Extracting prog: 34.047365106s
Minimizing prog: 15m3.732000362s
Simplifying prog options: 0s
Extracting C: 24.477054843s
Simplifying C: 9m26.211592069s


extracting reproducer from 31 programs
testing a last program of every proc
single: executing 6 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_WIPHY_NETNS-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP-close_range-sendmsg$NL80211_CMD_SET_TID_CONFIG
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
r3 = openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000340)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x38, r4, 0x300, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x1, 0x58}, @void, @void}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3c}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x60}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x57}]}, 0x38}}, 0x0)
r5 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r5, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r6=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r5, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r6, <r7=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r5, 0xc01864b0, &(0x7f0000000240)={r6, r7, 0x0, 0x0, 0x7})
close_range(r3, 0xffffffffffffffff, 0x0)
sendmsg$NL80211_CMD_SET_TID_CONFIG(r0, &(0x7f0000000400)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f00000003c0)={&(0x7f0000000940)={0x1450, r4, 0x20, 0x70bd2a, 0x25dfdbfd, {{}, {@void, @void}}, [@NL80211_ATTR_TID_CONFIG={0xa4, 0x11d, 0x0, 0x1, [{0x2c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}]}, {0x24, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0xc8}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x37}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}]}, {0x18, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x8}]}, {0x2c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x6}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}]}, {0xc, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}]}]}, @NL80211_ATTR_TID_CONFIG={0x24c, 0x11d, 0x0, 0x1, [{0x40, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x15}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x3e}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x3}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x35}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x8f}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x76}]}, {0x3c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x5}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x9}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5, 0x6, 0x1}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x98}]}, {0x3c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x1}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x8}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x86}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x1}]}, {0xe4, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_NOACK={0x5}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x34, 0xd, 0x0, 0x1, [@NL80211_BAND_2GHZ={0x30, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x7d9, 0x10, 0x401, 0x8000, 0x25, 0x5, 0x6, 0xd]}}]}]}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x1}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0xf0}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x94, 0xd, 0x0, 0x1, [@NL80211_BAND_2GHZ={0x64, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x5, 0xa, 0xf544, 0x6, 0x7, 0x400, 0x7ff, 0x5]}}, @NL80211_TXRATE_LEGACY={0x10, 0x1, [0x48, 0x1b, 0x4, 0x1, 0x2, 0x36, 0x5, 0x5, 0x18, 0xc, 0x30, 0x9]}, @NL80211_TXRATE_HT={0x2b, 0x2, [{0x4, 0x9}, {0x5}, {0x1, 0xa}, {0x0, 0x4}, {0x0, 0x1}, {0x0, 0x2}, {0x6, 0x4}, {0x1, 0x2}, {0x4, 0x1}, {0x3, 0x1}, {0x1, 0x1}, {0x4, 0xa}, {0x7, 0x3}, {0x7, 0x1}, {0x2, 0x9}, {0x5, 0x9}, {0x2, 0x2}, {0x2, 0xa}, {0x1, 0x8}, {0x7, 0x7}, {0x4, 0x3}, {0x0, 0x5}, {0x0, 0x7}, {0x6, 0x3}, {0x0, 0x9}, {0x6, 0x1}, {0x3, 0x8}, {0x0, 0x3}, {0x7, 0x4}, {0x2, 0x4}, {0x1, 0x7}, {0x2, 0x3}, {0x4}, {0x4, 0x5}, {0x3, 0x7}, {0x0, 0x2}, {0x4, 0x6}, {0x0, 0x1}, {0x4}]}]}, @NL80211_BAND_60GHZ={0x2c, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0x1, 0x9, 0x6, 0x4, 0x2, 0xc, 0x0, 0x1000]}}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x10, 0x3d96, 0x6, 0x6, 0x5, 0x5, 0x4, 0x900]}}]}]}]}, {0xc, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_NOACK={0x5}]}, {0x38, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x2}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5, 0x6, 0x1}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x8e}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x4}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5}]}, {0x30, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x6}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}]}, {0x14, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}]}, {0x24, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0xe2}]}]}, @NL80211_ATTR_TID_CONFIG={0x458, 0x11d, 0x0, 0x1, [{0x4c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TX_RATE={0x48, 0xd, 0x0, 0x1, [@NL80211_BAND_60GHZ={0x38, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HT={0xb, 0x2, [{0x5, 0x8}, {0x4, 0x2}, {0x3, 0x4}, {0x7, 0x7}, {0x0, 0x8}, {0x0, 0x7}, {0x3, 0x6}]}, @NL80211_TXRATE_HT={0x9, 0x2, [{0x5, 0x6}, {0x6}, {0x1, 0x2}, {0x2, 0x8}, {0x4, 0x9}]}, @NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_HT={0x11, 0x2, [{0x5, 0x6}, {0x3}, {0x1, 0xa}, {0x4, 0x8}, {0x0, 0x8}, {0x4, 0x9}, {0x1, 0xa}, {0x1, 0xa}, {0x7, 0x9}, {0x3, 0x3}, {0x1, 0x5}, {0x6, 0x8}, {0x6, 0x5}]}]}, @NL80211_BAND_5GHZ={0xc, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}]}]}]}, {0x230, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TX_RATE={0x208, 0xd, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x78, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x0, 0x8, 0x9, 0x7a46, 0x0, 0x1dd8, 0x7b5, 0x401]}}, @NL80211_TXRATE_LEGACY={0x1a, 0x1, [0x16, 0x36, 0x60, 0x1b, 0x36, 0x1, 0xc, 0x9, 0x12, 0x6, 0x78, 0x4, 0xb, 0x359ea1162b9d76ee, 0x36, 0x36, 0x4, 0x18, 0x0, 0x6, 0x12, 0x18]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0xfffd, 0x7fff, 0x4, 0x81, 0x40, 0x5, 0x2, 0x2]}}, @NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_LEGACY={0xe, 0x1, [0x18, 0x48, 0x1b, 0x1b, 0x30, 0x34, 0x36, 0xb, 0xc, 0x6]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}]}, @NL80211_BAND_5GHZ={0x68, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0x5, 0x9, 0x9, 0x81, 0xfffc, 0xfffc, 0x7, 0x4903]}}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x8d5, 0x8, 0xa, 0x5, 0x4, 0x5, 0x6, 0x3]}}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HT={0x17, 0x2, [{0x3, 0x3}, {0x4, 0x8}, {0x2, 0x1}, {0x4, 0x4}, {0x2, 0x4}, {0x7, 0xa}, {0x4}, {0x2, 0x9}, {0x3, 0x8}, {0x4}, {0x2}, {0x5, 0x1}, {0x2}, {0x7, 0xa}, {0x7, 0x4}, {0x7, 0x7}, {0x0, 0x8}, {0x0, 0xa}, {0x5, 0x8}]}, @NL80211_TXRATE_LEGACY={0x11, 0x1, [0x16, 0xb, 0x12, 0x6c, 0x18, 0x60, 0xb, 0x5, 0x1b, 0x36, 0x16, 0x4, 0x6]}]}, @NL80211_BAND_2GHZ={0xa8, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x2, 0xa5, 0x40, 0x8, 0x6, 0x2, 0x9, 0x8]}}, @NL80211_TXRATE_HT={0x39, 0x2, [{0x1, 0x3}, {0x3}, {0x2, 0x8}, {0x1, 0x8}, {0x5, 0x7}, {0x4}, {0x1, 0x3}, {0x4}, {0x4}, {0x1, 0x4}, {0x7, 0x3}, {0x6, 0xa}, {0x2, 0x4}, {0x0, 0x9}, {0x4, 0x4}, {0x2, 0x3}, {0x4}, {0x5, 0x6}, {0x4}, {0x0, 0x4}, {0x4, 0x1}, {0x0, 0x3}, {0x0, 0xa}, {0x2, 0x5}, {0x7, 0x9}, {0x5, 0x9}, {0x1, 0x6}, {0x2, 0x9}, {0x7, 0x2}, {0x5, 0x3}, {0x7, 0x2}, {0x2, 0xa}, {0x1, 0x7}, {0x4, 0x8}, {0x4, 0x1}, {0x0, 0x4}, {0x6, 0xa}, {0x2, 0x5}, {0x7, 0x3}, {0x3, 0x3}, {0x7, 0x4}, {0x7, 0x2}, {0x4, 0x3}, {0x0, 0x9}, {0x7, 0x8}, {0x1, 0x7}, {0x2, 0xa}, {0x7, 0x9}, {0x5, 0x2}, {0x7, 0x5}, {0x4, 0x4}, {0x3}, {0x0, 0x2}]}, @NL80211_TXRATE_GI={0x5, 0x4, 0x2}, @NL80211_TXRATE_HE={0x14, 0x5, {[0xc2, 0x7, 0x9, 0x7a04, 0x0, 0x0, 0x3, 0x8]}}, @NL80211_TXRATE_LEGACY={0xb, 0x1, [0x9, 0x4, 0x16, 0x1, 0x18, 0x3, 0x30]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0xa04b, 0xc6, 0xbb6, 0x4, 0x9, 0xff93, 0x2, 0x3]}}, @NL80211_TXRATE_HE_GI={0x5}]}, @NL80211_BAND_60GHZ={0x64, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HT={0x40, 0x2, [{0x4, 0x2}, {0x3, 0xa}, {0x1, 0x4}, {0x1}, {0x1, 0x7}, {0x4, 0x2}, {0x2, 0x7}, {0x7, 0x8}, {0x5, 0x4}, {0x3, 0xa}, {0x0, 0x9}, {0x2, 0x8}, {0x5, 0x3}, {0x5}, {0x4}, {0x0, 0x4}, {0x3, 0x6}, {0x1, 0x1}, {0x1, 0x4}, {0x7, 0x1}, {0x6, 0x6}, {0x1, 0x7}, {0x2, 0x6}, {0x1, 0x5}, {0x0, 0x9}, {0x7, 0x4}, {0x6, 0x5}, {0x0, 0x7}, {0x2, 0x9}, {0x1, 0xa}, {0x0, 0x8}, {0x1, 0x6}, {0x1, 0x5}, {0x2, 0x5}, {0x1, 0x3}, {0x1, 0x9}, {0x7, 0x9}, {0x3, 0x5}, {0x4, 0x6}, {0x1, 0x6}, {0x1, 0x4}, {0x7, 0x9}, {0x4, 0xa}, {0x4, 0x7}, {0x7}, {0x3, 0x8}, {0x1, 0x9}, {0x3, 0x6}, {0x7}, {0x4, 0x9}, {0x4, 0x7}, {0x7}, {0x7, 0x9}, {0x3, 0x9}, {0x6, 0x6}, {0x3, 0xa}, {0x0, 0x7}, {0x7, 0x7}, {0x5, 0x3}, {0x0, 0x7}]}, @NL80211_TXRATE_LEGACY={0x20, 0x1, [0x9, 0x18, 0x30, 0x36, 0x1a, 0x18, 0x3, 0x18, 0x1b, 0x48, 0x24, 0x2, 0x1, 0x16, 0x6c, 0x1b, 0x18, 0x5, 0x3, 0x5c, 0xb, 0xc, 0x6c, 0x18, 0x60, 0x30, 0x18, 0x1b]}]}, @NL80211_BAND_5GHZ={0x18, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0xb91, 0xfff7, 0x7f, 0x5, 0x1, 0x9, 0x9, 0xfffb]}}]}]}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x1}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x71}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x32}]}, {0x170, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TX_RATE={0x94, 0xd, 0x0, 0x1, [@NL80211_BAND_60GHZ={0x3c, 0x2, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0xf, 0x1, [0x4, 0x24, 0x18, 0x41, 0x1, 0x18, 0x6, 0xb, 0x16, 0x9, 0x55]}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_HT={0xd, 0x2, [{0x0, 0x1}, {0x0, 0x7}, {0x5}, {0x7, 0x1}, {0x5, 0x2}, {0x0, 0x3}, {0x6, 0x9}, {0x2, 0x2}, {0x7, 0x7}]}, @NL80211_TXRATE_HT={0xe, 0x2, [{0x4, 0x1}, {0x0, 0x7}, {0x7, 0x9}, {0x4}, {0x7, 0x9}, {0x3, 0x9}, {0x3, 0x6}, {0x7, 0x5}, {0x0, 0x4}, {0x1, 0x4}]}]}, @NL80211_BAND_60GHZ={0x20, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x4, 0xb0a, 0x2, 0x9, 0x400, 0x0, 0x0, 0x4]}}]}, @NL80211_BAND_5GHZ={0x34, 0x1, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0x1a, 0x1, [0x4, 0x5, 0x3, 0xb, 0x1b, 0x18, 0x6c, 0x60, 0x1f, 0x1, 0xb, 0x18, 0x1, 0x48, 0xb, 0x3, 0x5, 0x4c, 0x54, 0x1b, 0x3, 0x5]}, @NL80211_TXRATE_LEGACY={0x13, 0x1, [0x1, 0xb, 0x16, 0x6c, 0x12, 0x12, 0x24, 0x18, 0x48, 0x4, 0x4, 0x2, 0x4, 0xb, 0x60]}]}]}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x1d}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x94, 0xd, 0x0, 0x1, [@NL80211_BAND_60GHZ={0x90, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0xd, 0x4, 0x7, 0x0, 0x1, 0x3, 0x5, 0x3]}}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x10, 0x6, 0x0, 0x1000, 0x0, 0x3, 0x7, 0xc]}}, @NL80211_TXRATE_HT={0x35, 0x2, [{0x4, 0x5}, {0x1, 0x5}, {0x2, 0x1}, {0x5, 0x6}, {0x5, 0x2}, {0x1, 0x4}, {0x2, 0x8}, {0x6}, {0x0, 0xa}, {0x4, 0xa}, {0x0, 0x8}, {0x4, 0xa}, {0x0, 0x6}, {0x7}, {0x4, 0x2}, {0x0, 0x2}, {0x0, 0x5}, {0x1, 0x8}, {0x5, 0x4}, {0x6, 0x2}, {0x4, 0x7}, {0x1, 0x2}, {0x0, 0x4}, {0x5, 0x6}, {0x6}, {0x7, 0x2}, {0x4, 0x4}, {0x7, 0x2}, {0x4, 0xa}, {0x6, 0x5}, {0x1, 0x8}, {0x5, 0x2}, {0x0, 0x3}, {0x7, 0x3}, {0x6, 0x9}, {0x2, 0x5}, {0x0, 0x4}, {0x5, 0x9}, {0x0, 0x8}, {0x5, 0x9}, {0x2, 0x3}, {0x7, 0x8}, {0x4, 0x4}, {0x0, 0x2}, {0x1, 0x2}, {0x2, 0xa}, {0x3, 0x4}, {0x3, 0x1}, {0x4, 0x4}]}, @NL80211_TXRATE_LEGACY={0x19, 0x1, [0x18, 0x2, 0x3, 0x3, 0x36, 0x48, 0x1b, 0x4, 0x6c, 0xc, 0x24, 0x18, 0x16, 0x1b, 0x9, 0x24, 0xc, 0x4, 0x3, 0x3, 0x16]}]}]}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x70}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x2}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5}]}, {0x18, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x2}]}, {0x50, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0xf9}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0xdf}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x1e2}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x4}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x89}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}]}]}, @NL80211_ATTR_TID_CONFIG={0x2fc, 0x11d, 0x0, 0x1, [{0xc, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x2b}]}, {0x18, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0xd8}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}]}, {0x2bc, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x290, 0xd, 0x0, 0x1, [@NL80211_BAND_60GHZ={0x98, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HT={0x28, 0x2, [{0x3, 0x8}, {0x3, 0x4}, {0x4, 0x5}, {0x7, 0x6}, {0x3, 0x8}, {0x2, 0x4}, {0x1, 0x1}, {0x3, 0x3}, {0x4, 0x3}, {0x4, 0x7}, {0x1, 0xa}, {0x2, 0x5}, {0x7, 0x1}, {0x7, 0x3}, {0x1, 0xd}, {0x2, 0x4}, {0x0, 0x9}, {0x6, 0x1}, {0x0, 0x4}, {}, {0x2, 0x2}, {0x0, 0x6}, {0x1, 0x9}, {0x6, 0x2}, {0x7, 0x6}, {0x7, 0x1}, {0x2, 0x8}, {0x0, 0x6}, {0x5, 0x6}, {0x2, 0xa}, {0x7}, {0x2, 0x5}, {0x0, 0x9}, {0x0, 0x2}, {0x6, 0x2}, {0x1}]}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x5, 0x4, 0x2, 0x7, 0x7, 0x200, 0xfff, 0xa]}}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_LEGACY={0x1a, 0x1, [0x0, 0xc, 0x6, 0x5, 0x16, 0x60, 0x30, 0x5, 0x4, 0x45, 0x24, 0x12, 0x1b, 0x1, 0x24, 0x7, 0x30, 0x1b, 0x36, 0x6, 0xa, 0x30]}, @NL80211_TXRATE_LEGACY={0x23, 0x1, [0xc, 0x24, 0x18, 0x1b, 0x4, 0x4, 0x4, 0xb, 0x12, 0x36, 0x9, 0x75d6406a09efea04, 0x6, 0x12, 0x12, 0xf7fd18e3b74b97e8, 0x48, 0x1b, 0x12, 0x12, 0x60, 0x18, 0x18, 0xb, 0x2, 0x24, 0xc, 0x16, 0x2, 0x6c, 0x48]}]}, @NL80211_BAND_60GHZ={0xbc, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x7, 0x3, 0x8, 0x4, 0xfff7, 0x7f, 0x4, 0x7]}}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x9, 0xffff, 0x9, 0x3, 0x8, 0xc9, 0x7, 0x4]}}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x9, 0xfffb, 0x2, 0x3293, 0x6, 0x0, 0x8, 0x100]}}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x82cb, 0x81, 0xfffb, 0x3ff, 0x2, 0x5, 0x3]}}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x0, 0xd, 0x2, 0x8000, 0x9d, 0xfffe, 0xff, 0x1]}}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x1, 0xfff9, 0x4, 0x3, 0xe, 0x2b6, 0x80, 0x180]}}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}, @NL80211_TXRATE_HT={0x28, 0x2, [{0x6, 0x3}, {0x4, 0x4}, {0x4, 0x9}, {0x0, 0xa}, {0x2, 0x3}, {0x6, 0x7}, {0x1, 0x5}, {0x0, 0x1}, {0x5}, {0x1}, {0x5, 0x7}, {0x7, 0x1}, {0x5, 0x3}, {0x2}, {0x4, 0x3}, {0x0, 0x5}, {0x1}, {0x5, 0x6}, {0x7, 0x2}, {0x0, 0xa}, {0x5, 0x1}, {0x7, 0x9}, {0x3, 0x3}, {0x0, 0x9}, {0x1}, {0x6}, {0x1, 0x2}, {0x7, 0x3}, {0x3, 0x4}, {0x7, 0x3}, {0x0, 0x7}, {0x7, 0x5}, {0x0, 0x7}, {0x0, 0x4}, {0x7}, {0x4, 0x6}]}]}, @NL80211_BAND_60GHZ={0x28, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x1e9, 0xd, 0xe13, 0x7fff, 0x9, 0x0, 0x7fff, 0x7]}}]}, @NL80211_BAND_2GHZ={0xc, 0x0, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5}]}, @NL80211_BAND_5GHZ={0xa0, 0x1, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_HE={0x14, 0x5, {[0xbef0, 0x7e, 0x0, 0x0, 0x7, 0x9, 0x5, 0x1]}}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x0, 0x283, 0x3ff, 0x5, 0x4, 0x0, 0xe3d, 0x78f]}}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x6, 0x5, 0x9b, 0x8001, 0x3127, 0x9, 0x6, 0x8]}}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_HT={0x3e, 0x2, [{0x1}, {0x1, 0x7}, {0x7, 0x5}, {0x4, 0x5}, {0x4, 0x3}, {0x5, 0x9}, {0x0, 0xa}, {}, {0x1, 0x6}, {0x1, 0xa}, {0x3, 0x6}, {0x7, 0xa}, {0x1, 0x2}, {0x1, 0x4}, {0x5, 0x8}, {0x4, 0xa}, {0x7, 0x2}, {0x4, 0x6}, {0x2, 0x8}, {0x1, 0x9}, {0x0, 0x5}, {0x1, 0x9}, {0x3, 0x3}, {0x5, 0x5}, {0x4, 0x8}, {0x6}, {0x0, 0x2}, {0x2, 0x9}, {0x7, 0x6}, {0x7, 0x9}, {0x4, 0x2}, {0x0, 0x7}, {0x2}, {0x5, 0x9}, {0x2, 0x5}, {0x7, 0x3}, {0x7, 0xa}, {0x0, 0x3}, {0x6, 0x8}, {0x2, 0x5}, {0x2, 0x8}, {0x0, 0xa}, {0x6, 0x9}, {0x1, 0x9}, {0x4, 0x9}, {0x5, 0x5}, {0x1, 0x5}, {0x0, 0x9}, {}, {0x5, 0x7}, {0x2, 0x8}, {0x3, 0x5}, {0x2, 0x5}, {0x4, 0x7}, {0x6, 0x3}, {0x5, 0x8}, {0x7, 0x8}, {0x4}]}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}]}, @NL80211_BAND_60GHZ={0x64, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}, @NL80211_TXRATE_HT={0x4e, 0x2, [{0x7, 0x3}, {0x3, 0x1}, {0x2, 0x7}, {0x5, 0x9}, {0x0, 0x5}, {0x4, 0x5}, {0x0, 0x4}, {0x7, 0x3}, {0x5, 0xa}, {0x1, 0xa}, {0x5, 0x5}, {0x7, 0x9}, {0x5}, {0x5}, {0x1}, {0x0, 0x5}, {0x5}, {0x3}, {0x5, 0x6}, {0x3, 0x2}, {0x2, 0x4}, {0x0, 0x9}, {0x3, 0x2}, {0x7, 0x7}, {0x6, 0x4}, {0x0, 0x8}, {0x2, 0x7}, {0x6, 0x4}, {0x6, 0x5}, {0x7}, {0x5, 0x2}, {0x0, 0x3}, {0x6, 0x7}, {0x0, 0x7}, {0x6, 0x6}, {0x7, 0xa}, {0x6, 0x2}, {0x5, 0x3}, {0x2, 0xa}, {0x3, 0x3}, {0x0, 0x3}, {0x2, 0x6}, {0x5, 0x9}, {0x4, 0x2}, {0x2, 0x9}, {0x3, 0x7}, {0x7, 0x4}, {0x2, 0x6}, {0x0, 0x7}, {}, {0x1, 0x1}, {}, {0x0, 0x5}, {0x5, 0x7}, {0x0, 0x7}, {0x1, 0x9}, {0x7, 0x9}, {0x0, 0x2}, {0x0, 0x9}, {0x6, 0x4}, {0x7, 0x6}, {0x4, 0xa}, {0x6, 0x4}, {0x1, 0x2}, {0x6, 0x9}, {0x4, 0x3}, {0x1, 0x7}, {0x3}, {0x7, 0x8}, {0x1, 0x8}, {0x4, 0x2}, {0x1}, {0x2, 0xa}, {0x4, 0x5}]}]}]}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x7}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x8}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}]}, {0xc, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x13}]}, {0xc, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}]}]}, @NL80211_ATTR_TID_CONFIG={0x4}, @NL80211_ATTR_TID_CONFIG={0x618, 0x11d, 0x0, 0x1, [{0x34, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x1}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0xfffffffffffffff8}]}, {0x24, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5}]}, {0xc, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}]}, {0x214, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x23}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x5}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x14c, 0xd, 0x0, 0x1, [@NL80211_BAND_5GHZ={0xa0, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HT={0x4f, 0x2, [{0x6, 0x7}, {}, {0x5, 0x1}, {0x5, 0x9}, {0x1, 0x4}, {0x7, 0x3}, {0x2, 0x1}, {0x0, 0x6}, {0x0, 0x7}, {0x5, 0x9}, {0x7, 0x1}, {0x7, 0x1}, {0x7, 0x8}, {0x1, 0x1}, {0x7, 0x8}, {0x3}, {0x1, 0x7}, {0x7, 0x3}, {0x2, 0x2}, {0x3, 0x5}, {0x1, 0xa}, {0x5, 0x6}, {0x1, 0x1}, {0x2, 0x1}, {0x5, 0x2}, {0x0, 0x1}, {0x7}, {0x0, 0x6}, {0x6, 0x5}, {0x2, 0x1}, {0x3, 0x5}, {0x5, 0xa}, {0x6, 0x6}, {0x6, 0x6}, {0x6, 0x9}, {0x5, 0xa}, {0x1, 0x7}, {0x7, 0x3}, {0x5, 0x6}, {0x0, 0x1}, {0x1, 0x7}, {0x0, 0x4}, {0x5, 0x4}, {0x3, 0x6}, {0x0, 0x5}, {0x1, 0x9}, {0x4, 0x5}, {0x6, 0x2}, {0x1, 0x4}, {0x2}, {0x0, 0x1}, {0x1, 0x8}, {0x1, 0x8}, {0x0, 0x8}, {0x4, 0x1}, {0x4, 0x6}, {0x0, 0x5}, {0x0, 0x6}, {0x3, 0x3}, {0x3, 0x2}, {0x2, 0x7}, {0x0, 0x1}, {0x2, 0x3}, {0x1, 0x7}, {0x6, 0x6}, {0x0, 0x8}, {0x6, 0x9}, {0x1, 0x3}, {0x6, 0x2}, {0x0, 0x4}, {0x7, 0x2}, {0x5, 0xa}, {0x0, 0x3}, {0x4, 0x1}, {0x0, 0xa}]}, @NL80211_TXRATE_LEGACY={0x13, 0x1, [0x12, 0x36, 0x1b, 0x5, 0x18, 0x1b, 0x24, 0x60, 0x4, 0x48, 0x30, 0x1, 0x0, 0x1, 0x2b]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x10, 0x0, 0x7, 0x7, 0x5, 0x5, 0x8, 0x9]}}, @NL80211_TXRATE_LEGACY={0x23, 0x1, [0x60, 0x18, 0x30, 0x9, 0x49, 0x4, 0x2, 0x2, 0xe, 0x72, 0x0, 0xb, 0x16, 0x1, 0x1, 0x18, 0x13, 0x48, 0x56, 0x1, 0x3, 0x0, 0x1, 0x5, 0x24, 0x60, 0x30, 0x6c, 0x18, 0xb, 0x18]}]}, @NL80211_BAND_5GHZ={0x3c, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0xd9f, 0x4, 0x5, 0x5, 0x2, 0xd0f7, 0x5, 0x3]}}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x2, 0x7, 0x5, 0x4, 0xfbd, 0x7, 0x99, 0x8]}}]}, @NL80211_BAND_5GHZ={0x3c, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x5, 0x4, 0x8001, 0x3ff, 0x733a, 0xff, 0x3, 0x5]}}, @NL80211_TXRATE_LEGACY={0x9, 0x1, [0x18, 0x1b, 0x12, 0x24, 0xb]}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_LEGACY={0x5, 0x1, [0xc]}]}, @NL80211_BAND_2GHZ={0x1c, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_HE_LTF={0x5}]}, @NL80211_BAND_5GHZ={0x14, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x29}, @NL80211_TXRATE_GI={0x5, 0x4, 0x2}]}]}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x9c, 0xd, 0x0, 0x1, [@NL80211_BAND_2GHZ={0x38, 0x0, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0x1e, 0x1, [0x5, 0x16, 0x3, 0x36, 0x4, 0x3, 0x16, 0x30, 0x30, 0x12, 0x48, 0x3, 0x4, 0x16, 0x16, 0x1, 0x1, 0x0, 0x16, 0x5, 0x1b, 0x24, 0xb, 0x18, 0x4, 0x12]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x3, 0x6, 0x8, 0x6, 0x3, 0x8000, 0xa3, 0x2]}}]}, @NL80211_BAND_2GHZ={0x60, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0x9, 0x4, 0x0, 0x7, 0xff, 0x9533, 0x1]}}, @NL80211_TXRATE_LEGACY={0xf, 0x1, [0x18, 0x5, 0x0, 0x4, 0x6, 0x48, 0x6c, 0x24, 0x30, 0x3, 0x36]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_LEGACY={0x15, 0x1, [0x36, 0xb, 0x6, 0x24, 0x7b, 0xc, 0x1d, 0x18, 0x30, 0x18, 0x18, 0xd, 0x6c, 0x1c, 0x1, 0x16, 0x24]}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}]}]}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x96}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5}]}, {0x28, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0xe6}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0xdd}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0xa8}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x6e}]}, {0x1c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_NOACK={0x5, 0x6, 0x7a}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x1}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}]}, {0x1c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5, 0x6, 0x1}]}, {0x28, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x7d}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}]}, {0x314, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x11}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x2f0, 0xd, 0x0, 0x1, [@NL80211_BAND_60GHZ={0x48, 0x2, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_HT={0x39, 0x2, [{0x5, 0x6}, {0x4, 0x9}, {0x3, 0x1}, {0x0, 0x5}, {0x6, 0x2}, {0x7, 0x8}, {0x0, 0xa}, {0x2, 0x1}, {0x1, 0x2}, {0x5, 0x3}, {0x1, 0xa}, {0x7, 0x9}, {0x4, 0x1}, {0x3, 0x8}, {0x0, 0xa}, {0x0, 0x8}, {0x4, 0x8}, {0x4, 0x4}, {0x1, 0x6}, {0x5, 0x1}, {0x3, 0x2}, {0x1, 0x1}, {0x2, 0x6}, {0x5, 0x3}, {0x4, 0x1}, {0x1, 0xa}, {0x7, 0x9}, {0x4, 0x8}, {0x6, 0x9}, {0x5}, {0x1, 0x7}, {0x5, 0x8}, {0x2, 0x9}, {0x4, 0x7}, {0x5, 0x7}, {0x5, 0x8}, {0x0, 0x8}, {0x7, 0x5}, {0x7, 0x4}, {0x5}, {0x0, 0x6}, {0x7, 0x2}, {0x4, 0x8}, {0x1, 0x2}, {0x1, 0x1}, {0x1, 0x7}, {0x1, 0x9}, {0x0, 0x8}, {0x4, 0x6}, {0x6, 0x3}, {0x3, 0x2}, {0x5, 0x3}, {0x0, 0x5}]}]}, @NL80211_BAND_5GHZ={0x18, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0x885c, 0xafd1, 0xfffd, 0xd8, 0xfff9, 0x8, 0x6, 0x4]}}]}, @NL80211_BAND_5GHZ={0x34, 0x1, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_HT={0x17, 0x2, [{0x0, 0x4}, {0x4, 0x9}, {0x7, 0x5}, {0x0, 0x3}, {0x0, 0x1}, {0x4, 0x8}, {0x2, 0x9}, {0x1, 0x8}, {0x4, 0x9}, {0x2, 0x7}, {0x1, 0x9}, {0x1, 0x9}, {0x2, 0xa}, {0x1, 0x9}, {0x7, 0x7}, {0x1, 0x8}, {0x3, 0x9}, {0x1, 0xa}, {0x4, 0x1}]}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}]}, @NL80211_BAND_2GHZ={0xe0, 0x0, 0x0, 0x1, [@NL80211_TXRATE_VHT={0x14, 0x3, {[0x7ac, 0x4, 0x4, 0xff, 0xff7f, 0x0, 0x0, 0x3]}}, @NL80211_TXRATE_LEGACY={0x23, 0x1, [0x1, 0x0, 0x16, 0x6, 0x48, 0xc, 0x4, 0x1, 0xb, 0x48, 0x1, 0x7b, 0x24, 0x3, 0x24, 0x6c, 0x48, 0xb, 0x2, 0x4, 0x16, 0x9, 0x6c, 0x1b, 0x18, 0x36, 0x24, 0x16, 0x18, 0xb, 0x5]}, @NL80211_TXRATE_HT={0x2a, 0x2, [{0x1, 0x2}, {0x0, 0x8}, {0x1, 0x3}, {0x3, 0x4}, {0x1}, {0x4, 0x2}, {0x7, 0xa}, {0x1, 0x7}, {0x7, 0x4}, {0x7, 0x3}, {0x1}, {0x7, 0x2}, {0x0, 0x4}, {0x2, 0x3}, {0x7, 0x5}, {0x1, 0xa}, {0x3, 0xa}, {0x2, 0x9}, {0x0, 0x2}, {0x1, 0x7}, {0x0, 0x4}, {0x1, 0x5}, {0x6, 0x9}, {0x1, 0x9}, {0x5, 0x3}, {0x1, 0x7}, {0x7, 0xa}, {0x1, 0x6}, {0x3, 0x7}, {0x0, 0xa}, {0x3, 0x3}, {0x7, 0x4}, {0x4}, {0x0, 0xa}, {0x1, 0x9}, {0x0, 0x5}, {0x1, 0x3}, {0x6, 0x9}]}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x0, 0x8, 0x2, 0x9, 0x3, 0x1a0, 0x5, 0xfffe]}}, @NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_LEGACY={0x5, 0x1, [0x48]}, @NL80211_TXRATE_HT={0x4b, 0x2, [{0x1}, {0x3, 0x7}, {0x0, 0x2}, {0x7, 0x4}, {0x0, 0x2}, {0x1, 0x7}, {0x2, 0x9}, {0x2, 0x4}, {0x3, 0x1}, {0x7, 0x6}, {0x1, 0x4}, {0x7, 0x8}, {0x4, 0x1}, {0x3, 0x5}, {0x3, 0x7}, {0x1, 0x3}, {0x2, 0x8}, {0x2, 0x3}, {0x0, 0x6}, {0x5, 0x3}, {0x0, 0x1}, {0x0, 0x1}, {0x5, 0x9}, {0x1}, {0x3, 0x5}, {0x7, 0x3}, {0x2}, {0x4, 0x3}, {0x7, 0x8}, {0x6}, {0x0, 0x8}, {0x6, 0xa}, {0x0, 0x6}, {0x3, 0xa}, {0x5, 0x7}, {0x2, 0x2}, {0x7, 0x6}, {0x1, 0x9}, {0x3, 0x9}, {0x0, 0x2}, {0x5, 0x4}, {0x7, 0xa}, {0x1, 0x1}, {0x3, 0x7}, {0x5, 0xa}, {0x6, 0x5}, {0x5, 0x6}, {0x7, 0x3}, {0x1, 0x6}, {0x3, 0x6}, {0x4, 0xa}, {0x7, 0x4}, {0x0, 0x9}, {0x6, 0x1}, {0x5, 0x9}, {0x0, 0x5}, {0x7, 0x8}, {0x1, 0xa}, {0x1, 0x4}, {0x5, 0x8}, {0x3, 0x2}, {0x7, 0x9}, {0x1, 0x1}, {0x0, 0x8}, {0x1, 0x5}, {0x6, 0x6}, {0x3}, {0x0, 0x6}, {0x1, 0x8}, {0x6, 0x3}, {0x6, 0x1}]}]}, @NL80211_BAND_5GHZ={0x54, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_LEGACY={0x1b, 0x1, [0x3, 0x24, 0x2b, 0x30, 0x12, 0x18, 0x5, 0x5, 0x1, 0x48, 0x68, 0x7683ddd3b91a2e08, 0x16, 0x6, 0x1b, 0x48, 0x48, 0x6c, 0x30, 0x60, 0x18, 0x16, 0x5]}, @NL80211_TXRATE_HT={0x21, 0x2, [{0x4, 0x7}, {0x2}, {0x5, 0x1}, {0x2, 0x6}, {0x1}, {0x7, 0x9}, {0x7, 0x9}, {0x4, 0xa}, {0x6, 0x2}, {0x0, 0x5}, {0x5, 0x4}, {0x3, 0xa}, {0x3, 0x8}, {0x1, 0x6}, {0x1, 0x7}, {0x7, 0x8}, {0x6, 0x8}, {0x4}, {0x2, 0x1}, {0x7, 0x6}, {0x3, 0x9}, {0x1, 0x5}, {0x6, 0x7}, {0x7, 0x6}, {0x0, 0x6}, {0x3, 0x6}, {0x0, 0xa}, {0x6}, {}]}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}]}, @NL80211_BAND_6GHZ={0x8c, 0x3, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0x1, 0xd4, 0x0, 0x4, 0x7, 0x0, 0xfffd, 0x8]}}, @NL80211_TXRATE_GI={0x5, 0x4, 0x2}, @NL80211_TXRATE_HE={0x14, 0x5, {[0xfff, 0x1, 0x1ff, 0x0, 0x80ca, 0x2, 0x2, 0x2]}}, @NL80211_TXRATE_HT={0x41, 0x2, [{0x3, 0x2}, {0x2, 0x5}, {0x7, 0x9}, {0x2, 0x5}, {0x3, 0x1}, {0x3, 0x1}, {0x1, 0x1}, {0x7, 0x4}, {0x5, 0x2}, {0x5, 0x3}, {0x2, 0xa}, {0x1, 0x4}, {0x1, 0x8}, {0x4, 0x2}, {0x3}, {0x5, 0x1}, {0x4, 0xa}, {0x5, 0x8}, {0x1, 0x7}, {0x3, 0xa}, {0x1, 0x6}, {0x5, 0xa}, {0x1, 0x8}, {0x3, 0x4}, {0x6, 0xa}, {0x1, 0x5}, {0x7, 0x1}, {0x0, 0x7}, {0x6, 0x2}, {0x0, 0x5}, {0x4, 0x6}, {0x5, 0x3}, {0x7}, {0x4, 0x2}, {0x1, 0x5}, {0x0, 0x1}, {0x4, 0x2}, {0x7, 0x2}, {0x0, 0x8}, {0x1, 0x5}, {0x0, 0x9}, {0x0, 0xa}, {0x0, 0x5}, {0x3}, {0x7, 0x9}, {0x1, 0xa}, {0x2, 0x4}, {0x4, 0xa}, {0x6, 0x1}, {0x2, 0x1}, {0x5, 0x9}, {0x0, 0x4}, {0x5}, {0x7}, {0x7, 0x6}, {0x2, 0x5}, {0x0, 0xa}, {0x4, 0x1}, {0x1}, {0x6, 0x4}, {0x4}]}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0xffff, 0x1000, 0x7, 0x8, 0xb, 0x4, 0x8001, 0x9]}}]}, @NL80211_BAND_60GHZ={0x74, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_LEGACY={0x1b, 0x1, [0x36, 0x1, 0x6, 0x24, 0x60, 0x60, 0x24, 0x9, 0x18, 0x48, 0xc, 0x24, 0x0, 0x48, 0x48, 0x20, 0x1b, 0x3d, 0x6c, 0x3, 0x0, 0x18, 0x6c]}, @NL80211_TXRATE_HT={0x44, 0x2, [{0x4, 0x5}, {0x1}, {0x6, 0x3}, {0x5, 0x5}, {0x5, 0x9}, {0x6, 0x3}, {0x6, 0x1}, {0x1, 0x2}, {0x3, 0x7}, {0x6, 0x2}, {0x3, 0x8}, {0x4, 0x4}, {0x4, 0x3}, {0x0, 0xa}, {0x6, 0x2}, {0x5, 0x1}, {0x0, 0x2}, {0x2, 0x9}, {0x5, 0x1}, {0x0, 0x9}, {0x2, 0xa}, {0x4, 0x4}, {0x6, 0x8}, {0x4, 0x5}, {0x0, 0x6}, {0x4}, {0x1, 0x8}, {0x6, 0x9}, {0x5, 0x7}, {0x0, 0xa}, {0x0, 0x5}, {0x7, 0xa}, {0x1, 0x3}, {0x7, 0x9}, {0x4, 0x6}, {0x3, 0x3}, {0x1, 0x6}, {0x7, 0x1}, {0x6, 0xa}, {0x1, 0x8}, {0x1, 0x1}, {0x7, 0x3}, {0x1, 0x5}, {0x0, 0x6}, {0x0, 0xa}, {0x4}, {0x1, 0x5}, {0x5, 0x8}, {0x0, 0x4}, {0x4, 0x9}, {0x0, 0xa}, {0x1, 0xa}, {0x2, 0x1}, {0x4, 0x1}, {0x0, 0x9}, {0x5, 0x9}, {}, {0x7}, {0x5, 0x7}, {0x5, 0x6}, {0x7, 0x8}, {0x5, 0x7}, {0x3, 0xa}, {0x5, 0x6}]}]}, @NL80211_BAND_60GHZ={0x24, 0x2, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_LEGACY={0x18, 0x1, [0x16, 0x6, 0x18, 0x24, 0x16, 0x1b, 0x60, 0x1b, 0x9, 0x1, 0x48, 0x1, 0xc, 0xc, 0x3, 0x18, 0x24, 0x1, 0x6, 0x60]}]}]}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc}]}]}, @NL80211_ATTR_TID_CONFIG={0x3a4, 0x11d, 0x0, 0x1, [{0x40, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5, 0x6, 0x1}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x29}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x1}, @NL80211_TID_CONFIG_ATTR_AMPDU_CTRL={0x5, 0x9, 0x1}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5, 0x6, 0x1}]}, {0x3c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x4}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x74}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}]}, {0x20, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_NOACK={0x5, 0x6, 0x1}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0x8000000000000001}]}, {0x50, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x11}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x3}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x55}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0xb9}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_VIF_SUPP={0xc, 0x2, 0xca7c}]}, {0x28, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0x22}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0xf8}, @NL80211_TID_CONFIG_ATTR_OVERRIDE={0x4}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}]}, {0x2c, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_NOACK={0x5}, @NL80211_TID_CONFIG_ATTR_RETRY_SHORT={0x5, 0x7, 0xef}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0x20}]}, {0x260, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5, 0xb, 0x1}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x2}, @NL80211_TID_CONFIG_ATTR_RETRY_LONG={0x5, 0x8, 0xc5}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x5bc}, @NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL={0x5, 0xa, 0x1}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x128, 0xd, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x20, 0x1, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0x1b, 0x1, [0xc, 0x16, 0xb, 0x36, 0x1e, 0xc, 0xb, 0x1b, 0x1, 0x4, 0x30, 0x18, 0x12, 0xb, 0x0, 0x9, 0x4, 0x3, 0x1, 0x4, 0xb, 0x48, 0x6]}]}, @NL80211_BAND_6GHZ={0x30, 0x3, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0x19, 0x1, [0x48, 0x16, 0x1b, 0x60, 0x60, 0x60, 0x1, 0x2, 0x73, 0x3d, 0x12, 0x5, 0x12, 0x4, 0x48, 0x2, 0x60, 0x48, 0x5, 0x24, 0x36]}, @NL80211_TXRATE_LEGACY={0x5, 0x1, [0x6]}, @NL80211_TXRATE_HE_GI={0x5}]}, @NL80211_BAND_60GHZ={0x18, 0x2, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0x11, 0x1, [0x1b, 0x1b, 0x2, 0x1b, 0x3, 0x2, 0x48, 0x60, 0x6c, 0x6, 0x30, 0x12, 0x6]}]}, @NL80211_BAND_5GHZ={0x68, 0x1, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0x19, 0x1, [0x3c, 0x60, 0x9, 0x24, 0x48, 0x24, 0x48, 0x48, 0x6, 0x5, 0x9, 0x12, 0x30, 0xc, 0x48, 0x1b, 0x3, 0xb, 0x1, 0x60, 0x4]}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_LEGACY={0x22, 0x1, [0x30, 0x60, 0x16, 0x0, 0x18, 0x24, 0x5, 0x60, 0x12, 0x12, 0x16, 0x18, 0x6c, 0x12, 0x6, 0x6, 0x48, 0xc, 0x28, 0x5, 0x5, 0x36, 0x1, 0x42, 0x1b, 0x36, 0x2, 0x67, 0xc, 0xc]}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_HT={0xa, 0x2, [{0x3, 0x4}, {0x4, 0x6}, {0x2, 0x5}, {0x4}, {0x1}, {0x1, 0x8}]}]}, @NL80211_BAND_5GHZ={0x20, 0x1, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x9, 0x7f, 0x1ff, 0xf, 0x3, 0x6, 0x3, 0x4]}}]}, @NL80211_BAND_5GHZ={0x30, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x101, 0x7b, 0x0, 0x9, 0x0, 0x8, 0x65, 0xff]}}]}, @NL80211_BAND_2GHZ={0x4}]}, @NL80211_TID_CONFIG_ATTR_TX_RATE={0x100, 0xd, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x28, 0x1, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5, 0x4, 0x2}, @NL80211_TXRATE_LEGACY={0x12, 0x1, [0x12, 0x5, 0x30, 0x36, 0x12, 0x1, 0x30, 0x18, 0x60, 0x30, 0x24, 0x5, 0x18, 0x6]}, @NL80211_TXRATE_HT={0x8, 0x2, [{0x5, 0x3}, {0x1, 0x6}, {0x1, 0x2}, {0x0, 0x7}]}]}, @NL80211_BAND_2GHZ={0x88, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x4, 0x8, 0x8001, 0x0, 0x7, 0x5, 0xfffa, 0x1]}}, @NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_LEGACY={0x8, 0x1, [0x5, 0x9, 0x18, 0x60]}, @NL80211_TXRATE_LEGACY={0xe, 0x1, [0x14, 0x6, 0x12, 0x36, 0x42, 0x4, 0x6c, 0xc, 0x3, 0x1]}, @NL80211_TXRATE_HT={0xd, 0x2, [{0x5, 0x8}, {0x2, 0x4}, {0x1, 0xa}, {0x2, 0x5}, {0x5, 0x4}, {0x0, 0x2}, {0x1, 0x3}, {0x7, 0x3}, {0x2}]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x3, 0x2, 0x8, 0x5, 0x7, 0x8, 0x8da]}}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x5, 0x7ff, 0x3, 0x0, 0x200, 0xc, 0x9, 0x631]}}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}]}, @NL80211_BAND_5GHZ={0x18, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0xe, 0x3ff, 0x8000, 0xffff, 0xa713, 0x9, 0x8, 0xad8c]}}]}, @NL80211_BAND_60GHZ={0x34, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0xd, 0x7ff, 0x7ff, 0x0, 0x6, 0x7, 0x8000, 0x2]}}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x3ff, 0x9, 0x4, 0xb4f6, 0x1, 0x7, 0x200, 0x2]}}, @NL80211_TXRATE_HE_LTF={0x5}]}]}]}]}, @NL80211_ATTR_TID_CONFIG={0x38, 0x11d, 0x0, 0x1, [{0x34, 0x0, 0x0, 0x1, [@NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE={0x5, 0xc, 0x1}, @NL80211_TID_CONFIG_ATTR_AMSDU_CTRL={0x5}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0x8}, @NL80211_TID_CONFIG_ATTR_PEER_SUPP={0xc, 0x3, 0xb3}, @NL80211_TID_CONFIG_ATTR_TIDS={0x6, 0x5, 0x75}]}]}]}, 0x1450}, 0x1, 0x0, 0x0, 0x20004890}, 0x0)

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
single: successfully extracted reproducer
found reproducer with 15 syscalls
minimizing guilty program
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_WIPHY_NETNS-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP-close_range
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
r3 = openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000340)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x38, r4, 0x300, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x1, 0x58}, @void, @void}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3c}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x60}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x57}]}, 0x38}}, 0x0)
r5 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r5, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r6=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r5, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r6, <r7=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r5, 0xc01864b0, &(0x7f0000000240)={r6, r7, 0x0, 0x0, 0x7})
close_range(r3, 0xffffffffffffffff, 0x0)

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_WIPHY_NETNS-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000340)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x38, r3, 0x300, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x1, 0x58}, @void, @void}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3c}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x60}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x57}]}, 0x38}}, 0x0)
r4 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r4, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r5=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r4, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r5, <r6=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r4, 0xc01864b0, &(0x7f0000000240)={r5, r6, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_WIPHY_NETNS-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000340)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x38, r3, 0x300, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x1, 0x58}, @void, @void}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3c}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x60}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x57}]}, 0x38}}, 0x0)
r4 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r4, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r5=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r4, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r5})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_WIPHY_NETNS-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000340)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x38, r3, 0x300, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x1, 0x58}, @void, @void}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3c}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x60}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x57}]}, 0x38}}, 0x0)
r4 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r4, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r5=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r4, 0xc01864b0, &(0x7f0000000240)={r5, 0x0, 0x0, 0x0, 0x7})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_WIPHY_NETNS-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000340)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x38, r3, 0x300, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x1, 0x58}, @void, @void}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3c}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x60}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x57}]}, 0x38}}, 0x0)
r4 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETCRTC(r4, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, 0x0, <r5=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r4, 0xc01864b0, &(0x7f0000000240)={0x0, r5, 0x0, 0x0, 0x7})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_WIPHY_NETNS-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_WIPHY_NETNS(r0, &(0x7f0000000340)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x38, r3, 0x300, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x1, 0x58}, @void, @void}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3c}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x7, 0x60}}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x57}]}, 0x38}}, 0x0)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r4=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(0xffffffffffffffff, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r4, <r5=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(0xffffffffffffffff, 0xc01864b0, &(0x7f0000000240)={r4, r5, 0x0, 0x0, 0x7})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_genetlink_get_family_id$nl80211-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
r3 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r4=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r4, <r5=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r3, 0xc01864b0, &(0x7f0000000240)={r4, r5, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-openat$sw_sync-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
r3 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r4=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r4, <r5=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r3, 0xc01864b0, &(0x7f0000000240)={r4, r5, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-sendmsg$nl_generic-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000900)={0x24, 0x32, 0x9, 0x0, 0x800, {0x1}, [@nested={0x8, 0x1, 0x0, 0x1, [@nested={0x4, 0x10}]}, @typed={0x8, 0x2, 0x0, 0x0, @pid=0xffffffffffffffff}]}, 0x24}}, 0x0)
r3 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r4=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r4, <r5=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r3, 0xc01864b0, &(0x7f0000000240)={r4, r5, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_XEN_HVM_CONFIG-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
ioctl$KVM_XEN_HVM_CONFIG(r2, 0x4038ae7a, &(0x7f0000000080)={0x2, 0xa1d, 0x0, 0x0})
r3 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r4=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r4, <r5=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r3, 0xc01864b0, &(0x7f0000000240)={r4, r5, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r2 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r2, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r3=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r3, <r4=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r2, 0xc01864b0, &(0x7f0000000240)={r3, r4, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20000, 0x0)
r1 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r1, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r2=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r1, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r2, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r1, 0xc01864b0, &(0x7f0000000240)={r2, r3, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00'})
r1 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r1, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r2=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r1, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r2, <r3=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r1, 0xc01864b0, &(0x7f0000000240)={r2, r3, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r1=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r1, <r2=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, &(0x7f0000000240)={r1, r2, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r1=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r1, <r2=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, &(0x7f0000000240)={r1, r2, 0x0, 0x0, 0x7})

program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(0x0, 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r1=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r1, <r2=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, &(0x7f0000000240)={r1, r2, 0x0, 0x0, 0x7})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, 0x0)
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, &(0x7f0000000240)={0x0, r1, 0x0, 0x0, 0x7})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x0})
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, 0x0, <r1=>0x0})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, &(0x7f0000000240)={0x0, r1, 0x0, 0x0, 0x7})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r1=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, 0x0)
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, &(0x7f0000000240)={r1, 0x0, 0x0, 0x0, 0x7})

program did not crash
testing program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
detailed listing:
executing program 0:
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x2, 0x400)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000180)={0x0, &(0x7f00000000c0)=[<r1=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r1})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=44.45829141s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
simplifying C reproducer
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program did not crash
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program did not crash
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
testing compiled C program (duration=44.45829141s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$dri-ioctl$DRM_IOCTL_MODE_GETRESOURCES-ioctl$DRM_IOCTL_MODE_GETCRTC-ioctl$DRM_IOCTL_MODE_PAGE_FLIP
program crashed: KASAN: slab-use-after-free Read in drm_atomic_helper_wait_for_vblanks
reproducing took 25m28.468029605s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in drm_atomic_helper_wait_for_vblanks.part.0+0x8c0/0x9b0 drivers/gpu/drm/drm_atomic_helper.c:1662
Read of size 1 at addr ffff888028471409 by task kworker/u32:1/13

CPU: 0 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.14.0-syzkaller-01103-g2df0c02dab82 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound commit_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 drm_atomic_helper_wait_for_vblanks.part.0+0x8c0/0x9b0 drivers/gpu/drm/drm_atomic_helper.c:1662
 drm_atomic_helper_wait_for_vblanks drivers/gpu/drm/drm_atomic_helper.c:1658 [inline]
 drm_atomic_helper_commit_tail+0xcb/0xf0 drivers/gpu/drm/drm_atomic_helper.c:1758
 commit_tail+0x35b/0x400 drivers/gpu/drm/drm_atomic_helper.c:1835
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c1/0xef0 kernel/workqueue.c:3400
 kthread+0x3a4/0x760 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6304:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:902 [inline]
 drm_atomic_helper_crtc_duplicate_state+0x70/0xd0 drivers/gpu/drm/drm_atomic_state_helper.c:177
 drm_atomic_get_crtc_state+0x16e/0x450 drivers/gpu/drm/drm_atomic.c:360
 page_flip_common+0x57/0x320 drivers/gpu/drm/drm_atomic_helper.c:3631
 drm_atomic_helper_page_flip+0xb6/0x180 drivers/gpu/drm/drm_atomic_helper.c:3692
 drm_mode_page_flip_ioctl+0x1029/0x1460 drivers/gpu/drm/drm_plane.c:1516
 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:796
 drm_ioctl+0x5d6/0xc10 drivers/gpu/drm/drm_ioctl.c:893
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6304:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2376 [inline]
 slab_free mm/slub.c:4633 [inline]
 kfree+0x2b6/0x4d0 mm/slub.c:4832
 drm_atomic_state_default_clear+0x453/0xe30 drivers/gpu/drm/drm_atomic.c:224
 drm_atomic_state_clear drivers/gpu/drm/drm_atomic.c:293 [inline]
 __drm_atomic_state_free+0x185/0x2b0 drivers/gpu/drm/drm_atomic.c:310
 kref_put include/linux/kref.h:65 [inline]
 drm_atomic_state_put include/drm/drm_atomic.h:538 [inline]
 drm_client_modeset_commit_atomic+0x6b2/0x7e0 drivers/gpu/drm/drm_client_modeset.c:1085
 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1182
 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1208
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:237 [inline]
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:216 [inline]
 drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:264 [inline]
 drm_fb_helper_lastclose+0xc7/0x160 drivers/gpu/drm/drm_fb_helper.c:1977
 drm_fbdev_client_restore+0x2c/0x40 drivers/gpu/drm/clients/drm_fbdev_client.c:31
 drm_client_dev_restore+0x183/0x290 drivers/gpu/drm/drm_client_event.c:104
 drm_lastclose drivers/gpu/drm/drm_file.c:396 [inline]
 drm_release+0x2c2/0x360 drivers/gpu/drm/drm_file.c:429
 __fput+0x3ff/0xb70 fs/file_table.c:465
 fput_close_sync+0x15e/0x1e0 fs/file_table.c:570
 __do_sys_close fs/open.c:1581 [inline]
 __se_sys_close fs/open.c:1566 [inline]
 __x64_sys_close+0x8b/0x120 fs/open.c:1566
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888028471400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 9 bytes inside of
 freed 512-byte region [ffff888028471400, ffff888028471600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28470
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b442c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b442c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0000a11c01 ffffffffffffffff 0000000000000000
head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6301, tgid 6301 (syz-executor953), ts 46603842638, free_ts 45847670791
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x10c4/0x34c0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x223/0x24d0 mm/page_alloc.c:4740
 alloc_pages_mpol+0x1fb/0x540 mm/mempolicy.c:2301
 alloc_slab_page mm/slub.c:2446 [inline]
 allocate_slab mm/slub.c:2610 [inline]
 new_slab+0x23c/0x330 mm/slub.c:2663
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3849
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3939
 __slab_alloc_node mm/slub.c:4014 [inline]
 slab_alloc_node mm/slub.c:4175 [inline]
 __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4344
 kmalloc_noprof include/linux/slab.h:902 [inline]
 kzalloc_noprof include/linux/slab.h:1036 [inline]
 crtc_or_fake_commit.part.0+0x7f/0x110 drivers/gpu/drm/drm_atomic_helper.c:2217
 crtc_or_fake_commit drivers/gpu/drm/drm_atomic_helper.c:2208 [inline]
 drm_atomic_helper_setup_commit+0x1066/0x15d0 drivers/gpu/drm/drm_atomic_helper.c:2372
 drm_atomic_helper_commit+0xa9/0x380 drivers/gpu/drm/drm_atomic_helper.c:2023
 drm_atomic_commit+0x231/0x300 drivers/gpu/drm/drm_atomic.c:1518
 drm_client_modeset_commit_atomic+0x69d/0x7e0 drivers/gpu/drm/drm_client_modeset.c:1079
 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1182
 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1208
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:237 [inline]
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:216 [inline]
 drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:264 [inline]
 drm_fb_helper_lastclose+0xc7/0x160 drivers/gpu/drm/drm_fb_helper.c:1977
page last free pid 6232 tgid 6232 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x6d8/0xf40 mm/page_alloc.c:2660
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4138 [inline]
 slab_alloc_node mm/slub.c:4187 [inline]
 __do_kmalloc_node mm/slub.c:4317 [inline]
 __kmalloc_noprof+0x1d4/0x510 mm/slub.c:4330
 kmalloc_noprof include/linux/slab.h:906 [inline]
 tomoyo_realpath_from_path+0xc2/0x6e0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x245/0x580 security/tomoyo/file.c:723
 security_file_ioctl+0x9b/0x240 security/security.c:2913
 __do_sys_ioctl fs/ioctl.c:900 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0xb7/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888028471300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028471380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888028471400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888028471480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028471500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in drm_atomic_helper_wait_for_vblanks.part.0+0x8c0/0x9b0 drivers/gpu/drm/drm_atomic_helper.c:1662
Read of size 1 at addr ffff888028471409 by task kworker/u32:1/13

CPU: 0 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.14.0-syzkaller-01103-g2df0c02dab82 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound commit_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 drm_atomic_helper_wait_for_vblanks.part.0+0x8c0/0x9b0 drivers/gpu/drm/drm_atomic_helper.c:1662
 drm_atomic_helper_wait_for_vblanks drivers/gpu/drm/drm_atomic_helper.c:1658 [inline]
 drm_atomic_helper_commit_tail+0xcb/0xf0 drivers/gpu/drm/drm_atomic_helper.c:1758
 commit_tail+0x35b/0x400 drivers/gpu/drm/drm_atomic_helper.c:1835
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c1/0xef0 kernel/workqueue.c:3400
 kthread+0x3a4/0x760 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6304:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:902 [inline]
 drm_atomic_helper_crtc_duplicate_state+0x70/0xd0 drivers/gpu/drm/drm_atomic_state_helper.c:177
 drm_atomic_get_crtc_state+0x16e/0x450 drivers/gpu/drm/drm_atomic.c:360
 page_flip_common+0x57/0x320 drivers/gpu/drm/drm_atomic_helper.c:3631
 drm_atomic_helper_page_flip+0xb6/0x180 drivers/gpu/drm/drm_atomic_helper.c:3692
 drm_mode_page_flip_ioctl+0x1029/0x1460 drivers/gpu/drm/drm_plane.c:1516
 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:796
 drm_ioctl+0x5d6/0xc10 drivers/gpu/drm/drm_ioctl.c:893
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6304:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2376 [inline]
 slab_free mm/slub.c:4633 [inline]
 kfree+0x2b6/0x4d0 mm/slub.c:4832
 drm_atomic_state_default_clear+0x453/0xe30 drivers/gpu/drm/drm_atomic.c:224
 drm_atomic_state_clear drivers/gpu/drm/drm_atomic.c:293 [inline]
 __drm_atomic_state_free+0x185/0x2b0 drivers/gpu/drm/drm_atomic.c:310
 kref_put include/linux/kref.h:65 [inline]
 drm_atomic_state_put include/drm/drm_atomic.h:538 [inline]
 drm_client_modeset_commit_atomic+0x6b2/0x7e0 drivers/gpu/drm/drm_client_modeset.c:1085
 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1182
 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1208
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:237 [inline]
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:216 [inline]
 drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:264 [inline]
 drm_fb_helper_lastclose+0xc7/0x160 drivers/gpu/drm/drm_fb_helper.c:1977
 drm_fbdev_client_restore+0x2c/0x40 drivers/gpu/drm/clients/drm_fbdev_client.c:31
 drm_client_dev_restore+0x183/0x290 drivers/gpu/drm/drm_client_event.c:104
 drm_lastclose drivers/gpu/drm/drm_file.c:396 [inline]
 drm_release+0x2c2/0x360 drivers/gpu/drm/drm_file.c:429
 __fput+0x3ff/0xb70 fs/file_table.c:465
 fput_close_sync+0x15e/0x1e0 fs/file_table.c:570
 __do_sys_close fs/open.c:1581 [inline]
 __se_sys_close fs/open.c:1566 [inline]
 __x64_sys_close+0x8b/0x120 fs/open.c:1566
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888028471400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 9 bytes inside of
 freed 512-byte region [ffff888028471400, ffff888028471600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28470
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b442c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b442c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0000a11c01 ffffffffffffffff 0000000000000000
head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6301, tgid 6301 (syz-executor953), ts 46603842638, free_ts 45847670791
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x10c4/0x34c0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x223/0x24d0 mm/page_alloc.c:4740
 alloc_pages_mpol+0x1fb/0x540 mm/mempolicy.c:2301
 alloc_slab_page mm/slub.c:2446 [inline]
 allocate_slab mm/slub.c:2610 [inline]
 new_slab+0x23c/0x330 mm/slub.c:2663
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3849
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3939
 __slab_alloc_node mm/slub.c:4014 [inline]
 slab_alloc_node mm/slub.c:4175 [inline]
 __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4344
 kmalloc_noprof include/linux/slab.h:902 [inline]
 kzalloc_noprof include/linux/slab.h:1036 [inline]
 crtc_or_fake_commit.part.0+0x7f/0x110 drivers/gpu/drm/drm_atomic_helper.c:2217
 crtc_or_fake_commit drivers/gpu/drm/drm_atomic_helper.c:2208 [inline]
 drm_atomic_helper_setup_commit+0x1066/0x15d0 drivers/gpu/drm/drm_atomic_helper.c:2372
 drm_atomic_helper_commit+0xa9/0x380 drivers/gpu/drm/drm_atomic_helper.c:2023
 drm_atomic_commit+0x231/0x300 drivers/gpu/drm/drm_atomic.c:1518
 drm_client_modeset_commit_atomic+0x69d/0x7e0 drivers/gpu/drm/drm_client_modeset.c:1079
 drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1182
 drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1208
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:237 [inline]
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:216 [inline]
 drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:264 [inline]
 drm_fb_helper_lastclose+0xc7/0x160 drivers/gpu/drm/drm_fb_helper.c:1977
page last free pid 6232 tgid 6232 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x6d8/0xf40 mm/page_alloc.c:2660
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4138 [inline]
 slab_alloc_node mm/slub.c:4187 [inline]
 __do_kmalloc_node mm/slub.c:4317 [inline]
 __kmalloc_noprof+0x1d4/0x510 mm/slub.c:4330
 kmalloc_noprof include/linux/slab.h:906 [inline]
 tomoyo_realpath_from_path+0xc2/0x6e0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x245/0x580 security/tomoyo/file.c:723
 security_file_ioctl+0x9b/0x240 security/security.c:2913
 __do_sys_ioctl fs/ioctl.c:900 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0xb7/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888028471300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028471380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888028471400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888028471480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028471500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================