
 blk_mq_init_allocated_queue+0x365/0x13e0 block/blk-mq.c:4651
 blk_mq_alloc_queue+0x1ba/0x2e0 block/blk-mq.c:4433
 scsi_alloc_sdev+0x7c0/0xc80 drivers/scsi/scsi_scan.c:339
 scsi_probe_and_add_lun+0x200/0x4830 drivers/scsi/scsi_scan.c:1215
 __scsi_scan_target+0x1f0/0xe10 drivers/scsi/scsi_scan.c:1786
 scsi_scan_channel drivers/scsi/scsi_scan.c:1874 [inline]
 scsi_scan_host_selected+0x372/0x690 drivers/scsi/scsi_scan.c:1903
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88802a81e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802a81e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802a81e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88802a81e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802a81e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in drm_gem_object_release_handle+0x4b/0x1e0 drivers/gpu/drm/drm_gem.c:374
Read of size 8 at addr ffff88802a81e288 by task syz.0.286/6819

CPU: 1 UID: 0 PID: 6819 Comm: syz.0.286 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 drm_gem_object_release_handle+0x4b/0x1e0 drivers/gpu/drm/drm_gem.c:374
 idr_for_each+0x1c6/0x2a0 lib/idr.c:210
 drm_gem_release+0x28/0x40 drivers/gpu/drm/drm_gem.c:1088
 drm_file_free+0x729/0xa00 drivers/gpu/drm/drm_file.c:261
 drm_close_helper drivers/gpu/drm/drm_file.c:290 [inline]
 drm_release+0x2de/0x3f0 drivers/gpu/drm/drm_file.c:438
 __fput+0x44f/0xa70 fs/file_table.c:469
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faf6659c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe7976e968 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffe7976ea50 RCX: 00007faf6659c819
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 000000000001adae R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b2ef20000 R11: 0000000000000246 R12: 00007ffe7976ea90
R13: 00007faf6681609c R14: 000000000001ade4 R15: 00007faf66816090
 </TASK>

Allocated by task 6820:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5380
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 __drm_gem_shmem_create+0xc4/0x2e0 drivers/gpu/drm/drm_gem_shmem_helper.c:130
 drm_gem_shmem_create drivers/gpu/drm/drm_gem_shmem_helper.c:157 [inline]
 drm_gem_shmem_create_with_handle drivers/gpu/drm/drm_gem_shmem_helper.c:460 [inline]
 drm_gem_shmem_dumb_create+0x72/0x120 drivers/gpu/drm/drm_gem_shmem_helper.c:549
 drm_mode_create_dumb drivers/gpu/drm/drm_dumb_buffers.c:227 [inline]
 drm_mode_create_dumb_ioctl+0x2bd/0x340 drivers/gpu/drm/drm_dumb_buffers.c:236
 drm_ioctl_kernel+0x2df/0x3b0 drivers/gpu/drm/drm_ioctl.c:804
 drm_ioctl+0x6ba/0xb80 drivers/gpu/drm/drm_ioctl.c:901
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6821:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 drm_gem_object_release_handle+0xc2/0x1e0 drivers/gpu/drm/drm_gem.c:385
 drm_gem_handle_delete+0x7b/0xb0 drivers/gpu/drm/drm_gem.c:413
 drm_ioctl_kernel+0x2df/0x3b0 drivers/gpu/drm/drm_ioctl.c:804
 drm_ioctl+0x6ba/0xb80 drivers/gpu/drm/drm_ioctl.c:901
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802a81e000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 648 bytes inside of
 freed 1024-byte region [ffff88802a81e000, ffff88802a81e400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a818
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fea6dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fea6dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000aa0601 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 36, tgid 36 (kworker/u8:2), ts 12597772264, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_node_noprof+0x577/0x7c0 mm/slub.c:5266
 kmalloc_node_noprof include/linux/slab.h:1081 [inline]
 blk_alloc_flush_queue+0xe2/0x230 block/blk-flush.c:492
 blk_mq_init_hctx block/blk-mq.c:3998 [inline]
 blk_mq_alloc_and_init_hctx+0x79e/0xc50 block/blk-mq.c:4537
 __blk_mq_realloc_hw_ctxs+0x2bd/0x670 block/blk-mq.c:4584
 blk_mq_realloc_hw_ctxs block/blk-mq.c:4621 [inline]
 blk_mq_init_allocated_queue+0x365/0x13e0 block/blk-mq.c:4651
 blk_mq_alloc_queue+0x1ba/0x2e0 block/blk-mq.c:4433
 scsi_alloc_sdev+0x7c0/0xc80 drivers/scsi/scsi_scan.c:339
 scsi_probe_and_add_lun+0x200/0x4830 drivers/scsi/scsi_scan.c:1215
 __scsi_scan_target+0x1f0/0xe10 drivers/scsi/scsi_scan.c:1786
 scsi_scan_channel drivers/scsi/scsi_scan.c:1874 [inline]
 scsi_scan_host_selected+0x372/0x690 drivers/scsi/scsi_scan.c:1903
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88802a81e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802a81e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802a81e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88802a81e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802a81e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================