Extracting prog: 1h4m23.667132778s
Minimizing prog: 25m0.689705117s
Simplifying prog options: 0s
Extracting C: 43.219635372s
Simplifying C: 6m15.290586837s


extracting reproducer from 28 programs
testing a last program of every proc
single: executing 8 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): fsopen-fsconfig$FSCONFIG_CMD_CREATE-fsmount-setreuid-symlinkat-openat$rnullb
detailed listing:
executing program 0:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-socket$inet6-openat$binderfs-socket$inet_icmp_raw-setsockopt$inet_msfilter-ioctl$KVM_IRQFD-socket$nl_generic-syz_genetlink_get_family_id$ethtool-sendmsg$ETHTOOL_MSG_LINKMODES_SET-dup3-socket-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bind$packet-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-socket$unix-dup2-close_range-syz_usb_connect-syz_usb_control_io$printer-ioctl$TCSETAW-syz_usb_control_io$cdc_ecm-socket$nl_route-sendmsg$netlink
detailed listing:
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-getsockopt$bt_hci-socket$nl_generic-socket$packet-socket$inet-openat$kvm-socket$netlink-sendmsg$netlink-ioctl$KVM_CREATE_VM-dup-ioctl$KVM_CREATE_VCPU-ioctl$KVM_SET_USER_MEMORY_REGION-syz_kvm_setup_cpu$x86-syz_kvm_setup_cpu$x86-ioctl$KVM_REGISTER_COALESCED_MMIO-ioctl$KVM_RUN-syz_open_procfs-read$FUSE
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$selinux_status-read$FUSE-openat$rnullb-syz_open_dev$usbfs-socket$netlink-socket$key-sendmsg$key-setsockopt$sock_int-dup-socket$packet-setsockopt$packet_int-setsockopt$packet_rx_ring-socket$inet-sendto$inet-read$usbfs-syz_usb_connect-mmap
detailed listing:
executing program 0:
r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
read$FUSE(r0, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x200202, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000000), 0x200, 0x102)
r2 = socket$netlink(0x10, 0x3, 0x10) (async)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000780)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=ANY=[@ANYBLOB="020b0f050f00000026bd7000fcdbdf25040004000900000001f8ffffffffffff0500000000000000ff0100000000000002001000000004d2000004d50000000002000a0030000000050000000000000005000500322000000a"], 0x78}}, 0x24048950)
setsockopt$sock_int(r2, 0x1, 0x8, &(0x7f0000000300), 0x4) (async)
r4 = dup(r2) (async)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r5, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) (async, rerun: 32)
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x20000002}, 0x1c) (async, rerun: 32)
r6 = socket$inet(0x2, 0x4000000000000001, 0x0)
sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async)
read$usbfs(r4, 0x0, 0x0)
syz_usb_connect(0x3, 0x35, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000b58f55408205d5b9f773000000010902230001000000000904080001fff56a00082502017f040e0009050b02"], 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1, 0x2010, r1, 0xfffff000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): fsopen-fsconfig$FSCONFIG_CMD_CREATE-fsmount-setreuid-symlinkat-openat$rnullb
detailed listing:
executing program 0:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-getsockopt$bt_hci-socket$nl_generic-socket$packet-socket$inet-openat$kvm-socket$netlink-sendmsg$netlink-ioctl$KVM_CREATE_VM-dup-ioctl$KVM_CREATE_VCPU-ioctl$KVM_SET_USER_MEMORY_REGION-syz_kvm_setup_cpu$x86-syz_kvm_setup_cpu$x86-ioctl$KVM_REGISTER_COALESCED_MMIO-ioctl$KVM_RUN-syz_open_procfs-read$FUSE
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-socket$inet6-openat$binderfs-socket$inet_icmp_raw-setsockopt$inet_msfilter-ioctl$KVM_IRQFD-socket$nl_generic-syz_genetlink_get_family_id$ethtool-sendmsg$ETHTOOL_MSG_LINKMODES_SET-dup3-socket-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bind$packet-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-socket$unix-dup2-close_range-syz_usb_connect-syz_usb_control_io$printer-ioctl$TCSETAW-syz_usb_control_io$cdc_ecm-socket$nl_route-sendmsg$netlink
detailed listing:
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$selinux_status-read$FUSE-openat$rnullb-syz_open_dev$usbfs-socket$netlink-socket$key-sendmsg$key-setsockopt$sock_int-dup-socket$packet-setsockopt$packet_int-setsockopt$packet_rx_ring-socket$inet-sendto$inet-read$usbfs-syz_usb_connect-mmap
detailed listing:
executing program 0:
r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
read$FUSE(r0, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x200202, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000000), 0x200, 0x102)
r2 = socket$netlink(0x10, 0x3, 0x10) (async)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000780)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=ANY=[@ANYBLOB="020b0f050f00000026bd7000fcdbdf25040004000900000001f8ffffffffffff0500000000000000ff0100000000000002001000000004d2000004d50000000002000a0030000000050000000000000005000500322000000a"], 0x78}}, 0x24048950)
setsockopt$sock_int(r2, 0x1, 0x8, &(0x7f0000000300), 0x4) (async)
r4 = dup(r2) (async)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r5, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) (async, rerun: 32)
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x20000002}, 0x1c) (async, rerun: 32)
r6 = socket$inet(0x2, 0x4000000000000001, 0x0)
sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async)
read$usbfs(r4, 0x0, 0x0)
syz_usb_connect(0x3, 0x35, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000b58f55408205d5b9f773000000010902230001000000000904080001fff56a00082502017f040e0009050b02"], 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1, 0x2010, r1, 0xfffff000)

program did not crash
single: failed to extract reproducer
bisect: bisecting 28 programs with base timeout 6m0s
testing program (duration=6m7s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 14, 30, 24, 6, 25, 24, 22, 14, 17, 18, 16, 30, 30, 10, 40, 9, 10, 17, 14, 24, 24, 18, 6, 17, 18, 24, 6]
detailed listing:
executing program 0:
r0 = openat$ptp0(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
ioctl$PTP_PEROUT_REQUEST2(r0, 0x40383d0c, &(0x7f0000000080)={{0x0, 0xfffffffb}, {0x7, 0x2800}, 0xf, 0x1})
ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100})
ioctl$PTP_EXTTS_REQUEST2(r0, 0x40603d10, &(0x7f0000000040))
r1 = openat$binderfs_ctrl(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder-control\x00', 0x2, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.time_recursive\x00', 0x275a, 0x0)
mmap(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x13, r2, 0x0)
remap_file_pages(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x0, 0x8, 0x0)
mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x1, 0x32, 0xffffffffffffffff, 0x2ec37000)
ioctl$BINDER_CTL_ADD(r1, 0xc1086201, &(0x7f0000000540)={'binder1\x00'})
executing program 0:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680))
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 0:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
r2 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
mmap$binder(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x1, 0x11, r2, 0x8000)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000080)={'pimreg0\x00', 0x7c2})
ioctl$TUNATTACHFILTER(r3, 0x401054d5, &(0x7f0000000480)={0x2, &(0x7f00000004c0)=[{0x1d}, {0x6}]})
msync(&(0x7f0000ff9000/0x1000)=nil, 0x1000, 0x4)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r6, 0xc008ae88, &(0x7f0000000000)=ANY=[@ANYBLOB="0100000000ffffff040001c0"])
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r7 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r7, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
r8 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
write$vga_arbiter(r8, &(0x7f0000000080)=ANY=[@ANYBLOB='decodes '], 0xf)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
r9 = syz_usb_connect(0x0, 0x24, &(0x7f0000000cc0)=ANY=[@ANYBLOB="120100004f92b90857152077ebb7000000010902120001000000000904"], 0x0)
syz_usb_control_io(r9, 0x0, &(0x7f0000000140)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000000)={0x40, 0x13, 0x5e, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r9, 0x0, &(0x7f0000001740)={0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)={0x40, 0x19, 0x2, "0200"}, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$uac1(r9, 0x0, &(0x7f00000000c0)={0x44, &(0x7f0000000080)=ANY=[@ANYBLOB="000101"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$printer(r9, 0x0, 0x0)
syz_usb_control_io$uac1(r9, 0x0, 0x0)
syz_usb_control_io$hid(r9, 0x0, 0x0)
executing program 1:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000500), 0x0, 0x0)
r1 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000002c0), 0x4b301, 0x0)
ioctl$TCSETSF(r1, 0x5404, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffa)
mmap(&(0x7f0000701000/0x1000)=nil, 0x1000, 0x0, 0x12, r0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
r3 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r3, &(0x7f0000f5dfe4)={0xa, 0x4e20, 0x0, @empty}, 0x1c)
recvmmsg(r3, &(0x7f0000002c80)=[{{0x0, 0x0, 0x0}, 0x7ff}], 0x1, 0x2b, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, &(0x7f0000000440)="f30fc7340366baf80cb84bbee38aef66bafc0cec3ef30fc770d966baf80cb8a04aa989ef66bafc0cedc4c125fa2166b8e6008ec8c4e3055ca4aaf00f000000c4c2f9aa0766baf80cb808da688aef66bafc0cb8d254e399ef0f004103", 0x5c}], 0x1, 0x10, 0x0, 0x0)
r4 = socket(0x11, 0x3, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f00000005c0)={'gre0\x00', <r6=>0x0})
bind$packet(r4, &(0x7f0000000180)={0x11, 0x0, r6, 0x1, 0x0, 0x6, @dev}, 0x14)
r7 = open(&(0x7f0000000040)='./file0\x00', 0x30000, 0x182)
setsockopt$packet_int(r4, 0x107, 0xf, &(0x7f0000000240)=0xe9, 0x4)
cachestat(r2, &(0x7f0000000080)={0x481, 0x1}, &(0x7f00000000c0), 0x0)
sendmsg$netlink(r4, &(0x7f0000002ac0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000400)=ANY=[@ANYBLOB="02011400012918000e1a80009f00016d2900002f0600ac141430e0000003808a8972bd0b72e41082b1a3d206"], 0xdd12}], 0x1, 0x0, 0x0, 0x4000007}, 0x1)
setsockopt$inet6_int(r3, 0x29, 0x4, &(0x7f0000000000)=0x1, 0x4)
sendto$inet6(r3, 0x0, 0x0, 0x0, &(0x7f0000000300)={0xa, 0x4e20, 0x0, @mcast1}, 0x1c)
bind$xdp(r7, &(0x7f0000000100)={0x2c, 0xc, r6, 0x3b, r4}, 0x10)
r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
sendmsg$NL80211_CMD_PEER_MEASUREMENT_START(r2, &(0x7f0000001800)={0x0, 0x0, &(0x7f00000017c0)={&(0x7f0000000280)={0x1c, r8, 0x1, 0x70bd2c, 0x25dfdbfe, {{}, {@val={0x8}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x80}, 0x20000000)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x1000)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1002, 0x0)
r1 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r1, 0x29, 0x2e, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}, 0xfffffffd}}, {{0xa, 0x0, 0x0, @remote}}}, 0x108)
r2 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r2, 0x29, 0x2a, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x4e22, 0x0, @remote}}}, 0x108)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r12, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))
executing program 2:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 2:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) (async)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1/file2\x00', 0x81c0, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x2040, 0x0) (async)
renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file2\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x2) (async, rerun: 64)
msync(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x5) (async, rerun: 64)
fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) (async)
r0 = fsmount(0xffffffffffffffff, 0x0, 0x3) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) (async)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) (async, rerun: 64)
r3 = dup3(r2, r1, 0x0) (rerun: 64)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a}) (async)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000001040)={0x8, 0x0, &(0x7f00000001c0)=[@increfs={0x40046304, 0x1}], 0x0, 0x0, 0x0})
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002})
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r2 = dup3(r1, r0, 0x0)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000640)='./binderfs/binder0\x00', 0x0, 0x0)
syz_kvm_setup_syzos_vm$x86(r2, &(0x7f0000c00000/0x400000)=nil)
r4 = socket$inet6_udplite(0xa, 0x2, 0x88)
ioctl$VHOST_SET_VRING_ADDR(0xffffffffffffffff, 0x4028af11, &(0x7f0000000280)={0x0, 0x0, 0x0, &(0x7f0000000340)=""/185, 0x0, 0x80a0000})
syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000001180)={&(0x7f0000000240)={0x50, 0x0, 0xa6, {0x7, 0x2b, 0x6, 0x2000000, 0xa61, 0x8, 0xffff7161, 0x1, 0x0, 0x0, 0x4}}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
setsockopt$inet6_opts(r4, 0x29, 0x40, &(0x7f0000000240)=ANY=[], 0xd0060)
r5 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000080)={'tunl0\x00', <r6=>0x0})
sendto$packet(r5, &(0x7f00000002c0)="05", 0x1, 0x4, &(0x7f0000000140)={0x11, 0x86dd, r6, 0x1, 0x0, 0x6, @multicast}, 0x14)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, r3, 0x10000000000)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire={0x40046305, 0x3}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x4c, 0x0, &(0x7f0000000100)=[@transaction_sg={0x40486311, {0x1, 0x0, 0x0, 0x0, 0x31, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000280)={@ptr={0x73682a85, 0x0, 0x0, 0x0, 0x0, 0x80000000004}, @fd={0x66642a85, 0x0, r2}, @flat=@weak_handle={0x77682a85, 0x1, 0x2}}, &(0x7f0000000240)={0x0, 0x28, 0x40}}, 0x1000}], 0x0, 0x0, 0x0})
executing program 2:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r0 = syz_usb_connect$cdc_ncm(0x3, 0x7f, &(0x7f0000000240)={{0x12, 0x1, 0x200, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6d, 0x2, 0x1, 0x8, 0x0, 0x9, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0xa, 0x24, 0x6, 0x0, 0x1, "7cc6a244db"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x2, 0xf, 0x9}, {0x6, 0x24, 0x1a, 0x2, 0xd}, [@call_mgmt={0x5, 0x24, 0x1, 0x1, 0x9}, @dmm={0x7, 0x24, 0x14, 0x3, 0x7}]}, {{0x9, 0x5, 0x81, 0x3, 0x40, 0x2, 0x0, 0x6}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x96, 0x3, 0x80}}, {{0x9, 0x5, 0x3, 0x2, 0x10, 0x0, 0xa, 0x3}}}}}}}]}}, &(0x7f00000004c0)={0xa, &(0x7f0000000100)={0xa, 0x6, 0x200, 0x5, 0xfd, 0x8, 0x20, 0x9}, 0x1f, &(0x7f00000002c0)={0x5, 0xf, 0x1f, 0x3, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "e4a5ad9a8cde9c3e54e18f7865399127"}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0x5, [{0x8b, &(0x7f0000000300)=@string={0x8b, 0x3, "7de45d845daf93585071e897f2dbfd4684a6061dde1c5c990a345f18d60a6dda8571d0839378ba34fa2ea9486f5330195dec4c815577336dd1bf1cc2024df0a0880076c686dbd4d3b64bea9eda09bb803d9a72bdcb7b32a0c1d0116a2597b6143e7dafbcba1b95ec56899359ea25365cb7b1828a2b88b2f53c94279d59b8cc4470c4373cd11c26171a"}}, {0x4, &(0x7f00000003c0)=@lang_id={0x4, 0x3, 0x2c09}}, {0x4, &(0x7f0000000400)=@lang_id={0x4, 0x3, 0x44d}}, {0x4, &(0x7f0000000440)=@lang_id={0x4, 0x3, 0x1007}}, {0x4, &(0x7f0000000480)=@lang_id={0x4, 0x3, 0x401}}]})
syz_usb_control_io(r0, &(0x7f0000000780)={0x2c, &(0x7f0000000540)={0x20, 0x1, 0x9d, {0x9d, 0x31, "b5a6786efd5f900ba546ea87ff1ea9b0ab5d37de432fa7c4ff06a861e46adc1b854969abbbfaf63c9d0ea90e537a7819c986118e1a99e484732e6f7e6082c0844e273338581bd0c293e7069b8842de58a32eb20f2dd45793419454f71e730b14a97468bd0411fa9749c6baf5adec906e5eb6d41797016f3b1bd188c1122b4cce21ffbf7e3166e57d4bdcd61ea2b55cec5253138b303abc91766ae1"}}, &(0x7f0000000680)={0x0, 0x3, 0x97, @string={0x97, 0x3, "a0a300286cca2c462ef7567dcd93696869b234fb5d14d9c37b5d2480f914b2f026a23a89622a8b1007e324e6496166ecd9a09220eb783103f59111ca54c33a2b3025aed6a36308628b8011b9e11be405c882f69e42ef7d74bf5ddf6f878ebd8d7e03d82002d2b439418f89b3d066f706d30d69c37c6573476f44736b25c8599efd4d45ca45e9ec7501c367242e18f598f194da866b"}}, &(0x7f0000000600)={0x0, 0xf, 0x8, {0x5, 0xf, 0x8, 0x1, [@ptm_cap={0x3}]}}, 0x0, &(0x7f0000000740)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x6, 0x68, 0x7, 0x3, 0x7f}}}, &(0x7f0000000c40)={0x84, &(0x7f0000000d00)=ANY=[@ANYBLOB="00037f000000a5533f6b0bb66f5ff843f02da2b58d890bcbc4a74859943db962468a5c05a53f8cb05a1c94e36e4eaa48a89a12308183b82e93f82aa734a30396744eb96deb3df451c3b760840184851c5e8597a0dfed70a990b0ed10b851da7a7173ceafbc3d5604818c759873be1cdae4bf0b368d6c559c917f49c6ed147563ac9ed4c8c9f6a492c73d5bd2545a11410e3859b6c83ed1bedb72e3f76934bdb9c0a353cf826fc5b575622b59ee7f8d3b4cc3dfe883e58e2d59e8aed79ee7bab8cb84f8c04c34a943c81cc76a7b0a3b8218cc09c697863727ddb662785a29b5e20e650ab1ff656d2bc842069680b3a74c51958dda0117ee66c2275053"], &(0x7f0000000880)={0x0, 0xa, 0x1, 0xb}, &(0x7f00000008c0)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000000900)={0x20, 0x0, 0x4, {0x2, 0x1}}, &(0x7f0000000940)={0x20, 0x0, 0x4, {0x4, 0x40}}, &(0x7f0000000980)={0x40, 0x7, 0x2, 0x7}, &(0x7f00000009c0)={0x40, 0x9, 0x1, 0x8}, &(0x7f0000000a00)={0x40, 0xb, 0x2, "8ff4"}, &(0x7f0000000a40)={0x40, 0xf, 0x2, 0x6}, &(0x7f0000000a80)={0x40, 0x13, 0x6, @multicast}, &(0x7f0000000ac0)={0x40, 0x17, 0x6, @multicast}, &(0x7f0000000b00)={0x40, 0x19, 0x2, "6210"}, &(0x7f0000000b40)={0x40, 0x1a, 0x2, 0xfff7}, &(0x7f0000000b80)={0x40, 0x1c, 0x1, 0x9}, &(0x7f0000000bc0)={0x40, 0x1e, 0x1, 0x3}, &(0x7f0000000c00)={0x40, 0x21, 0x1, 0x2}})
r1 = socket$can_raw(0x1d, 0x3, 0x1)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000000)={'vcan0\x00', <r2=>0x0})
bind$can_raw(r1, &(0x7f0000000080)={0x1d, r2}, 0x10)
setsockopt$CAN_RAW_FILTER(r1, 0x65, 0x1, &(0x7f0000000140)=[{{0x4, 0x0, 0x1}, {0x4, 0x0, 0x0, 0x1}}, {{0x4, 0x0, 0x1}, {0x3, 0x1, 0x0, 0x1}}], 0x10)
bind$can_raw(r1, &(0x7f0000000040), 0x10)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/binder1\x00', 0x800, 0x0)
syz_clone3(&(0x7f00000005c0)={0x11c103200, 0x0, 0x0, &(0x7f00000003c0), {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000200)={0x73622a85, 0x10a})
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x8, 0x0, &(0x7f0000000040)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000640)={0x20, 0x0, &(0x7f0000000e00)=[@request_death={0x400c6313}, @clear_death={0x400c6313}], 0x0, 0x0, 0x0})
r5 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
openat$cgroup_ro(r5, &(0x7f0000000080)='devices.list\x00', 0x0, 0x0)
executing program 3:
r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f00000005c0), 0x420e43, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x11, r0, 0x45809000) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0)
mkdir(&(0x7f0000000100)='./file1\x00', 0x13b)
mkdir(&(0x7f0000000000)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000380)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}]})
setxattr$security_ima(&(0x7f0000000300)='./bus\x00', &(0x7f0000000340), &(0x7f0000000400)=@md5={0x1, "31a9c79fa63b95fe4578c4d8cfdc2ffd"}, 0x11, 0x1) (async)
r1 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
ioctl$VHOST_SET_VRING_BASE(r1, 0xaf01, 0x0) (async, rerun: 32)
r2 = openat$tcp_congestion(0xffffffffffffff9c, &(0x7f00000002c0), 0x10, 0x0) (rerun: 32)
read(r2, &(0x7f0000000240)=""/2, 0x2)
ioctl$VHOST_SET_LOG_BASE(r1, 0x4008af04, &(0x7f0000000300)=&(0x7f0000000240)) (async, rerun: 64)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f0000000000)={0x73622a85, 0x0, 0x3}) (async, rerun: 64)
ioctl$KVM_CLEAR_DIRTY_LOG(0xffffffffffffffff, 0xc018aec0, &(0x7f0000000140)={0x0, 0x2c0, 0x0, &(0x7f0000000180)=[0x6bd1a312, 0xec66, 0xff, 0x8, 0x98bd, 0x800000000000009, 0x0, 0x100000000000004, 0x10000, 0x100, 0x9004, 0x0, 0x3, 0x5, 0xffffffffffffffff, 0x49, 0x3ff, 0x5, 0x0, 0x9, 0x8, 0x7, 0x1c1, 0x1000000003, 0x2, 0x2, 0x6, 0x7, 0x96, 0xffffffff, 0xffffffff00000000, 0x0, 0x4, 0x7, 0x23b, 0x3, 0x2, 0x888f, 0x4, 0x8, 0x6, 0x6, 0x3, 0xa3de, 0x20000000006, 0x8, 0x5c3e, 0x400, 0x3, 0xfffffffffffffff7, 0xfffffffffffffffa, 0x2, 0xe, 0x7, 0x4, 0xe6, 0x200000000000101, 0x5, 0x9, 0x66, 0x6, 0x7, 0x40000005, 0xfffffffeffffffff, 0xc, 0xd, 0x9, 0xe8, 0x80000000, 0xfffffffffffffc00, 0x2, 0x4, 0x2, 0xcdc, 0x7, 0x2, 0x3, 0x2, 0x5, 0xfff, 0x6, 0x4, 0x6, 0xab6, 0x0, 0x8, 0xfff, 0xffffffffffffff81, 0x9, 0xff, 0x6, 0x28000000, 0x5, 0x400000000008061d, 0x3, 0x8, 0xf6, 0x4, 0x6, 0x200, 0x7, 0xe53e, 0x2c, 0x8, 0x22933333, 0x6, 0x5, 0x0, 0xd, 0x2, 0x5, 0x2, 0x2, 0x7, 0xdfd4, 0xfffd, 0x10, 0x8, 0x8, 0x1, 0x8000, 0xeb4, 0x2, 0xfffffffffffffffe, 0xb692, 0xcc, 0x8, 0x3]}) (async)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x40100, 0x0)
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x1000007, 0x2172, 0xffffffffffffffff, 0x0) (async)
mprotect(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x1000001) (async, rerun: 64)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) (rerun: 64)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) (async)
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x6, 0xfffffffffffffffd, 0x2, 0x5, 0x0, 0x4002004c4, 0x1000, 0x0, 0x0, 0x9, 0x0, 0x0, 0x2], 0x8080000, 0x1144})
mlock2(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x0) (async)
madvise(&(0x7f0000ff7000/0x6000)=nil, 0x6000, 0x17) (async)
ioctl$KVM_RUN(r5, 0xae80, 0x0)
ioctl$VHOST_SET_VRING_ADDR(r1, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000500)=""/67, 0x0}) (async)
msync(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xf5e8d0b131c6a560)
ioctl$VHOST_SET_VRING_ADDR(r1, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, 0x0, &(0x7f00000000c0)=""/87, 0x0, 0xeeee0000})
ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000680)) (async, rerun: 32)
write$tcp_congestion(r2, &(0x7f0000000580)='westwood\x00', 0x9) (async, rerun: 32)
ioctl$VHOST_VSOCK_SET_RUNNING(r1, 0x4004af61, &(0x7f0000000000)=0x1)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x1c4f, 0x59, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x50, 0xb1, [{{0x9, 0x4, 0x0, 0x0, 0x2, 0x3, 0x0, 0x4, 0x0, {0x9, 0x21, 0x105, 0x2, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0xc, 0xa}}}}}]}}]}}, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io(r1, &(0x7f0000000340)={0x2c, &(0x7f0000000440)=ANY=[@ANYBLOB="000611001c001109c1658d2bf916ab9f996450b538eb645b0471b29323da4676b95b256bff3aba4967e1c45de0555dca0df284bae3e1a0742d6a2a8d00ca0bd6656b1a82d7503e49c095b032538420dd61542527f3b60b82241a6624a18899115cf7ff7e5378fed0fb9746bc35bb6697e5492570a18359efcdab4d8aab6860d5b8ee0f2f45ac1d12bea1679457b6a6e6dd22d3650930db251b013fd545e6a6317103f6398015555471760e2e4aee3b87392c0000000000"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000280)={0x4000}, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=ANY=[@ANYBLOB="200000001600010a00"], 0x20}}, 0x40816)
r3 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
futex(&(0x7f000000cffc), 0x0, 0x0, 0x0, 0x0, 0x0)
setsockopt$WPAN_SECURITY_LEVEL(r3, 0x0, 0x2, &(0x7f00000000c0)=0x5, 0x4)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@free_buffer={0x40086315}], 0x0, 0x0, 0x0})
openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
syz_genetlink_get_family_id$smc(&(0x7f00000001c0), r2)
r4 = socket(0x28, 0x5, 0x0)
bind$vsock_stream(r4, &(0x7f0000000040)={0x28, 0x0, 0x0, @local}, 0x10)
listen(r4, 0x0)
r5 = socket(0x28, 0x5, 0x0)
connect$vsock_stream(r5, &(0x7f0000000080)={0x28, 0x0, 0x0, @local}, 0x10)
write$binfmt_elf64(r5, &(0x7f0000000240)=ANY=[], 0x40000)
r6 = socket$inet6(0xa, 0x80002, 0x88)
setsockopt$inet6_udp_int(r6, 0x11, 0xa, &(0x7f0000000200)=0x40006, 0x4)
sendmmsg$inet(r6, &(0x7f0000000b00)=[{{&(0x7f0000000100)={0x2, 0x4e20, @local}, 0x10, 0x0}}], 0x1, 0x0)
socket$vsock_stream(0x28, 0x1, 0x0)
accept4$unix(r4, 0x0, 0x0, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='memory.events\x00', 0x275a, 0x0)
socket(0x10, 0x803, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
open(&(0x7f0000000140)='./file0\x00', 0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r7=>0xffffffffffffffff})
fstat(r7, &(0x7f00000000c0))
executing program 3:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
getsockopt$IPT_SO_GET_ENTRIES(r0, 0x0, 0x41, &(0x7f00000003c0)=ANY=[@ANYBLOB="66696c746572010000000000000000000000000000000000000000000000000007"], &(0x7f0000000200)=0x2f)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100})
r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000080)=0x3) (async)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000080)=0x3)
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0x4c, 0x0, &(0x7f00000002c0)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x18, 0x0, 0x0, 0x68, 0x18, &(0x7f0000000000)={@flat=@weak_binder={0x77622a85, 0x90e, 0x2}, @ptr={0x70742a85, 0x0, &(0x7f0000000140)=""/255, 0xff, 0x0, 0x33}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x0, 0x31}}, &(0x7f0000000280)={0x0, 0x18, 0x40}}, 0x10}], 0x50, 0x0, &(0x7f0000000380)="1920ff09471b1099c7961fdcc405843a41a786d3ed8ebe8e80e4b4144e1cf51c728b926c80eb2a8e4f6b2dab5b6ac95dd16066dc703442a9132a8dd210e45df98d795a638622681df1cb222612051f61"}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0x4c, 0x0, &(0x7f00000002c0)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x18, 0x0, 0x0, 0x68, 0x18, &(0x7f0000000000)={@flat=@weak_binder={0x77622a85, 0x90e, 0x2}, @ptr={0x70742a85, 0x0, &(0x7f0000000140)=""/255, 0xff, 0x0, 0x33}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x0, 0x31}}, &(0x7f0000000280)={0x0, 0x18, 0x40}}, 0x10}], 0x50, 0x0, &(0x7f0000000380)="1920ff09471b1099c7961fdcc405843a41a786d3ed8ebe8e80e4b4144e1cf51c728b926c80eb2a8e4f6b2dab5b6ac95dd16066dc703442a9132a8dd210e45df98d795a638622681df1cb222612051f61"})
executing program 3:
r0 = userfaultfd(0x801)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000001c0)={0xaa, 0x46}) (async)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000001c0)={0xaa, 0x46})
ioprio_set$uid(0x3, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x20040, 0x0)
r2 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r2, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4)
setsockopt$packet_rx_ring(r2, 0x107, 0x5, &(0x7f0000000140)=@req={0x35d, 0x1, 0x6, 0x2}, 0x10)
r3 = socket$inet(0x2, 0x4000000000000001, 0x0)
setsockopt$inet_tcp_int(r3, 0x6, 0x80000000000002, 0x0, 0x0)
bind$inet(r3, 0x0, 0x0)
sendto$inet(r3, 0x0, 0x0, 0x200007fd, 0x0, 0x0) (async)
sendto$inet(r3, 0x0, 0x0, 0x200007fd, 0x0, 0x0)
sendmmsg$inet(r3, 0x0, 0x0, 0xc0) (async)
sendmmsg$inet(r3, 0x0, 0x0, 0xc0)
close(0x4) (async)
close(0x4)
syz_usb_connect$hid(0x0, 0x0, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)
r4 = openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
mlock(&(0x7f0000ffa000/0x3000)=nil, 0x3000)
prlimit64(0x0, 0x7, &(0x7f0000000180)={0x1, 0x8}, 0x0)
capset(&(0x7f0000000040)={0x20080522}, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x9})
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) (async)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000200)={'rose0\x00', 0x112})
ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(0xffffffffffffffff, 0xc0145401, 0x0)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, r4, 0x8001)
syz_io_uring_setup(0x1492, &(0x7f00000000c0)={0x0, 0xc494, 0x1000, 0x2, 0x21c}, &(0x7f0000000140), &(0x7f0000000240)) (async)
r6 = syz_io_uring_setup(0x1492, &(0x7f00000000c0)={0x0, 0xc494, 0x1000, 0x2, 0x21c}, &(0x7f0000000140), &(0x7f0000000240))
syz_io_uring_setup(0x5844, &(0x7f0000000000)={0x0, 0xc5f8, 0x40, 0x1, 0xc3, 0x0, r6}, 0x0, 0x0) (async)
syz_io_uring_setup(0x5844, &(0x7f0000000000)={0x0, 0xc5f8, 0x40, 0x1, 0xc3, 0x0, r6}, 0x0, 0x0)
socket$inet_udp(0x2, 0x2, 0x0) (async)
r7 = socket$inet_udp(0x2, 0x2, 0x0)
syz_open_dev$tty20(0xc, 0x4, 0x0) (async)
r8 = syz_open_dev$tty20(0xc, 0x4, 0x0)
ioctl$TCSBRKP(r8, 0x5425, 0x200000000000000)
setsockopt$inet_buf(r7, 0x0, 0x8008000000010, &(0x7f0000000000)="17000000020001000003d68c5ee1768812002b08020300ecff3f0002000300000a000000009afc5ad9485bbb6a880000d6c8db0000dba67e060180000a0000f10607bdff59100ab65761407a681f009cee4a5acb3da400001fb700674f39b44e09f9315033bf79ac2dff060115003901000000000000ea000000000000000009ffff02dfccebf6ba0008400200000000e90554062a80e605007f71174aa951f3c63e5c83f1ba2112ce68bf17a6e000"/184, 0xb8)
sendfile(r1, r1, 0x0, 0x7ffff000)
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000240))
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs2/binder0\x00', 0x2, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_SET_CPUID(r4, 0x4008ae8a, &(0x7f0000000040)={0x0, 0x0, [{0x80000001, 0x6, 0x10800, 0x0, 0x1}]})
ioctl$KVM_SET_MSRS(r4, 0xc008ae88, &(0x7f0000000000)={0x1, 0x0, [{0x20e, 0x0, 0x2886}]})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x18, 0x0, &(0x7f0000000340)=[@increfs, @request_death={0x400c630e, 0x3}], 0x0, 0x0, 0x0})
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x1f0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='net/route\x00')
read$FUSE(r2, &(0x7f0000004640)={0x2020}, 0x2020)
syz_fuse_handle_req(r2, &(0x7f0000000240)="26b2a8dd3bb50b8ceb62f430e5885746b5fd58b5a47a2bf28b373c8660a05cf8181b4b7a61b8ce127e9a2c0e92dea9379d5ca6b58c15037915bb4319621bdbead01cade5fc0535760d2286578af05881b83e2c2007508ed17ff1e44b5f91fd57e1077aaaf77b6741f58c4e426bb9b1ac269ddb81ba7c1d6ee457f1bb8ceb4e8a69db85ebb1df95fec7f3b5bd95dd726c920792e9a54f1641d5578f4347df0d583f76f962383980e8c6a1c123a70212d089e9b35900b052f0ee59eed7cf1e133398f5f5bd78d5c9820ee007f32894a57377a97af57c6d6dd108231b10a94c67f18552a65b870b7a9afcdfb72b57b81b1e424f739df21dfeebfaca906901b2626cfa482aabcc62b510255ee5010b4c1b260471011275c7f242659df63a8de398c2b0dfa67422e519853a439752898451f9f02defd4ae71ecc8aadd28d21a339d35cb425e109a5452d01d1ca2fc9cd2572a1252582d4b179876cc489b1b3fe4767d0356c29e6e0b891991f1dd5acc3c3e35f9d0048ed0e28b9771295729aeb5a1e262ec2fcbb545c3e24799bc424924294928312b42be902842083b4d7383ed289b307b66c8568277b3c17fea747ee49b750d83dd7ea1f18a5eae198451bd2968f823e03a4656cbbb154145465ddc7bcdd0c7b1d07366c0a4090e4023fd98d0f77d3949d7788bf0b31c52c7704bbfd681c4691d16ef610708ad2ae5af88301c5b0451ae9f292f16aa44230e53874a432be156fc74c9690983928aff88c8d817c86913fdc8425cf2cc43297e89321dfbbba3f4f1b8bcb602a17f1f5918c0657a9e0230f2722f2aca5f2f931c8c91dca589c02a711db5b7ca36f3a49282c4ec3b447ddcbb2f94e257a384d8c17980a3962b2c7b5c0b661899fd1451ce783dfb29355650454b65479ef40a319e37e90757ec3e3e08a2bbe0b9bed99d8bb31e5d240ffa66d5162748f30635658f92d864dc6ee1d95d9b6e19e554f6a4a5cb4a067b3c7d7d882ed4f908337febfd5cf00a6fd68e95fe62f5c374399f6d3201d3482a0637ac4d9d8253fbbf6bfdc3feb9db0a3d8a85cb337dc7a1328973e20bb82bcc2ec03a637f4f29e1efcf4fec09568a42ece4ee0508a0da8206989d12e522a65e76c4d64bbaec9f328b927391f2b15c7e8b3f138ef345afcac4d566448f327f84ed41f69b4d40c8309d9d5ed6846f788198e151a48f654d29b659f923858d443e118409541cea176cda5c518a938d10086148efdecda55cd4990922cffc06633c59db0c21d12e4b311e3858e82001c24c2225844019f9d633679ee75a70521da58cb8809c193c0f3389dcf540884ff0b44f224cbe03623ee16ad37e00abd1bdda5972379bfb097aa2ffe5e881ff988644b1364d8117feb6859fa4a942260aa6ac51387bc4c9173b8656813929744af772742e69d78f5b127b3ec8a64a3781a603a56e05eb948a003e54f3095e56899dc6413c4317e12141b3409ee8d33dc77ff33b10c5294c5e6b969848dee370c19e732f3e75a6bf21ad433c99d3978f8a8254fcc589eb067e3663e6179cd7904e080048565f0d8aae47d0dec7830d5eb48cd386ea8ff0cebf7bf86eda674cabd0d06f2068817d1d85f39bff655bda536ca5d9727545b8202a982818c388ab0219021fdf4dcdc5de8731edb03e9170a8867b614e5317f76f44c33563fabb73eb4cf8a766b6299e52d00646262e6e7704748a35322cdd7c52e6bae2654295f7804f68e807d5ce420213a278b751b360bffbc1bb9a027b98e65e9dab8fd143e02c2e6192eb8f411d80aad0fa5ff40ced48d26e076cda037ffed74f19b1a35839239b5d14e57fcba05aad705435f998d5a85c05d944bfc472ecda2974332b9b44c448365682d00e271f0fd2a436057adfb7b8eca4abdb8c1329121d6dae395dd1506a95c0de8191bd69cd1f68ec5af9a88fbb1a37c082b9df5cb390379f2db48c63e9f779b875ef9891a84181900bec4d6f512e4633f6b43b6abcb87e2e72f74d8cb0ea3019860339fdcff45dfe7e0817de819eef61d6e91b05a6b8ce8b0e1416e0210813429ff7a75cbd6e7a8f5c1e41012f8b092c6f0b45896a3de1a278b80104157dec7e210aab22aebb54ec881291fee48bc1c413f6a0704e45c1b00f39d4618147e4e11f429592bc92044a772bb33349d3ee4b6c2c5a5a8fdd5ad65434943c3987be2ab99807e23db8b9ec30a3030be076b7871c1bc7a9d4506f3a1e7b986d2ea1b60f9240db71a360c919dc6dc24f6af5878efd95d83f5a9529266f2fef29af2b60d214b21b6e3b8e5b3555849453f66e3b2fe46c2547690b745cf6b850312d825c73049a9a009d66d0d58801f254e2dc32897d9f3bf6fc3fd9ca6fef5d0f0dc55e85a99d735d1800f418010986d80f04e7f5a37109b73432db749b569966e781e646c0e373c94d7797960e1b73cb6cf58ffed290c567d7b5dc54f7a9c911d19fab72aded28cb7c063c46fd530b6ea9efef61c4da2bd5bad7d317743314ab01046b0f92d9d428a13bf5ff427fe25bdce29637f916b2da55f2f5ff05ea17002bf139a5740b7f2b60d6048844cc3909c76eb9ea0735ebed9c201efb8228245373c97d8c565e1ddb4c4d07c1ee7e3a942eea3cb88b2b263a0e4eef9b5cbc99f0b1fde017d01b15820f55f51d325c77c298b6973ad694b1f3bd5440fe8e8ea72fb10b53bbfb84c7d2b7be416df5cb60ad3607c71b387687752a119afb71cdc53b8a395e0398a5be4ac9a175df444ea715fbb2703911bcc6867a85ae2d76d25af06ed0e3688660dad6d69c1f356d43e655811e4169ff9f3f275a8417c44a9b7f5cc3e6ae05ed6a226da85946e84144191b4018d2a226e957e583fb34af3d4bdfbb59da087565fdd7faca17d652208c129549f16541f8addf7be170c6041459600364f025362ea0726f48cf82521d47eb478c341da8b0ba94e96942787d4046d04e86b3ecdbf4b3579aa8f00ca70e132609df358d9183f6cf6b200dfd16fac3e0bcdb13cc5bfb20bde3cc139967c70fefe3c39f484c442b75a5606a2b4952c799b04957e151d3dd76eeac764170a1929a88a668926fd6c22e9c2327f85fe88d388f4eed175a5c13e82bd6f42a7669341d2f3012c75c9871e419e0f3c7e50e347856415b8584eb2d2a0214d5bb03b10a26505ea9ffc7d5aca844e24af916eebe7513d8dd9145049aa0dd8e2a5a9fc53cef6239f56f2ba429601ead8223b5d89e5326e09f9d7c409a466fe5781435b9c324efc040cface76eb40b2da68b71a8baf2f916303726256c772cf27806d5208724cdf9f4eef7c7f3084a25242479fbe759bde637a7cb96d98510f0a68876d04cb47a3e7614b0b51f8812727b0881da22bf270d4a44206a581e71a7150c4096dc1fbd9e724ac572adfa13d6c2129e51df101bd5fd45bc57c356d67b65f270168bd0601e0241e887becb130fcb72c398c6e50d5123f5e8cef49d7ae92ae8e7de2221677a8aa6a285824ef679c68f87330224ce2c11299878adf4f46ed510fa4286f6110dd9965c189c21e85654d44992593ad75bb264fa4c9c7f600224b8eee14e6bac1aa0f9c9bc8c10caee2826cc6d8a787a9b98f908d062732ac0226268047fb44fd950d8ae380620c1f594a68a0813b492bfa3a8560dc1458ba84ddbf9b58f0f7317589a36c66493d1b1093c50719fe4e7b3a7f9dc61e961b0a36b0d65bd14029ad5b9dacdb4edbf090c2455c6c1af080e5447ec7aad8d1a532a48ce280decb70918738b3dcd49d3ffe16e1a2099f7e083aec3a97866e51d43e2581530e53d269c4ff2a6f576ecadc018f4e233b6e7da57130bdd369bdf5973031b7280d7bfcfc443dfb578de9d60be87e741e3aabedffd7b46e6a1c342661b0a122d579623e6e86e745e6ec3ee53545e9a1f63c1db363f68ee2a693a8f8bcd5f97c575db2ce1e03fee213bbd7a38a288fb83a07b1adeb99932fa55dda4b7e6be199f8f008abaa88c63f59179b47c541d8707709c7cd5f5aa5ed5c4dc63093596b09858952e64133cbe6b7d02b60528d6a263c9b72aa3e751a99e9fd1664121fc0ba9018d61011edd23d29d05c2080e33c721e503113be23973351a68fb5da582205a0e89e69fc84e24f3d4e8629847f9b6ba77e2ffe6ce394f99b1a94576c677e7433aa8bdc4d9779cbb706c6e2f426806d111173ffb0cd4f7be3ccffcfc9e66a16ab2806b6118ce28bc935624f1cbef0c9c4da396e6dc0e87ff20d0fd0e07d49327d8c0c97c7d70c50b584fbe563cde1cb17f36a73ebbe6b331b6321ac5ceba510a35ee913c5542a9d7b12805a29a99d25a5d3bc13a330435d6f0305bf522cc71e261c39d82584440d47fd82b9b31ad4ea0d2922558e6bab6fb6d3f6da9eb2a2e824af6928ee2ce41baee61fd4b5f896bf92bb1cf06c0c5a1b9b81a8216084c8e90451823d6be884a735a2be130304a22d8168c06db9cb6d62ba30079ecc831952f2564b760153311226d2188bc523928aa63223e785e6cf67a01962eed4195d5b06f06f272fe27d38660153c1727cfb438b5d98da5778070791c5ace1fd3ae756c8f261ad9d1c6aec5722a8e0609c3bb672c628879b65fbba3692070781c13bd34a93a5b9fff4f9ac4cd6aa3fdf076eeb4c0cfa14d2a41193e723d6d013995f34c97bd5d438eae8ca9a8a2dfdadec39c84c11cc9e9506020e072908178a6b60c53321c0b857d12b9adb58d90197c090e558d20a29bfd9f2ae297c23f47a544daa537f5780ec75b1824be5c92c20785499143252dd2f6d1f8aaf47deccbabf74ee0d55793b046aee7dc763353249f03cf2f0c60f6dd6ff082a051ffe2c8ef4ae9b1d8a046af67ffab68a4587ccd0a503906cca13aac0b7309d5fed12abd5303d2803f928651b51dd8747db79c56c3e3f89e6799a9dac3a7c57257c6575e133379b6c616dbab839b530e7ede62dc529acf5a6fa061fd1244fbc82d6e883388291ecaf1130151c8da538f8bccb9b871d2ce3417a9212ad94fe94c6e13e06975d8ba285d7e937ac4c6fd89aae06db06940670463d6b86a18856cc978a49f7e407f2e4f042d7ee1b7791cb33697824c68b2535af6c803e7940512da7db39c98ed1030e615569c200bc3ab833156187c25c1f659dcde3434f47a8cce56d821617c58907f80d5628214a0a8aad3fa2087647d52ac1c9692c6b57b85d70cd12875f110e631f3a9e34f21afc401797d9a13753deabb43fef92d691efb19a7120167f838d283fc5f2f1d7b4c2ef736fb1c8a47befcfd320f98461756d6908f00cea4a252733db78b6f67620e1a209e39f788a8360b8f42ccf1776259c6f70ef7ca2b0ee8caf4bf27017730236669eab62ada6db1d381ec2f8c60bebf555425bab9fa4d46823d3b0a1b1f51add64961aa2a073929116f02ea230bfb354019e47800415edeacf72a7daf8930c64adff306aba841fbe75bb18da73441721c86d3a70f9e6025e7fc95516703372fcae04421b08d0edbc5f1b6b6a3c66225011dc19f575111180e8d173922c2e28123347036b3ff2418dd529c49beb2e335801a3a5473c73d71d084c8271c10d86f283a659deaa57fff6673519645e0ee4c915cc3b8c440584fe222b1bc0cc0888142b9753ad409ed41ca16a92a3126ee73f7237523c6c781959fd255c5c0dff4ff324dc3e2246da77281809ead68df57e4ae6c1f8001e6d292e8e42f897b59770ec26b508ac5d57b47ee9696f9d40ceb39f9653a14737ede3f3213147381417d9633d30cc1107dde46e5ead6e4e4dec617202e10b9093e3bb2dfd785dd96a6a64f44bef7465552dc2e391c978c7ac1ce2b8f774d7b3934d15fc6d96eb3de6f0e9402a8538c6081712e5affa5b67b4153217b38f3248b2565c804226f4a31688d5fafacfe2e4fc191791c7164cfa33a474f4a9cd90fb5f37f5268e1801a2a762b00e8b7b2bda1db7a90ccc74ccc0fb015eb49a6ed0236d8b6b0e67bcaeeb750a499cfc3b2dc34e9024ea9bf00e5f0013a15509992979b50617dc14aeb0bac46c6961eca1e96ab2b45d342bc68e88b765a79d73f1eec58167e8ea4752981fd898f1ce528e9ba947723bd4d2ce228b6e5787227697d52f2bd0d4ecbebf5c6164f5819313060579ebb3ddb3c6423adb999975427c2d3da65b3cf52849c75464b46ede138be670742b175474222a47755f8006d4752b6c271643aa622f8439903abe53595792e7856a6e5a5e1b309fa139c2e64e927620c87aec8f36b9509c1d5cdee296bdde21d2cc54e7738070d93552d9ecd799325fe6fae9f3d7046ef1459d401922e3da284b7f6ef67ae196f274f6ce94887bb5ec25c0101618d6118b4cf47e0dfcb8dc89e8f44b47ba19c326db51a75a5b790620a2e460110dbc0f923a7d3825e4ac1d04597c0693fd05d93aabe907b47b1581f915de89c16580ae484f864e583b43ddc0991d716e401f60b6f62ebd52178a9e0adfbecc706dfffe8eee93f67ba2c9da4515bdfffd764741527ec04c3503da653271f2051ddad922ae38cae98c9a2eba5f8470d2551d2224add25a32b9c4d573f69ed15445d2b72ab20d1cd07c2d897dd7c97edab293db9f217a5eee5de9ad08da2f734e617b9f5268a3b91336237f5e9738a65f4adde4279eea09ce40e577b97eb5c67772e4ebee5a33afc7de28c70d97a514cdcd95908d26ad62800900a7cb9dcb88955b5401ccd4d965d00ebf0da48bf43cd2f5b61331894f523685b17beb253c3f50db89e11e664d6427a2551b5bfb2cbbfbf1e8240909d5eef23ccfa23d185391713d1205078be21e99063ff6316c06cd77969dda4d7f3350d4f2f29a23f12e14788fd60cbe4c3c00685a5e42b861597fd3b70c5e0e4d9f02355b754bf353fa2bd5dc0225080c26eb39be11a5b3cfe5264f39399167ab55ae7286f09c1d7fd0fc69bc9c7fca34867b5bf11c43612d3e010d2918a0d9b620549402f2c56e9cf3aa53b7614337f0867fe08170ffb272c5d340f237cdca3e023d2e65b250acf4f265ab8794a5388c5358d7e1cccbf82d99dd1aeba50f3363b9c3b6ac43542334bde8cf2ffd29da1d516bb5d950938f410829e2e37684916e1eac5c2ea1352e7cf6d0bc19bf16bf4ee61e44cd339fadcdf18126c46c0aba43c927510f3b876b32f606bfd2f657254e9715f8151099da8897c287ec1eb9077c72a0a31171f5e2672c16d3907caf659a73a15ec1bbdf240cf5796c22a99933999dd36ab3c354736b45b990e1631be048cad72829f782504ccff0cfc2e1eb5fb3e52e9fa4c3a39ec9ae7ef7b4b9e7e9a721a3f6addace5ca68d525ab9dc0d26b05333dd638bba4e40ec0a716b29172fc84a26c046dcdd0a744af3a7da0eb295a6b0d2a4e45bd6222464cae11bdb5a6c02f8ebb9c8846ca03175d4cab8b9c9531ae686029cc740c296feee12fda2cfb130808a3fd435c13bfca388ab530b8c4b546c4fc9af86596daec4569b5e82c8fd452731e27f9dffdc5713562b99fde6b59948a46f2a44ed0e539469040bb04a54fdf390f589c6491f1057b3d44573838dd2a1271ef8ccec3796012d2debeddb9dd0e252bf622f2671d6940f1c89b3ae38b4fcaa37103d96f4504c5654e603b80f710dc575bfdf2f4fa01741ab79057c15b627cd03e7dc24aab3ee312dd1d7e96731c28e24df9b051fa5972615858f07572d07f6a6f947fecf8acb05d220b68a4962b0bb9e2bb6341b97b0bfb18dc92764ceca8f723592c02104a020dfb9ff06bebc81ea80c68a1fa6175ab4042abd3305c1a17b72ba5491dc812def91672873fdd98632871ed0387e00a80c173b9e8c75e185149d32a9945e2f9707301c96337cd1c44cc13a9f38dc23720558c31c4cf6ff72559794c04af4deccbeddb04f267308e220963bf64d0aa830af54a91ae3ae0eb1aa3d48dde97ddd0916e3c16f4d90ef3e66f06f8c4c3d4fcfe41094708f49ac8d4e7150a74d9378a75018dba062fd1ec331776aafdb64e5e1732ab0f0ce0bd8985ec4b1374a6245b6d714a1c02ababcdc1fe22481a6ad3276662d4c9adf65e9d275afa6d57d6c3bcc6ab68234f4a1dade56c852c86c0bb4f427387bc9ea23e7361b7f518039af614141a12499b9602f95e2a969c7f31cf1056fe3b1954ecaa3db219f546a28e954964268be0296ea2765a8194d88b14869d388996d645f34511d63a602d92e795a0b29773052ce44b008556b6a0fb418a9233ed13edf3bda3db479211d00c16d40ee6321241d884fffeb3c1e2c01707c7aa387778779a241699ef4bd5d7cb8e40986539d0778cc242e98f17e630a09d62155b469ef5dba920d2ef80686c8f9eaf1965b42935d6dc470de7fbe0f5083a4b6ced2fa06b255fc35c3325bcc57ae3ef95ef58edb0b45bbff699de88afa565ab9f98b1c98255dfd6bd3eb18af00b94cbe5f94421b2828b0583c91e7cecd4754003ad8f46a206da99e75056705f9cccc481b591d4c33d96b21acbbdb4e70dfd9b6a2fccaa6a0af7f97fca9da759e62a6fb222341cbab0c808d320ff13a5989ce707aabd7f7c569b3e22e0c91613c483c136fb5b94ff7bdc1f51cbb9f5c46e4b62a19cca73057b78d1f3f8a9b0e2a20b8b8d9f2e8d0459df86c18353fbb3cb6e8b804e28dee571349e16b5df662cdedf1aa5a44eea00b778bc79c16138d85fab98c15ad9f2b83eebdb9432634280768397d2895c10012da8c6659e02295cfa52d6d06ef1e6ed0546d46c676048e5a455261659c83492d355eee56596e520962467fa8b3ae99cea9547d99a6d6b674682363c0dd5c8bd5c63d3bc2d45a94fb4e090ca27028b29a61c53d96ade29f1c60cffb5053b494dd2d7c7ccffc7006e16eb2bdcb360a1e0a3fa1f380616d0298e315808db7ae9ad16b6c4bb7dece5c2c4ba52d514f7fdc9b00e66302d1b6c6a7b5b58adb313e0cec67448238f66f69dd480d304a9831833a1b94f8109c0d2f85e646077bbaf140f9c7e72301d8e452f13711be18bdb48e2f0031c38da789a9e4161b7f0a6da09075414aaf9984ab7f141647c532e3b2530f3fd8a93b4218ecbbff44c4a58cdde1f9d89eb60ebe8033dc10116cbc09d4903bfd0830ef8b0d33572ce61bc028133be720544872e4a205fed6b005e8ed240ceb6e9efdd313b6eb0aed6bdcd335cb1765f2d7ed7f1819e0c04a8989183abcaa3677c35c33d95b139ed63f9f67e51386206ee2a3ad54bd4312b1178ece5a5a76eac9534faf2bb8c7b5105811a34a110553c63f1b9168ec5758e39d1f1baa4fd3e8dec73026c08ddf1568fa04b1a36a98055b6912f4faa0741e0bb5f063dfab6e6a8605b997affc69369980188967e4655c954d31b3ebea8dff5face904366191f0695fd3ccdc5e82c5982243e16a895f8aaf9d63d37ee1d323b296862ad265760a392378bc2ae5d7b75039b77aec33aa00c134f554ca9e5fd162296e915ccd359976e7ce4099bcaa5494c8eb6fa4da2a2e245920762f3639fa4fd4eb0e5e167a5f2111bfa669576ff3e0711a4ad78d2f8477363b03e6a13cd5b479817a62614ef613ac2b03a340114909c7b21ee93adf74c2ee2d4c666f1ab8bc43368e7643f3ea8da5a919b1e3078875228d2b519387ac49b7b9990d7dc229fb9ff0d551d3dfbeb843c8b2782f50cf8c575dec6836259a160a9a047165791d1e759c74ea65f4f9da990fc0e789bcd4ddf716442864788be6f2c5b607b6ddc7f9575b4e8375eea50e98cd9320fe736114e03aa0a2c1430d5cb507b29b388ace6ab58393513724607102a0458a458998e94d71b758df51ed4ecb6c6f2b94c31fb480745fbc6f6dc595c9558161fa14462779952982adb70d70a9f9a734fcbde17652e1a91422f93a6ff7d6c80fc92a5005bedf58aefe9bbba9d0ab3441e86b863bb5a3fdfd2a9c6f6d10717d2cd35d3c2a892f0e58545b1794d9aae993d72c215a6673bbe38976cc7d03cda84999c637aec8036ea1a23b143ed6288dcbc7d1ee487b1b6a4f6e8ef63b378acd4ff888bf95d86336907939c29695b2e0cc58efab49056f88a9027cad6d724e635f94f45f4cbddd8188608663ec7e46547e2aac7dec6cc5609e9f5f41ef26a1f16ecf6bfe200b0a955f98d9a4d41a2a268f8857670e33fbd4f076aa11c49cebd8306a4de3c86f7726fde93c7fc984079ae60e63854ee9a14162c749d7e308530c6b84cb5cafdd09ec3411cc0302c77d316beff973e3108ddb9b249e206d5476d605b7b24603ca344c2263bda8d7d3db55b9e2fcdce69be9b1ce24f8c4df129cd62a299fcbbff3309031973b5da452654c0b8ca4cf65891a8bdb8dedd20f631a34964e3bb0fa45c618861da79b259d79ecde8394061c99c661851c016c35ee8c91d52bbbc25f52b5e2f77ef2f63c764b717e8cce4d291742d5a7ef7f5d7ec1a96620eda1f962fb2448c388873f8b8abea4d27a5da092833c43c57c4b14099597f83785a31190798826f4264ba8f998cfbf7f20f9678e10e05c793f5781f8accca245d047d3be6c10541b2610c02c6e916d3db9776c6964e4519cf2e30708c954ef2492d3418c552dd9b5db4320dab8be6ac3394cb4b3fb1b9d5222c6ca9bd06aae2fef510e541db1209cde21fae56507020e80862d0b875d958346c42ebb781955ab337be61a68534281100247904b81b86aed49544c2452ecffaf6cc116f9d3c7362fc2cc390ab2ad29928b6e8bf90a4f21442fb213dbeeea4b8f481792fc6579b608e3a9c4fbe2755010d7ab3cd122de7a40a1f7780350a31d83ee5006ade36854cbc8e8c648259b29f2f7042719ab4d4d4d1f0c5fe6b717d23a5504335922f84ea8b20c78a5f1ddf6009089ea221353c01963fb8cabd3d795831c86d084660fa7f7d08f3ff15780c5b301ee27ab8d98fb358b90e92de4c96687c37e327ac1f0f23208c41a36e67cc22356df854f2dc309c110cfae51c5cc69051d22477caa1d2a2f276ccfbe907b263bd79ad4c5f6ea2687466f325ff2b1a736fff687c14d477c4c744e9c82be5b8ebfb69db2b312ff540ec8cadfcba9b609cae7e54ff347ed3d2649f9214600870ecba27f98943b4fb72f93b5ecb6d64dc1c7b2e8c2f2cf1006e39a237c5818014df9281feb6e522f6cb2d5ca35aeada09a58d5a6bdc9a75cf81a1c51faa8a3824a58d192a27be9fee5098b2e71d0d3f12917d50667415e418b790e0942260f4d2589c57aa1bd36017bd2bece963f0776f9f76cc66876c3f88f8bdbc35e329ecb56887948fd2c05d49c664509a682c6ff60350070bfd111be86ad2eee8c0d76b851fdb75f08e11fa47b5fd29b57568abbf91d3760652d475558bce2a1393688c9e2b4ae06cb072c294e1396b58db00b09ba8dbdc047a1684cca6e5b04cb52a40dd7b7f72c55292e7af0f3b8dda380d45b4e71c6cf57179247923750551ffd955f815cfbc29dfe5e0b2689eafdf44ce362b9c5864e4003326b2f183df7d39de7632bf3b2a85dca04cda08d10a5bad9ed9b481227e39804c3fd52d8a8f03288e13eb09c9075e23f82123a416e58864d95a321a719f88c8633201eb7d5c429348dfd83b476510f71808f95ab3b11d521004acc6d9168771736ec0a5f7c73ca78a46787c19299a79b453e49317353d6bee5b", 0x2000, &(0x7f0000009600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
mount$incfs(&(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000000), 0x0, 0x0)
r3 = openat$dir(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x10000, 0xa8)
openat$incfs(r3, &(0x7f0000000080)='.pending_reads\x00', 0x200, 0x110)
sendfile(r0, r1, 0x0, 0x5)
executing program 0:
r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
read$FUSE(r0, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x200202, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000000), 0x200, 0x102)
r2 = socket$netlink(0x10, 0x3, 0x10) (async)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000780)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=ANY=[@ANYBLOB="020b0f050f00000026bd7000fcdbdf25040004000900000001f8ffffffffffff0500000000000000ff0100000000000002001000000004d2000004d50000000002000a0030000000050000000000000005000500322000000a"], 0x78}}, 0x24048950)
setsockopt$sock_int(r2, 0x1, 0x8, &(0x7f0000000300), 0x4) (async)
r4 = dup(r2) (async)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r5, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) (async, rerun: 32)
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x20000002}, 0x1c) (async, rerun: 32)
r6 = socket$inet(0x2, 0x4000000000000001, 0x0)
sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async)
read$usbfs(r4, 0x0, 0x0)
syz_usb_connect(0x3, 0x35, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000b58f55408205d5b9f773000000010902230001000000000904080001fff56a00082502017f040e0009050b02"], 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1, 0x2010, r1, 0xfffff000)
executing program 2:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 1:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)
executing program 3:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
executing program 32:
r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
read$FUSE(r0, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x200202, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000000), 0x200, 0x102)
r2 = socket$netlink(0x10, 0x3, 0x10) (async)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000780)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=ANY=[@ANYBLOB="020b0f050f00000026bd7000fcdbdf25040004000900000001f8ffffffffffff0500000000000000ff0100000000000002001000000004d2000004d50000000002000a0030000000050000000000000005000500322000000a"], 0x78}}, 0x24048950)
setsockopt$sock_int(r2, 0x1, 0x8, &(0x7f0000000300), 0x4) (async)
r4 = dup(r2) (async)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r5, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) (async, rerun: 32)
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x20000002}, 0x1c) (async, rerun: 32)
r6 = socket$inet(0x2, 0x4000000000000001, 0x0)
sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async)
read$usbfs(r4, 0x0, 0x0)
syz_usb_connect(0x3, 0x35, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000b58f55408205d5b9f773000000010902230001000000000904080001fff56a00082502017f040e0009050b02"], 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1, 0x2010, r1, 0xfffff000)
executing program 33:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)
executing program 34:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 35:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
bisect: bisecting 28 programs
bisect: split chunks (needed=false): <28>
bisect: split chunk #0 of len 28 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=6m4s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [18, 16, 30, 30, 10, 40, 9, 10, 17, 14, 24, 24, 18, 6, 17, 18, 24, 6]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002})
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r2 = dup3(r1, r0, 0x0)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000640)='./binderfs/binder0\x00', 0x0, 0x0)
syz_kvm_setup_syzos_vm$x86(r2, &(0x7f0000c00000/0x400000)=nil)
r4 = socket$inet6_udplite(0xa, 0x2, 0x88)
ioctl$VHOST_SET_VRING_ADDR(0xffffffffffffffff, 0x4028af11, &(0x7f0000000280)={0x0, 0x0, 0x0, &(0x7f0000000340)=""/185, 0x0, 0x80a0000})
syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000001180)={&(0x7f0000000240)={0x50, 0x0, 0xa6, {0x7, 0x2b, 0x6, 0x2000000, 0xa61, 0x8, 0xffff7161, 0x1, 0x0, 0x0, 0x4}}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
setsockopt$inet6_opts(r4, 0x29, 0x40, &(0x7f0000000240)=ANY=[], 0xd0060)
r5 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000080)={'tunl0\x00', <r6=>0x0})
sendto$packet(r5, &(0x7f00000002c0)="05", 0x1, 0x4, &(0x7f0000000140)={0x11, 0x86dd, r6, 0x1, 0x0, 0x6, @multicast}, 0x14)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, r3, 0x10000000000)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire={0x40046305, 0x3}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x4c, 0x0, &(0x7f0000000100)=[@transaction_sg={0x40486311, {0x1, 0x0, 0x0, 0x0, 0x31, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000280)={@ptr={0x73682a85, 0x0, 0x0, 0x0, 0x0, 0x80000000004}, @fd={0x66642a85, 0x0, r2}, @flat=@weak_handle={0x77682a85, 0x1, 0x2}}, &(0x7f0000000240)={0x0, 0x28, 0x40}}, 0x1000}], 0x0, 0x0, 0x0})
executing program 2:
openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r0 = syz_usb_connect$cdc_ncm(0x3, 0x7f, &(0x7f0000000240)={{0x12, 0x1, 0x200, 0x2, 0x0, 0x0, 0x20, 0x525, 0xa4a1, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x6d, 0x2, 0x1, 0x8, 0x0, 0x9, {{0x9, 0x4, 0x0, 0x0, 0x1, 0x2, 0xd, 0x0, 0x0, {{0xa, 0x24, 0x6, 0x0, 0x1, "7cc6a244db"}, {0x5, 0x24, 0x0, 0x3}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x2, 0xf, 0x9}, {0x6, 0x24, 0x1a, 0x2, 0xd}, [@call_mgmt={0x5, 0x24, 0x1, 0x1, 0x9}, @dmm={0x7, 0x24, 0x14, 0x3, 0x7}]}, {{0x9, 0x5, 0x81, 0x3, 0x40, 0x2, 0x0, 0x6}}}, {}, {0x9, 0x4, 0x1, 0x1, 0x2, 0x2, 0xd, 0x0, 0x0, "", {{{0x9, 0x5, 0x82, 0x2, 0x40, 0x96, 0x3, 0x80}}, {{0x9, 0x5, 0x3, 0x2, 0x10, 0x0, 0xa, 0x3}}}}}}}]}}, &(0x7f00000004c0)={0xa, &(0x7f0000000100)={0xa, 0x6, 0x200, 0x5, 0xfd, 0x8, 0x20, 0x9}, 0x1f, &(0x7f00000002c0)={0x5, 0xf, 0x1f, 0x3, [@ss_container_id={0x14, 0x10, 0x4, 0x6, "e4a5ad9a8cde9c3e54e18f7865399127"}, @ptm_cap={0x3}, @ptm_cap={0x3}]}, 0x5, [{0x8b, &(0x7f0000000300)=@string={0x8b, 0x3, "7de45d845daf93585071e897f2dbfd4684a6061dde1c5c990a345f18d60a6dda8571d0839378ba34fa2ea9486f5330195dec4c815577336dd1bf1cc2024df0a0880076c686dbd4d3b64bea9eda09bb803d9a72bdcb7b32a0c1d0116a2597b6143e7dafbcba1b95ec56899359ea25365cb7b1828a2b88b2f53c94279d59b8cc4470c4373cd11c26171a"}}, {0x4, &(0x7f00000003c0)=@lang_id={0x4, 0x3, 0x2c09}}, {0x4, &(0x7f0000000400)=@lang_id={0x4, 0x3, 0x44d}}, {0x4, &(0x7f0000000440)=@lang_id={0x4, 0x3, 0x1007}}, {0x4, &(0x7f0000000480)=@lang_id={0x4, 0x3, 0x401}}]})
syz_usb_control_io(r0, &(0x7f0000000780)={0x2c, &(0x7f0000000540)={0x20, 0x1, 0x9d, {0x9d, 0x31, "b5a6786efd5f900ba546ea87ff1ea9b0ab5d37de432fa7c4ff06a861e46adc1b854969abbbfaf63c9d0ea90e537a7819c986118e1a99e484732e6f7e6082c0844e273338581bd0c293e7069b8842de58a32eb20f2dd45793419454f71e730b14a97468bd0411fa9749c6baf5adec906e5eb6d41797016f3b1bd188c1122b4cce21ffbf7e3166e57d4bdcd61ea2b55cec5253138b303abc91766ae1"}}, &(0x7f0000000680)={0x0, 0x3, 0x97, @string={0x97, 0x3, "a0a300286cca2c462ef7567dcd93696869b234fb5d14d9c37b5d2480f914b2f026a23a89622a8b1007e324e6496166ecd9a09220eb783103f59111ca54c33a2b3025aed6a36308628b8011b9e11be405c882f69e42ef7d74bf5ddf6f878ebd8d7e03d82002d2b439418f89b3d066f706d30d69c37c6573476f44736b25c8599efd4d45ca45e9ec7501c367242e18f598f194da866b"}}, &(0x7f0000000600)={0x0, 0xf, 0x8, {0x5, 0xf, 0x8, 0x1, [@ptm_cap={0x3}]}}, 0x0, &(0x7f0000000740)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0x9, 0x3, 0x6, 0x68, 0x7, 0x3, 0x7f}}}, &(0x7f0000000c40)={0x84, &(0x7f0000000d00)=ANY=[@ANYBLOB="00037f000000a5533f6b0bb66f5ff843f02da2b58d890bcbc4a74859943db962468a5c05a53f8cb05a1c94e36e4eaa48a89a12308183b82e93f82aa734a30396744eb96deb3df451c3b760840184851c5e8597a0dfed70a990b0ed10b851da7a7173ceafbc3d5604818c759873be1cdae4bf0b368d6c559c917f49c6ed147563ac9ed4c8c9f6a492c73d5bd2545a11410e3859b6c83ed1bedb72e3f76934bdb9c0a353cf826fc5b575622b59ee7f8d3b4cc3dfe883e58e2d59e8aed79ee7bab8cb84f8c04c34a943c81cc76a7b0a3b8218cc09c697863727ddb662785a29b5e20e650ab1ff656d2bc842069680b3a74c51958dda0117ee66c2275053"], &(0x7f0000000880)={0x0, 0xa, 0x1, 0xb}, &(0x7f00000008c0)={0x0, 0x8, 0x1, 0x4}, &(0x7f0000000900)={0x20, 0x0, 0x4, {0x2, 0x1}}, &(0x7f0000000940)={0x20, 0x0, 0x4, {0x4, 0x40}}, &(0x7f0000000980)={0x40, 0x7, 0x2, 0x7}, &(0x7f00000009c0)={0x40, 0x9, 0x1, 0x8}, &(0x7f0000000a00)={0x40, 0xb, 0x2, "8ff4"}, &(0x7f0000000a40)={0x40, 0xf, 0x2, 0x6}, &(0x7f0000000a80)={0x40, 0x13, 0x6, @multicast}, &(0x7f0000000ac0)={0x40, 0x17, 0x6, @multicast}, &(0x7f0000000b00)={0x40, 0x19, 0x2, "6210"}, &(0x7f0000000b40)={0x40, 0x1a, 0x2, 0xfff7}, &(0x7f0000000b80)={0x40, 0x1c, 0x1, 0x9}, &(0x7f0000000bc0)={0x40, 0x1e, 0x1, 0x3}, &(0x7f0000000c00)={0x40, 0x21, 0x1, 0x2}})
r1 = socket$can_raw(0x1d, 0x3, 0x1)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000000)={'vcan0\x00', <r2=>0x0})
bind$can_raw(r1, &(0x7f0000000080)={0x1d, r2}, 0x10)
setsockopt$CAN_RAW_FILTER(r1, 0x65, 0x1, &(0x7f0000000140)=[{{0x4, 0x0, 0x1}, {0x4, 0x0, 0x0, 0x1}}, {{0x4, 0x0, 0x1}, {0x3, 0x1, 0x0, 0x1}}], 0x10)
bind$can_raw(r1, &(0x7f0000000040), 0x10)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000001c0)='./binderfs/binder1\x00', 0x800, 0x0)
syz_clone3(&(0x7f00000005c0)={0x11c103200, 0x0, 0x0, &(0x7f00000003c0), {}, 0x0, 0x0, 0x0, 0x0}, 0x58)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000200)={0x73622a85, 0x10a})
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000140)={0x8, 0x0, &(0x7f0000000040)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000640)={0x20, 0x0, &(0x7f0000000e00)=[@request_death={0x400c6313}, @clear_death={0x400c6313}], 0x0, 0x0, 0x0})
r5 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
openat$cgroup_ro(r5, &(0x7f0000000080)='devices.list\x00', 0x0, 0x0)
executing program 3:
r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f00000005c0), 0x420e43, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x11, r0, 0x45809000) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0)
mkdir(&(0x7f0000000100)='./file1\x00', 0x13b)
mkdir(&(0x7f0000000000)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000380)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}]})
setxattr$security_ima(&(0x7f0000000300)='./bus\x00', &(0x7f0000000340), &(0x7f0000000400)=@md5={0x1, "31a9c79fa63b95fe4578c4d8cfdc2ffd"}, 0x11, 0x1) (async)
r1 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
ioctl$VHOST_SET_VRING_BASE(r1, 0xaf01, 0x0) (async, rerun: 32)
r2 = openat$tcp_congestion(0xffffffffffffff9c, &(0x7f00000002c0), 0x10, 0x0) (rerun: 32)
read(r2, &(0x7f0000000240)=""/2, 0x2)
ioctl$VHOST_SET_LOG_BASE(r1, 0x4008af04, &(0x7f0000000300)=&(0x7f0000000240)) (async, rerun: 64)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f0000000000)={0x73622a85, 0x0, 0x3}) (async, rerun: 64)
ioctl$KVM_CLEAR_DIRTY_LOG(0xffffffffffffffff, 0xc018aec0, &(0x7f0000000140)={0x0, 0x2c0, 0x0, &(0x7f0000000180)=[0x6bd1a312, 0xec66, 0xff, 0x8, 0x98bd, 0x800000000000009, 0x0, 0x100000000000004, 0x10000, 0x100, 0x9004, 0x0, 0x3, 0x5, 0xffffffffffffffff, 0x49, 0x3ff, 0x5, 0x0, 0x9, 0x8, 0x7, 0x1c1, 0x1000000003, 0x2, 0x2, 0x6, 0x7, 0x96, 0xffffffff, 0xffffffff00000000, 0x0, 0x4, 0x7, 0x23b, 0x3, 0x2, 0x888f, 0x4, 0x8, 0x6, 0x6, 0x3, 0xa3de, 0x20000000006, 0x8, 0x5c3e, 0x400, 0x3, 0xfffffffffffffff7, 0xfffffffffffffffa, 0x2, 0xe, 0x7, 0x4, 0xe6, 0x200000000000101, 0x5, 0x9, 0x66, 0x6, 0x7, 0x40000005, 0xfffffffeffffffff, 0xc, 0xd, 0x9, 0xe8, 0x80000000, 0xfffffffffffffc00, 0x2, 0x4, 0x2, 0xcdc, 0x7, 0x2, 0x3, 0x2, 0x5, 0xfff, 0x6, 0x4, 0x6, 0xab6, 0x0, 0x8, 0xfff, 0xffffffffffffff81, 0x9, 0xff, 0x6, 0x28000000, 0x5, 0x400000000008061d, 0x3, 0x8, 0xf6, 0x4, 0x6, 0x200, 0x7, 0xe53e, 0x2c, 0x8, 0x22933333, 0x6, 0x5, 0x0, 0xd, 0x2, 0x5, 0x2, 0x2, 0x7, 0xdfd4, 0xfffd, 0x10, 0x8, 0x8, 0x1, 0x8000, 0xeb4, 0x2, 0xfffffffffffffffe, 0xb692, 0xcc, 0x8, 0x3]}) (async)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x40100, 0x0)
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x1000007, 0x2172, 0xffffffffffffffff, 0x0) (async)
mprotect(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x1000001) (async, rerun: 64)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) (rerun: 64)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) (async)
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x6, 0xfffffffffffffffd, 0x2, 0x5, 0x0, 0x4002004c4, 0x1000, 0x0, 0x0, 0x9, 0x0, 0x0, 0x2], 0x8080000, 0x1144})
mlock2(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x0) (async)
madvise(&(0x7f0000ff7000/0x6000)=nil, 0x6000, 0x17) (async)
ioctl$KVM_RUN(r5, 0xae80, 0x0)
ioctl$VHOST_SET_VRING_ADDR(r1, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000500)=""/67, 0x0}) (async)
msync(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0xf5e8d0b131c6a560)
ioctl$VHOST_SET_VRING_ADDR(r1, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, 0x0, &(0x7f00000000c0)=""/87, 0x0, 0xeeee0000})
ioctl$VHOST_SET_MEM_TABLE(r1, 0x4008af03, &(0x7f0000000680)) (async, rerun: 32)
write$tcp_congestion(r2, &(0x7f0000000580)='westwood\x00', 0x9) (async, rerun: 32)
ioctl$VHOST_VSOCK_SET_RUNNING(r1, 0x4004af61, &(0x7f0000000000)=0x1)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
r1 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x1c4f, 0x59, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x50, 0xb1, [{{0x9, 0x4, 0x0, 0x0, 0x2, 0x3, 0x0, 0x4, 0x0, {0x9, 0x21, 0x105, 0x2, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x10, 0xc, 0xa}}}}}]}}]}}, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io(r1, &(0x7f0000000340)={0x2c, &(0x7f0000000440)=ANY=[@ANYBLOB="000611001c001109c1658d2bf916ab9f996450b538eb645b0471b29323da4676b95b256bff3aba4967e1c45de0555dca0df284bae3e1a0742d6a2a8d00ca0bd6656b1a82d7503e49c095b032538420dd61542527f3b60b82241a6624a18899115cf7ff7e5378fed0fb9746bc35bb6697e5492570a18359efcdab4d8aab6860d5b8ee0f2f45ac1d12bea1679457b6a6e6dd22d3650930db251b013fd545e6a6317103f6398015555471760e2e4aee3b87392c0000000000"], 0x0, 0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000280)={0x4000}, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=ANY=[@ANYBLOB="200000001600010a00"], 0x20}}, 0x40816)
r3 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
futex(&(0x7f000000cffc), 0x0, 0x0, 0x0, 0x0, 0x0)
setsockopt$WPAN_SECURITY_LEVEL(r3, 0x0, 0x2, &(0x7f00000000c0)=0x5, 0x4)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000100)={0xc, 0x0, &(0x7f0000000000)=[@free_buffer={0x40086315}], 0x0, 0x0, 0x0})
openat$selinux_mls(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
syz_genetlink_get_family_id$smc(&(0x7f00000001c0), r2)
r4 = socket(0x28, 0x5, 0x0)
bind$vsock_stream(r4, &(0x7f0000000040)={0x28, 0x0, 0x0, @local}, 0x10)
listen(r4, 0x0)
r5 = socket(0x28, 0x5, 0x0)
connect$vsock_stream(r5, &(0x7f0000000080)={0x28, 0x0, 0x0, @local}, 0x10)
write$binfmt_elf64(r5, &(0x7f0000000240)=ANY=[], 0x40000)
r6 = socket$inet6(0xa, 0x80002, 0x88)
setsockopt$inet6_udp_int(r6, 0x11, 0xa, &(0x7f0000000200)=0x40006, 0x4)
sendmmsg$inet(r6, &(0x7f0000000b00)=[{{&(0x7f0000000100)={0x2, 0x4e20, @local}, 0x10, 0x0}}], 0x1, 0x0)
socket$vsock_stream(0x28, 0x1, 0x0)
accept4$unix(r4, 0x0, 0x0, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='memory.events\x00', 0x275a, 0x0)
socket(0x10, 0x803, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
open(&(0x7f0000000140)='./file0\x00', 0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r7=>0xffffffffffffffff})
fstat(r7, &(0x7f00000000c0))
executing program 3:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
getsockopt$IPT_SO_GET_ENTRIES(r0, 0x0, 0x41, &(0x7f00000003c0)=ANY=[@ANYBLOB="66696c746572010000000000000000000000000000000000000000000000000007"], &(0x7f0000000200)=0x2f)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100})
r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000080)=0x3) (async)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000080)=0x3)
mmap$binder(&(0x7f00000a0000)=nil, 0x2000, 0x1, 0x11, r1, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0x4c, 0x0, &(0x7f00000002c0)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x18, 0x0, 0x0, 0x68, 0x18, &(0x7f0000000000)={@flat=@weak_binder={0x77622a85, 0x90e, 0x2}, @ptr={0x70742a85, 0x0, &(0x7f0000000140)=""/255, 0xff, 0x0, 0x33}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x0, 0x31}}, &(0x7f0000000280)={0x0, 0x18, 0x40}}, 0x10}], 0x50, 0x0, &(0x7f0000000380)="1920ff09471b1099c7961fdcc405843a41a786d3ed8ebe8e80e4b4144e1cf51c728b926c80eb2a8e4f6b2dab5b6ac95dd16066dc703442a9132a8dd210e45df98d795a638622681df1cb222612051f61"}) (async)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000100)={0x4c, 0x0, &(0x7f00000002c0)=[@transaction_sg={0x40486311, {0x0, 0x0, 0x0, 0x0, 0x18, 0x0, 0x0, 0x68, 0x18, &(0x7f0000000000)={@flat=@weak_binder={0x77622a85, 0x90e, 0x2}, @ptr={0x70742a85, 0x0, &(0x7f0000000140)=""/255, 0xff, 0x0, 0x33}, @ptr={0x70742a85, 0x0, 0x0, 0x0, 0x0, 0x31}}, &(0x7f0000000280)={0x0, 0x18, 0x40}}, 0x10}], 0x50, 0x0, &(0x7f0000000380)="1920ff09471b1099c7961fdcc405843a41a786d3ed8ebe8e80e4b4144e1cf51c728b926c80eb2a8e4f6b2dab5b6ac95dd16066dc703442a9132a8dd210e45df98d795a638622681df1cb222612051f61"})
executing program 3:
r0 = userfaultfd(0x801)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000001c0)={0xaa, 0x46}) (async)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000001c0)={0xaa, 0x46})
ioprio_set$uid(0x3, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x20040, 0x0)
r2 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r2, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4)
setsockopt$packet_rx_ring(r2, 0x107, 0x5, &(0x7f0000000140)=@req={0x35d, 0x1, 0x6, 0x2}, 0x10)
r3 = socket$inet(0x2, 0x4000000000000001, 0x0)
setsockopt$inet_tcp_int(r3, 0x6, 0x80000000000002, 0x0, 0x0)
bind$inet(r3, 0x0, 0x0)
sendto$inet(r3, 0x0, 0x0, 0x200007fd, 0x0, 0x0) (async)
sendto$inet(r3, 0x0, 0x0, 0x200007fd, 0x0, 0x0)
sendmmsg$inet(r3, 0x0, 0x0, 0xc0) (async)
sendmmsg$inet(r3, 0x0, 0x0, 0xc0)
close(0x4) (async)
close(0x4)
syz_usb_connect$hid(0x0, 0x0, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)
r4 = openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
mlock(&(0x7f0000ffa000/0x3000)=nil, 0x3000)
prlimit64(0x0, 0x7, &(0x7f0000000180)={0x1, 0x8}, 0x0)
capset(&(0x7f0000000040)={0x20080522}, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x9})
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) (async)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000200)={'rose0\x00', 0x112})
ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(0xffffffffffffffff, 0xc0145401, 0x0)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, r4, 0x8001)
syz_io_uring_setup(0x1492, &(0x7f00000000c0)={0x0, 0xc494, 0x1000, 0x2, 0x21c}, &(0x7f0000000140), &(0x7f0000000240)) (async)
r6 = syz_io_uring_setup(0x1492, &(0x7f00000000c0)={0x0, 0xc494, 0x1000, 0x2, 0x21c}, &(0x7f0000000140), &(0x7f0000000240))
syz_io_uring_setup(0x5844, &(0x7f0000000000)={0x0, 0xc5f8, 0x40, 0x1, 0xc3, 0x0, r6}, 0x0, 0x0) (async)
syz_io_uring_setup(0x5844, &(0x7f0000000000)={0x0, 0xc5f8, 0x40, 0x1, 0xc3, 0x0, r6}, 0x0, 0x0)
socket$inet_udp(0x2, 0x2, 0x0) (async)
r7 = socket$inet_udp(0x2, 0x2, 0x0)
syz_open_dev$tty20(0xc, 0x4, 0x0) (async)
r8 = syz_open_dev$tty20(0xc, 0x4, 0x0)
ioctl$TCSBRKP(r8, 0x5425, 0x200000000000000)
setsockopt$inet_buf(r7, 0x0, 0x8008000000010, &(0x7f0000000000)="17000000020001000003d68c5ee1768812002b08020300ecff3f0002000300000a000000009afc5ad9485bbb6a880000d6c8db0000dba67e060180000a0000f10607bdff59100ab65761407a681f009cee4a5acb3da400001fb700674f39b44e09f9315033bf79ac2dff060115003901000000000000ea000000000000000009ffff02dfccebf6ba0008400200000000e90554062a80e605007f71174aa951f3c63e5c83f1ba2112ce68bf17a6e000"/184, 0xb8)
sendfile(r1, r1, 0x0, 0x7ffff000)
executing program 0:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000240))
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs2/binder0\x00', 0x2, 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_SET_CPUID(r4, 0x4008ae8a, &(0x7f0000000040)={0x0, 0x0, [{0x80000001, 0x6, 0x10800, 0x0, 0x1}]})
ioctl$KVM_SET_MSRS(r4, 0xc008ae88, &(0x7f0000000000)={0x1, 0x0, [{0x20e, 0x0, 0x2886}]})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x18, 0x0, &(0x7f0000000340)=[@increfs, @request_death={0x400c630e, 0x3}], 0x0, 0x0, 0x0})
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x1f0)
r2 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='net/route\x00')
read$FUSE(r2, &(0x7f0000004640)={0x2020}, 0x2020)
syz_fuse_handle_req(r2, &(0x7f0000000240)="26b2a8dd3bb50b8ceb62f430e5885746b5fd58b5a47a2bf28b373c8660a05cf8181b4b7a61b8ce127e9a2c0e92dea9379d5ca6b58c15037915bb4319621bdbead01cade5fc0535760d2286578af05881b83e2c2007508ed17ff1e44b5f91fd57e1077aaaf77b6741f58c4e426bb9b1ac269ddb81ba7c1d6ee457f1bb8ceb4e8a69db85ebb1df95fec7f3b5bd95dd726c920792e9a54f1641d5578f4347df0d583f76f962383980e8c6a1c123a70212d089e9b35900b052f0ee59eed7cf1e133398f5f5bd78d5c9820ee007f32894a57377a97af57c6d6dd108231b10a94c67f18552a65b870b7a9afcdfb72b57b81b1e424f739df21dfeebfaca906901b2626cfa482aabcc62b510255ee5010b4c1b260471011275c7f242659df63a8de398c2b0dfa67422e519853a439752898451f9f02defd4ae71ecc8aadd28d21a339d35cb425e109a5452d01d1ca2fc9cd2572a1252582d4b179876cc489b1b3fe4767d0356c29e6e0b891991f1dd5acc3c3e35f9d0048ed0e28b9771295729aeb5a1e262ec2fcbb545c3e24799bc424924294928312b42be902842083b4d7383ed289b307b66c8568277b3c17fea747ee49b750d83dd7ea1f18a5eae198451bd2968f823e03a4656cbbb154145465ddc7bcdd0c7b1d07366c0a4090e4023fd98d0f77d3949d7788bf0b31c52c7704bbfd681c4691d16ef610708ad2ae5af88301c5b0451ae9f292f16aa44230e53874a432be156fc74c9690983928aff88c8d817c86913fdc8425cf2cc43297e89321dfbbba3f4f1b8bcb602a17f1f5918c0657a9e0230f2722f2aca5f2f931c8c91dca589c02a711db5b7ca36f3a49282c4ec3b447ddcbb2f94e257a384d8c17980a3962b2c7b5c0b661899fd1451ce783dfb29355650454b65479ef40a319e37e90757ec3e3e08a2bbe0b9bed99d8bb31e5d240ffa66d5162748f30635658f92d864dc6ee1d95d9b6e19e554f6a4a5cb4a067b3c7d7d882ed4f908337febfd5cf00a6fd68e95fe62f5c374399f6d3201d3482a0637ac4d9d8253fbbf6bfdc3feb9db0a3d8a85cb337dc7a1328973e20bb82bcc2ec03a637f4f29e1efcf4fec09568a42ece4ee0508a0da8206989d12e522a65e76c4d64bbaec9f328b927391f2b15c7e8b3f138ef345afcac4d566448f327f84ed41f69b4d40c8309d9d5ed6846f788198e151a48f654d29b659f923858d443e118409541cea176cda5c518a938d10086148efdecda55cd4990922cffc06633c59db0c21d12e4b311e3858e82001c24c2225844019f9d633679ee75a70521da58cb8809c193c0f3389dcf540884ff0b44f224cbe03623ee16ad37e00abd1bdda5972379bfb097aa2ffe5e881ff988644b1364d8117feb6859fa4a942260aa6ac51387bc4c9173b8656813929744af772742e69d78f5b127b3ec8a64a3781a603a56e05eb948a003e54f3095e56899dc6413c4317e12141b3409ee8d33dc77ff33b10c5294c5e6b969848dee370c19e732f3e75a6bf21ad433c99d3978f8a8254fcc589eb067e3663e6179cd7904e080048565f0d8aae47d0dec7830d5eb48cd386ea8ff0cebf7bf86eda674cabd0d06f2068817d1d85f39bff655bda536ca5d9727545b8202a982818c388ab0219021fdf4dcdc5de8731edb03e9170a8867b614e5317f76f44c33563fabb73eb4cf8a766b6299e52d00646262e6e7704748a35322cdd7c52e6bae2654295f7804f68e807d5ce420213a278b751b360bffbc1bb9a027b98e65e9dab8fd143e02c2e6192eb8f411d80aad0fa5ff40ced48d26e076cda037ffed74f19b1a35839239b5d14e57fcba05aad705435f998d5a85c05d944bfc472ecda2974332b9b44c448365682d00e271f0fd2a436057adfb7b8eca4abdb8c1329121d6dae395dd1506a95c0de8191bd69cd1f68ec5af9a88fbb1a37c082b9df5cb390379f2db48c63e9f779b875ef9891a84181900bec4d6f512e4633f6b43b6abcb87e2e72f74d8cb0ea3019860339fdcff45dfe7e0817de819eef61d6e91b05a6b8ce8b0e1416e0210813429ff7a75cbd6e7a8f5c1e41012f8b092c6f0b45896a3de1a278b80104157dec7e210aab22aebb54ec881291fee48bc1c413f6a0704e45c1b00f39d4618147e4e11f429592bc92044a772bb33349d3ee4b6c2c5a5a8fdd5ad65434943c3987be2ab99807e23db8b9ec30a3030be076b7871c1bc7a9d4506f3a1e7b986d2ea1b60f9240db71a360c919dc6dc24f6af5878efd95d83f5a9529266f2fef29af2b60d214b21b6e3b8e5b3555849453f66e3b2fe46c2547690b745cf6b850312d825c73049a9a009d66d0d58801f254e2dc32897d9f3bf6fc3fd9ca6fef5d0f0dc55e85a99d735d1800f418010986d80f04e7f5a37109b73432db749b569966e781e646c0e373c94d7797960e1b73cb6cf58ffed290c567d7b5dc54f7a9c911d19fab72aded28cb7c063c46fd530b6ea9efef61c4da2bd5bad7d317743314ab01046b0f92d9d428a13bf5ff427fe25bdce29637f916b2da55f2f5ff05ea17002bf139a5740b7f2b60d6048844cc3909c76eb9ea0735ebed9c201efb8228245373c97d8c565e1ddb4c4d07c1ee7e3a942eea3cb88b2b263a0e4eef9b5cbc99f0b1fde017d01b15820f55f51d325c77c298b6973ad694b1f3bd5440fe8e8ea72fb10b53bbfb84c7d2b7be416df5cb60ad3607c71b387687752a119afb71cdc53b8a395e0398a5be4ac9a175df444ea715fbb2703911bcc6867a85ae2d76d25af06ed0e3688660dad6d69c1f356d43e655811e4169ff9f3f275a8417c44a9b7f5cc3e6ae05ed6a226da85946e84144191b4018d2a226e957e583fb34af3d4bdfbb59da087565fdd7faca17d652208c129549f16541f8addf7be170c6041459600364f025362ea0726f48cf82521d47eb478c341da8b0ba94e96942787d4046d04e86b3ecdbf4b3579aa8f00ca70e132609df358d9183f6cf6b200dfd16fac3e0bcdb13cc5bfb20bde3cc139967c70fefe3c39f484c442b75a5606a2b4952c799b04957e151d3dd76eeac764170a1929a88a668926fd6c22e9c2327f85fe88d388f4eed175a5c13e82bd6f42a7669341d2f3012c75c9871e419e0f3c7e50e347856415b8584eb2d2a0214d5bb03b10a26505ea9ffc7d5aca844e24af916eebe7513d8dd9145049aa0dd8e2a5a9fc53cef6239f56f2ba429601ead8223b5d89e5326e09f9d7c409a466fe5781435b9c324efc040cface76eb40b2da68b71a8baf2f916303726256c772cf27806d5208724cdf9f4eef7c7f3084a25242479fbe759bde637a7cb96d98510f0a68876d04cb47a3e7614b0b51f8812727b0881da22bf270d4a44206a581e71a7150c4096dc1fbd9e724ac572adfa13d6c2129e51df101bd5fd45bc57c356d67b65f270168bd0601e0241e887becb130fcb72c398c6e50d5123f5e8cef49d7ae92ae8e7de2221677a8aa6a285824ef679c68f87330224ce2c11299878adf4f46ed510fa4286f6110dd9965c189c21e85654d44992593ad75bb264fa4c9c7f600224b8eee14e6bac1aa0f9c9bc8c10caee2826cc6d8a787a9b98f908d062732ac0226268047fb44fd950d8ae380620c1f594a68a0813b492bfa3a8560dc1458ba84ddbf9b58f0f7317589a36c66493d1b1093c50719fe4e7b3a7f9dc61e961b0a36b0d65bd14029ad5b9dacdb4edbf090c2455c6c1af080e5447ec7aad8d1a532a48ce280decb70918738b3dcd49d3ffe16e1a2099f7e083aec3a97866e51d43e2581530e53d269c4ff2a6f576ecadc018f4e233b6e7da57130bdd369bdf5973031b7280d7bfcfc443dfb578de9d60be87e741e3aabedffd7b46e6a1c342661b0a122d579623e6e86e745e6ec3ee53545e9a1f63c1db363f68ee2a693a8f8bcd5f97c575db2ce1e03fee213bbd7a38a288fb83a07b1adeb99932fa55dda4b7e6be199f8f008abaa88c63f59179b47c541d8707709c7cd5f5aa5ed5c4dc63093596b09858952e64133cbe6b7d02b60528d6a263c9b72aa3e751a99e9fd1664121fc0ba9018d61011edd23d29d05c2080e33c721e503113be23973351a68fb5da582205a0e89e69fc84e24f3d4e8629847f9b6ba77e2ffe6ce394f99b1a94576c677e7433aa8bdc4d9779cbb706c6e2f426806d111173ffb0cd4f7be3ccffcfc9e66a16ab2806b6118ce28bc935624f1cbef0c9c4da396e6dc0e87ff20d0fd0e07d49327d8c0c97c7d70c50b584fbe563cde1cb17f36a73ebbe6b331b6321ac5ceba510a35ee913c5542a9d7b12805a29a99d25a5d3bc13a330435d6f0305bf522cc71e261c39d82584440d47fd82b9b31ad4ea0d2922558e6bab6fb6d3f6da9eb2a2e824af6928ee2ce41baee61fd4b5f896bf92bb1cf06c0c5a1b9b81a8216084c8e90451823d6be884a735a2be130304a22d8168c06db9cb6d62ba30079ecc831952f2564b760153311226d2188bc523928aa63223e785e6cf67a01962eed4195d5b06f06f272fe27d38660153c1727cfb438b5d98da5778070791c5ace1fd3ae756c8f261ad9d1c6aec5722a8e0609c3bb672c628879b65fbba3692070781c13bd34a93a5b9fff4f9ac4cd6aa3fdf076eeb4c0cfa14d2a41193e723d6d013995f34c97bd5d438eae8ca9a8a2dfdadec39c84c11cc9e9506020e072908178a6b60c53321c0b857d12b9adb58d90197c090e558d20a29bfd9f2ae297c23f47a544daa537f5780ec75b1824be5c92c20785499143252dd2f6d1f8aaf47deccbabf74ee0d55793b046aee7dc763353249f03cf2f0c60f6dd6ff082a051ffe2c8ef4ae9b1d8a046af67ffab68a4587ccd0a503906cca13aac0b7309d5fed12abd5303d2803f928651b51dd8747db79c56c3e3f89e6799a9dac3a7c57257c6575e133379b6c616dbab839b530e7ede62dc529acf5a6fa061fd1244fbc82d6e883388291ecaf1130151c8da538f8bccb9b871d2ce3417a9212ad94fe94c6e13e06975d8ba285d7e937ac4c6fd89aae06db06940670463d6b86a18856cc978a49f7e407f2e4f042d7ee1b7791cb33697824c68b2535af6c803e7940512da7db39c98ed1030e615569c200bc3ab833156187c25c1f659dcde3434f47a8cce56d821617c58907f80d5628214a0a8aad3fa2087647d52ac1c9692c6b57b85d70cd12875f110e631f3a9e34f21afc401797d9a13753deabb43fef92d691efb19a7120167f838d283fc5f2f1d7b4c2ef736fb1c8a47befcfd320f98461756d6908f00cea4a252733db78b6f67620e1a209e39f788a8360b8f42ccf1776259c6f70ef7ca2b0ee8caf4bf27017730236669eab62ada6db1d381ec2f8c60bebf555425bab9fa4d46823d3b0a1b1f51add64961aa2a073929116f02ea230bfb354019e47800415edeacf72a7daf8930c64adff306aba841fbe75bb18da73441721c86d3a70f9e6025e7fc95516703372fcae04421b08d0edbc5f1b6b6a3c66225011dc19f575111180e8d173922c2e28123347036b3ff2418dd529c49beb2e335801a3a5473c73d71d084c8271c10d86f283a659deaa57fff6673519645e0ee4c915cc3b8c440584fe222b1bc0cc0888142b9753ad409ed41ca16a92a3126ee73f7237523c6c781959fd255c5c0dff4ff324dc3e2246da77281809ead68df57e4ae6c1f8001e6d292e8e42f897b59770ec26b508ac5d57b47ee9696f9d40ceb39f9653a14737ede3f3213147381417d9633d30cc1107dde46e5ead6e4e4dec617202e10b9093e3bb2dfd785dd96a6a64f44bef7465552dc2e391c978c7ac1ce2b8f774d7b3934d15fc6d96eb3de6f0e9402a8538c6081712e5affa5b67b4153217b38f3248b2565c804226f4a31688d5fafacfe2e4fc191791c7164cfa33a474f4a9cd90fb5f37f5268e1801a2a762b00e8b7b2bda1db7a90ccc74ccc0fb015eb49a6ed0236d8b6b0e67bcaeeb750a499cfc3b2dc34e9024ea9bf00e5f0013a15509992979b50617dc14aeb0bac46c6961eca1e96ab2b45d342bc68e88b765a79d73f1eec58167e8ea4752981fd898f1ce528e9ba947723bd4d2ce228b6e5787227697d52f2bd0d4ecbebf5c6164f5819313060579ebb3ddb3c6423adb999975427c2d3da65b3cf52849c75464b46ede138be670742b175474222a47755f8006d4752b6c271643aa622f8439903abe53595792e7856a6e5a5e1b309fa139c2e64e927620c87aec8f36b9509c1d5cdee296bdde21d2cc54e7738070d93552d9ecd799325fe6fae9f3d7046ef1459d401922e3da284b7f6ef67ae196f274f6ce94887bb5ec25c0101618d6118b4cf47e0dfcb8dc89e8f44b47ba19c326db51a75a5b790620a2e460110dbc0f923a7d3825e4ac1d04597c0693fd05d93aabe907b47b1581f915de89c16580ae484f864e583b43ddc0991d716e401f60b6f62ebd52178a9e0adfbecc706dfffe8eee93f67ba2c9da4515bdfffd764741527ec04c3503da653271f2051ddad922ae38cae98c9a2eba5f8470d2551d2224add25a32b9c4d573f69ed15445d2b72ab20d1cd07c2d897dd7c97edab293db9f217a5eee5de9ad08da2f734e617b9f5268a3b91336237f5e9738a65f4adde4279eea09ce40e577b97eb5c67772e4ebee5a33afc7de28c70d97a514cdcd95908d26ad62800900a7cb9dcb88955b5401ccd4d965d00ebf0da48bf43cd2f5b61331894f523685b17beb253c3f50db89e11e664d6427a2551b5bfb2cbbfbf1e8240909d5eef23ccfa23d185391713d1205078be21e99063ff6316c06cd77969dda4d7f3350d4f2f29a23f12e14788fd60cbe4c3c00685a5e42b861597fd3b70c5e0e4d9f02355b754bf353fa2bd5dc0225080c26eb39be11a5b3cfe5264f39399167ab55ae7286f09c1d7fd0fc69bc9c7fca34867b5bf11c43612d3e010d2918a0d9b620549402f2c56e9cf3aa53b7614337f0867fe08170ffb272c5d340f237cdca3e023d2e65b250acf4f265ab8794a5388c5358d7e1cccbf82d99dd1aeba50f3363b9c3b6ac43542334bde8cf2ffd29da1d516bb5d950938f410829e2e37684916e1eac5c2ea1352e7cf6d0bc19bf16bf4ee61e44cd339fadcdf18126c46c0aba43c927510f3b876b32f606bfd2f657254e9715f8151099da8897c287ec1eb9077c72a0a31171f5e2672c16d3907caf659a73a15ec1bbdf240cf5796c22a99933999dd36ab3c354736b45b990e1631be048cad72829f782504ccff0cfc2e1eb5fb3e52e9fa4c3a39ec9ae7ef7b4b9e7e9a721a3f6addace5ca68d525ab9dc0d26b05333dd638bba4e40ec0a716b29172fc84a26c046dcdd0a744af3a7da0eb295a6b0d2a4e45bd6222464cae11bdb5a6c02f8ebb9c8846ca03175d4cab8b9c9531ae686029cc740c296feee12fda2cfb130808a3fd435c13bfca388ab530b8c4b546c4fc9af86596daec4569b5e82c8fd452731e27f9dffdc5713562b99fde6b59948a46f2a44ed0e539469040bb04a54fdf390f589c6491f1057b3d44573838dd2a1271ef8ccec3796012d2debeddb9dd0e252bf622f2671d6940f1c89b3ae38b4fcaa37103d96f4504c5654e603b80f710dc575bfdf2f4fa01741ab79057c15b627cd03e7dc24aab3ee312dd1d7e96731c28e24df9b051fa5972615858f07572d07f6a6f947fecf8acb05d220b68a4962b0bb9e2bb6341b97b0bfb18dc92764ceca8f723592c02104a020dfb9ff06bebc81ea80c68a1fa6175ab4042abd3305c1a17b72ba5491dc812def91672873fdd98632871ed0387e00a80c173b9e8c75e185149d32a9945e2f9707301c96337cd1c44cc13a9f38dc23720558c31c4cf6ff72559794c04af4deccbeddb04f267308e220963bf64d0aa830af54a91ae3ae0eb1aa3d48dde97ddd0916e3c16f4d90ef3e66f06f8c4c3d4fcfe41094708f49ac8d4e7150a74d9378a75018dba062fd1ec331776aafdb64e5e1732ab0f0ce0bd8985ec4b1374a6245b6d714a1c02ababcdc1fe22481a6ad3276662d4c9adf65e9d275afa6d57d6c3bcc6ab68234f4a1dade56c852c86c0bb4f427387bc9ea23e7361b7f518039af614141a12499b9602f95e2a969c7f31cf1056fe3b1954ecaa3db219f546a28e954964268be0296ea2765a8194d88b14869d388996d645f34511d63a602d92e795a0b29773052ce44b008556b6a0fb418a9233ed13edf3bda3db479211d00c16d40ee6321241d884fffeb3c1e2c01707c7aa387778779a241699ef4bd5d7cb8e40986539d0778cc242e98f17e630a09d62155b469ef5dba920d2ef80686c8f9eaf1965b42935d6dc470de7fbe0f5083a4b6ced2fa06b255fc35c3325bcc57ae3ef95ef58edb0b45bbff699de88afa565ab9f98b1c98255dfd6bd3eb18af00b94cbe5f94421b2828b0583c91e7cecd4754003ad8f46a206da99e75056705f9cccc481b591d4c33d96b21acbbdb4e70dfd9b6a2fccaa6a0af7f97fca9da759e62a6fb222341cbab0c808d320ff13a5989ce707aabd7f7c569b3e22e0c91613c483c136fb5b94ff7bdc1f51cbb9f5c46e4b62a19cca73057b78d1f3f8a9b0e2a20b8b8d9f2e8d0459df86c18353fbb3cb6e8b804e28dee571349e16b5df662cdedf1aa5a44eea00b778bc79c16138d85fab98c15ad9f2b83eebdb9432634280768397d2895c10012da8c6659e02295cfa52d6d06ef1e6ed0546d46c676048e5a455261659c83492d355eee56596e520962467fa8b3ae99cea9547d99a6d6b674682363c0dd5c8bd5c63d3bc2d45a94fb4e090ca27028b29a61c53d96ade29f1c60cffb5053b494dd2d7c7ccffc7006e16eb2bdcb360a1e0a3fa1f380616d0298e315808db7ae9ad16b6c4bb7dece5c2c4ba52d514f7fdc9b00e66302d1b6c6a7b5b58adb313e0cec67448238f66f69dd480d304a9831833a1b94f8109c0d2f85e646077bbaf140f9c7e72301d8e452f13711be18bdb48e2f0031c38da789a9e4161b7f0a6da09075414aaf9984ab7f141647c532e3b2530f3fd8a93b4218ecbbff44c4a58cdde1f9d89eb60ebe8033dc10116cbc09d4903bfd0830ef8b0d33572ce61bc028133be720544872e4a205fed6b005e8ed240ceb6e9efdd313b6eb0aed6bdcd335cb1765f2d7ed7f1819e0c04a8989183abcaa3677c35c33d95b139ed63f9f67e51386206ee2a3ad54bd4312b1178ece5a5a76eac9534faf2bb8c7b5105811a34a110553c63f1b9168ec5758e39d1f1baa4fd3e8dec73026c08ddf1568fa04b1a36a98055b6912f4faa0741e0bb5f063dfab6e6a8605b997affc69369980188967e4655c954d31b3ebea8dff5face904366191f0695fd3ccdc5e82c5982243e16a895f8aaf9d63d37ee1d323b296862ad265760a392378bc2ae5d7b75039b77aec33aa00c134f554ca9e5fd162296e915ccd359976e7ce4099bcaa5494c8eb6fa4da2a2e245920762f3639fa4fd4eb0e5e167a5f2111bfa669576ff3e0711a4ad78d2f8477363b03e6a13cd5b479817a62614ef613ac2b03a340114909c7b21ee93adf74c2ee2d4c666f1ab8bc43368e7643f3ea8da5a919b1e3078875228d2b519387ac49b7b9990d7dc229fb9ff0d551d3dfbeb843c8b2782f50cf8c575dec6836259a160a9a047165791d1e759c74ea65f4f9da990fc0e789bcd4ddf716442864788be6f2c5b607b6ddc7f9575b4e8375eea50e98cd9320fe736114e03aa0a2c1430d5cb507b29b388ace6ab58393513724607102a0458a458998e94d71b758df51ed4ecb6c6f2b94c31fb480745fbc6f6dc595c9558161fa14462779952982adb70d70a9f9a734fcbde17652e1a91422f93a6ff7d6c80fc92a5005bedf58aefe9bbba9d0ab3441e86b863bb5a3fdfd2a9c6f6d10717d2cd35d3c2a892f0e58545b1794d9aae993d72c215a6673bbe38976cc7d03cda84999c637aec8036ea1a23b143ed6288dcbc7d1ee487b1b6a4f6e8ef63b378acd4ff888bf95d86336907939c29695b2e0cc58efab49056f88a9027cad6d724e635f94f45f4cbddd8188608663ec7e46547e2aac7dec6cc5609e9f5f41ef26a1f16ecf6bfe200b0a955f98d9a4d41a2a268f8857670e33fbd4f076aa11c49cebd8306a4de3c86f7726fde93c7fc984079ae60e63854ee9a14162c749d7e308530c6b84cb5cafdd09ec3411cc0302c77d316beff973e3108ddb9b249e206d5476d605b7b24603ca344c2263bda8d7d3db55b9e2fcdce69be9b1ce24f8c4df129cd62a299fcbbff3309031973b5da452654c0b8ca4cf65891a8bdb8dedd20f631a34964e3bb0fa45c618861da79b259d79ecde8394061c99c661851c016c35ee8c91d52bbbc25f52b5e2f77ef2f63c764b717e8cce4d291742d5a7ef7f5d7ec1a96620eda1f962fb2448c388873f8b8abea4d27a5da092833c43c57c4b14099597f83785a31190798826f4264ba8f998cfbf7f20f9678e10e05c793f5781f8accca245d047d3be6c10541b2610c02c6e916d3db9776c6964e4519cf2e30708c954ef2492d3418c552dd9b5db4320dab8be6ac3394cb4b3fb1b9d5222c6ca9bd06aae2fef510e541db1209cde21fae56507020e80862d0b875d958346c42ebb781955ab337be61a68534281100247904b81b86aed49544c2452ecffaf6cc116f9d3c7362fc2cc390ab2ad29928b6e8bf90a4f21442fb213dbeeea4b8f481792fc6579b608e3a9c4fbe2755010d7ab3cd122de7a40a1f7780350a31d83ee5006ade36854cbc8e8c648259b29f2f7042719ab4d4d4d1f0c5fe6b717d23a5504335922f84ea8b20c78a5f1ddf6009089ea221353c01963fb8cabd3d795831c86d084660fa7f7d08f3ff15780c5b301ee27ab8d98fb358b90e92de4c96687c37e327ac1f0f23208c41a36e67cc22356df854f2dc309c110cfae51c5cc69051d22477caa1d2a2f276ccfbe907b263bd79ad4c5f6ea2687466f325ff2b1a736fff687c14d477c4c744e9c82be5b8ebfb69db2b312ff540ec8cadfcba9b609cae7e54ff347ed3d2649f9214600870ecba27f98943b4fb72f93b5ecb6d64dc1c7b2e8c2f2cf1006e39a237c5818014df9281feb6e522f6cb2d5ca35aeada09a58d5a6bdc9a75cf81a1c51faa8a3824a58d192a27be9fee5098b2e71d0d3f12917d50667415e418b790e0942260f4d2589c57aa1bd36017bd2bece963f0776f9f76cc66876c3f88f8bdbc35e329ecb56887948fd2c05d49c664509a682c6ff60350070bfd111be86ad2eee8c0d76b851fdb75f08e11fa47b5fd29b57568abbf91d3760652d475558bce2a1393688c9e2b4ae06cb072c294e1396b58db00b09ba8dbdc047a1684cca6e5b04cb52a40dd7b7f72c55292e7af0f3b8dda380d45b4e71c6cf57179247923750551ffd955f815cfbc29dfe5e0b2689eafdf44ce362b9c5864e4003326b2f183df7d39de7632bf3b2a85dca04cda08d10a5bad9ed9b481227e39804c3fd52d8a8f03288e13eb09c9075e23f82123a416e58864d95a321a719f88c8633201eb7d5c429348dfd83b476510f71808f95ab3b11d521004acc6d9168771736ec0a5f7c73ca78a46787c19299a79b453e49317353d6bee5b", 0x2000, &(0x7f0000009600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
mount$incfs(&(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000000), 0x0, 0x0)
r3 = openat$dir(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x10000, 0xa8)
openat$incfs(r3, &(0x7f0000000080)='.pending_reads\x00', 0x200, 0x110)
sendfile(r0, r1, 0x0, 0x5)
executing program 0:
r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
read$FUSE(r0, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x200202, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000000), 0x200, 0x102)
r2 = socket$netlink(0x10, 0x3, 0x10) (async)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000780)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=ANY=[@ANYBLOB="020b0f050f00000026bd7000fcdbdf25040004000900000001f8ffffffffffff0500000000000000ff0100000000000002001000000004d2000004d50000000002000a0030000000050000000000000005000500322000000a"], 0x78}}, 0x24048950)
setsockopt$sock_int(r2, 0x1, 0x8, &(0x7f0000000300), 0x4) (async)
r4 = dup(r2) (async)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r5, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) (async, rerun: 32)
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x20000002}, 0x1c) (async, rerun: 32)
r6 = socket$inet(0x2, 0x4000000000000001, 0x0)
sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async)
read$usbfs(r4, 0x0, 0x0)
syz_usb_connect(0x3, 0x35, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000b58f55408205d5b9f773000000010902230001000000000904080001fff56a00082502017f040e0009050b02"], 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1, 0x2010, r1, 0xfffff000)
executing program 2:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 1:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)
executing program 3:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
executing program 32:
r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
read$FUSE(r0, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x200202, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000000), 0x200, 0x102)
r2 = socket$netlink(0x10, 0x3, 0x10) (async)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000780)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=ANY=[@ANYBLOB="020b0f050f00000026bd7000fcdbdf25040004000900000001f8ffffffffffff0500000000000000ff0100000000000002001000000004d2000004d50000000002000a0030000000050000000000000005000500322000000a"], 0x78}}, 0x24048950)
setsockopt$sock_int(r2, 0x1, 0x8, &(0x7f0000000300), 0x4) (async)
r4 = dup(r2) (async)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r5, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) (async, rerun: 32)
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x20000002}, 0x1c) (async, rerun: 32)
r6 = socket$inet(0x2, 0x4000000000000001, 0x0)
sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async)
read$usbfs(r4, 0x0, 0x0)
syz_usb_connect(0x3, 0x35, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000b58f55408205d5b9f773000000010902230001000000000904080001fff56a00082502017f040e0009050b02"], 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1, 0x2010, r1, 0xfffff000)
executing program 33:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)
executing program 34:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 35:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)

program did not crash
bisect: testing without sub-chunk 2/3
testing program (duration=6m4s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 14, 30, 24, 6, 25, 24, 22, 14, 17, 24, 24, 18, 6, 17, 18, 24, 6]
detailed listing:
executing program 0:
r0 = openat$ptp0(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
ioctl$PTP_PEROUT_REQUEST2(r0, 0x40383d0c, &(0x7f0000000080)={{0x0, 0xfffffffb}, {0x7, 0x2800}, 0xf, 0x1})
ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100})
ioctl$PTP_EXTTS_REQUEST2(r0, 0x40603d10, &(0x7f0000000040))
r1 = openat$binderfs_ctrl(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder-control\x00', 0x2, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.time_recursive\x00', 0x275a, 0x0)
mmap(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x13, r2, 0x0)
remap_file_pages(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x0, 0x8, 0x0)
mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x1, 0x32, 0xffffffffffffffff, 0x2ec37000)
ioctl$BINDER_CTL_ADD(r1, 0xc1086201, &(0x7f0000000540)={'binder1\x00'})
executing program 0:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680))
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 0:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
r2 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
mmap$binder(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x1, 0x11, r2, 0x8000)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000080)={'pimreg0\x00', 0x7c2})
ioctl$TUNATTACHFILTER(r3, 0x401054d5, &(0x7f0000000480)={0x2, &(0x7f00000004c0)=[{0x1d}, {0x6}]})
msync(&(0x7f0000ff9000/0x1000)=nil, 0x1000, 0x4)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r6, 0xc008ae88, &(0x7f0000000000)=ANY=[@ANYBLOB="0100000000ffffff040001c0"])
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r7 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r7, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
r8 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
write$vga_arbiter(r8, &(0x7f0000000080)=ANY=[@ANYBLOB='decodes '], 0xf)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
r9 = syz_usb_connect(0x0, 0x24, &(0x7f0000000cc0)=ANY=[@ANYBLOB="120100004f92b90857152077ebb7000000010902120001000000000904"], 0x0)
syz_usb_control_io(r9, 0x0, &(0x7f0000000140)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000000)={0x40, 0x13, 0x5e, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r9, 0x0, &(0x7f0000001740)={0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)={0x40, 0x19, 0x2, "0200"}, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$uac1(r9, 0x0, &(0x7f00000000c0)={0x44, &(0x7f0000000080)=ANY=[@ANYBLOB="000101"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$printer(r9, 0x0, 0x0)
syz_usb_control_io$uac1(r9, 0x0, 0x0)
syz_usb_control_io$hid(r9, 0x0, 0x0)
executing program 1:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000500), 0x0, 0x0)
r1 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000002c0), 0x4b301, 0x0)
ioctl$TCSETSF(r1, 0x5404, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffa)
mmap(&(0x7f0000701000/0x1000)=nil, 0x1000, 0x0, 0x12, r0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
r3 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r3, &(0x7f0000f5dfe4)={0xa, 0x4e20, 0x0, @empty}, 0x1c)
recvmmsg(r3, &(0x7f0000002c80)=[{{0x0, 0x0, 0x0}, 0x7ff}], 0x1, 0x2b, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, &(0x7f0000000440)="f30fc7340366baf80cb84bbee38aef66bafc0cec3ef30fc770d966baf80cb8a04aa989ef66bafc0cedc4c125fa2166b8e6008ec8c4e3055ca4aaf00f000000c4c2f9aa0766baf80cb808da688aef66bafc0cb8d254e399ef0f004103", 0x5c}], 0x1, 0x10, 0x0, 0x0)
r4 = socket(0x11, 0x3, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f00000005c0)={'gre0\x00', <r6=>0x0})
bind$packet(r4, &(0x7f0000000180)={0x11, 0x0, r6, 0x1, 0x0, 0x6, @dev}, 0x14)
r7 = open(&(0x7f0000000040)='./file0\x00', 0x30000, 0x182)
setsockopt$packet_int(r4, 0x107, 0xf, &(0x7f0000000240)=0xe9, 0x4)
cachestat(r2, &(0x7f0000000080)={0x481, 0x1}, &(0x7f00000000c0), 0x0)
sendmsg$netlink(r4, &(0x7f0000002ac0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000400)=ANY=[@ANYBLOB="02011400012918000e1a80009f00016d2900002f0600ac141430e0000003808a8972bd0b72e41082b1a3d206"], 0xdd12}], 0x1, 0x0, 0x0, 0x4000007}, 0x1)
setsockopt$inet6_int(r3, 0x29, 0x4, &(0x7f0000000000)=0x1, 0x4)
sendto$inet6(r3, 0x0, 0x0, 0x0, &(0x7f0000000300)={0xa, 0x4e20, 0x0, @mcast1}, 0x1c)
bind$xdp(r7, &(0x7f0000000100)={0x2c, 0xc, r6, 0x3b, r4}, 0x10)
r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
sendmsg$NL80211_CMD_PEER_MEASUREMENT_START(r2, &(0x7f0000001800)={0x0, 0x0, &(0x7f00000017c0)={&(0x7f0000000280)={0x1c, r8, 0x1, 0x70bd2c, 0x25dfdbfe, {{}, {@val={0x8}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x80}, 0x20000000)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x1000)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1002, 0x0)
r1 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r1, 0x29, 0x2e, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}, 0xfffffffd}}, {{0xa, 0x0, 0x0, @remote}}}, 0x108)
r2 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r2, 0x29, 0x2a, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x4e22, 0x0, @remote}}}, 0x108)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r12, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))
executing program 2:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 2:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) (async)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1/file2\x00', 0x81c0, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x2040, 0x0) (async)
renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file2\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x2) (async, rerun: 64)
msync(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x5) (async, rerun: 64)
fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) (async)
r0 = fsmount(0xffffffffffffffff, 0x0, 0x3) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) (async)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) (async, rerun: 64)
r3 = dup3(r2, r1, 0x0) (rerun: 64)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a}) (async)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000001040)={0x8, 0x0, &(0x7f00000001c0)=[@increfs={0x40046304, 0x1}], 0x0, 0x0, 0x0})
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 1:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)
executing program 3:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)
executing program 32:
r0 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
read$FUSE(r0, 0x0, 0x0)
r1 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x200202, 0x0) (async)
syz_open_dev$usbfs(&(0x7f0000000000), 0x200, 0x102)
r2 = socket$netlink(0x10, 0x3, 0x10) (async)
r3 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r3, &(0x7f0000000780)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=ANY=[@ANYBLOB="020b0f050f00000026bd7000fcdbdf25040004000900000001f8ffffffffffff0500000000000000ff0100000000000002001000000004d2000004d50000000002000a0030000000050000000000000005000500322000000a"], 0x78}}, 0x24048950)
setsockopt$sock_int(r2, 0x1, 0x8, &(0x7f0000000300), 0x4) (async)
r4 = dup(r2) (async)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_int(r5, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) (async, rerun: 32)
setsockopt$packet_rx_ring(r5, 0x107, 0x5, &(0x7f0000000140)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x7ff, 0xf83, 0x20000002}, 0x1c) (async, rerun: 32)
r6 = socket$inet(0x2, 0x4000000000000001, 0x0)
sendto$inet(r6, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) (async)
read$usbfs(r4, 0x0, 0x0)
syz_usb_connect(0x3, 0x35, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000b58f55408205d5b9f773000000010902230001000000000904080001fff56a00082502017f040e0009050b02"], 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1, 0x2010, r1, 0xfffff000)
executing program 33:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f0000000300)=""/4081, &(0x7f0000000080)=0xff1)
socket$nl_generic(0x10, 0x3, 0x10)
socket$packet(0x11, 0x2, 0x300)
socket$inet(0x2, 0xa, 0xfffffffc)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$netlink(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000760001"], 0x1c}], 0x1, 0x0, 0x0, 0x4004000}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = dup(r3)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000080)={0x10003, 0x2, 0x8080000, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@textreal={0x8, &(0x7f0000000800)="ba4000b8e6008ed03b940f73da0eccb8f0028ed80f23d80f21f86635800000200f238c66b9800000c00f326635000400000f306c0ffcdf36efddc666b9800000c0c4c249cf9009186635004000000f300f01c4", 0x53}], 0x1, 0x1a, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r3, r5, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x42, 0x0, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r3, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)
r6 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
read$FUSE(r6, &(0x7f0000000f00)={0x2020}, 0x2020)
executing program 34:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 35:
r0 = fsopen(&(0x7f0000000080)='ramfs\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x18)
setreuid(0xffffffffffffffff, 0xee01) (async)
symlinkat(&(0x7f0000000000)='.\x00', r1, &(0x7f0000000140)='./file0\x00') (async)
openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
bisect: the chunk can be dropped
bisect: testing without sub-chunk 3/3
testing program (duration=6m2s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 14, 30, 24, 6, 25, 24, 22, 14, 17]
detailed listing:
executing program 0:
r0 = openat$ptp0(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
ioctl$PTP_PEROUT_REQUEST2(r0, 0x40383d0c, &(0x7f0000000080)={{0x0, 0xfffffffb}, {0x7, 0x2800}, 0xf, 0x1})
ioctl$BINDER_SET_CONTEXT_MGR_EXT(0xffffffffffffffff, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x100})
ioctl$PTP_EXTTS_REQUEST2(r0, 0x40603d10, &(0x7f0000000040))
r1 = openat$binderfs_ctrl(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs2/binder-control\x00', 0x2, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.time_recursive\x00', 0x275a, 0x0)
mmap(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x0, 0x13, r2, 0x0)
remap_file_pages(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x0, 0x8, 0x0)
mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x1, 0x32, 0xffffffffffffffff, 0x2ec37000)
ioctl$BINDER_CTL_ADD(r1, 0xc1086201, &(0x7f0000000540)={'binder1\x00'})
executing program 0:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680))
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 0:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
r2 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
mmap$binder(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x1, 0x11, r2, 0x8000)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000080)={'pimreg0\x00', 0x7c2})
ioctl$TUNATTACHFILTER(r3, 0x401054d5, &(0x7f0000000480)={0x2, &(0x7f00000004c0)=[{0x1d}, {0x6}]})
msync(&(0x7f0000ff9000/0x1000)=nil, 0x1000, 0x4)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r6, 0xc008ae88, &(0x7f0000000000)=ANY=[@ANYBLOB="0100000000ffffff040001c0"])
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r7 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r7, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
r8 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
write$vga_arbiter(r8, &(0x7f0000000080)=ANY=[@ANYBLOB='decodes '], 0xf)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
r9 = syz_usb_connect(0x0, 0x24, &(0x7f0000000cc0)=ANY=[@ANYBLOB="120100004f92b90857152077ebb7000000010902120001000000000904"], 0x0)
syz_usb_control_io(r9, 0x0, &(0x7f0000000140)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000000)={0x40, 0x13, 0x5e, @local}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r9, 0x0, &(0x7f0000001740)={0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)={0x40, 0x19, 0x2, "0200"}, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$uac1(r9, 0x0, &(0x7f00000000c0)={0x44, &(0x7f0000000080)=ANY=[@ANYBLOB="000101"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$printer(r9, 0x0, 0x0)
syz_usb_control_io$uac1(r9, 0x0, 0x0)
syz_usb_control_io$hid(r9, 0x0, 0x0)
executing program 1:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000500), 0x0, 0x0)
r1 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000002c0), 0x4b301, 0x0)
ioctl$TCSETSF(r1, 0x5404, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffa)
mmap(&(0x7f0000701000/0x1000)=nil, 0x1000, 0x0, 0x12, r0, 0x0)
r2 = socket$netlink(0x10, 0x3, 0x0)
r3 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r3, &(0x7f0000f5dfe4)={0xa, 0x4e20, 0x0, @empty}, 0x1c)
recvmmsg(r3, &(0x7f0000002c80)=[{{0x0, 0x0, 0x0}, 0x7ff}], 0x1, 0x2b, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe7000/0x18000)=nil, &(0x7f00000004c0)=[@text32={0x20, &(0x7f0000000440)="f30fc7340366baf80cb84bbee38aef66bafc0cec3ef30fc770d966baf80cb8a04aa989ef66bafc0cedc4c125fa2166b8e6008ec8c4e3055ca4aaf00f000000c4c2f9aa0766baf80cb808da688aef66bafc0cb8d254e399ef0f004103", 0x5c}], 0x1, 0x10, 0x0, 0x0)
r4 = socket(0x11, 0x3, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f00000005c0)={'gre0\x00', <r6=>0x0})
bind$packet(r4, &(0x7f0000000180)={0x11, 0x0, r6, 0x1, 0x0, 0x6, @dev}, 0x14)
r7 = open(&(0x7f0000000040)='./file0\x00', 0x30000, 0x182)
setsockopt$packet_int(r4, 0x107, 0xf, &(0x7f0000000240)=0xe9, 0x4)
cachestat(r2, &(0x7f0000000080)={0x481, 0x1}, &(0x7f00000000c0), 0x0)
sendmsg$netlink(r4, &(0x7f0000002ac0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000400)=ANY=[@ANYBLOB="02011400012918000e1a80009f00016d2900002f0600ac141430e0000003808a8972bd0b72e41082b1a3d206"], 0xdd12}], 0x1, 0x0, 0x0, 0x4000007}, 0x1)
setsockopt$inet6_int(r3, 0x29, 0x4, &(0x7f0000000000)=0x1, 0x4)
sendto$inet6(r3, 0x0, 0x0, 0x0, &(0x7f0000000300)={0xa, 0x4e20, 0x0, @mcast1}, 0x1c)
bind$xdp(r7, &(0x7f0000000100)={0x2c, 0xc, r6, 0x3b, r4}, 0x10)
r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
sendmsg$NL80211_CMD_PEER_MEASUREMENT_START(r2, &(0x7f0000001800)={0x0, 0x0, &(0x7f00000017c0)={&(0x7f0000000280)={0x1c, r8, 0x1, 0x70bd2c, 0x25dfdbfe, {{}, {@val={0x8}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x80}, 0x20000000)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x1000)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x1002, 0x0)
r1 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r1, 0x29, 0x2e, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}, 0xfffffffd}}, {{0xa, 0x0, 0x0, @remote}}}, 0x108)
r2 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r2, 0x29, 0x2a, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x4e22, 0x0, @remote}}}, 0x108)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r12, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))
executing program 2:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 2:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) (async)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1/file2\x00', 0x81c0, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x2040, 0x0) (async)
renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file2\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x2) (async, rerun: 64)
msync(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x5) (async, rerun: 64)
fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) (async)
r0 = fsmount(0xffffffffffffffff, 0x0, 0x3) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) (async)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) (async, rerun: 64)
r3 = dup3(r2, r1, 0x0) (rerun: 64)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a}) (async)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000001040)={0x8, 0x0, &(0x7f00000001c0)=[@increfs={0x40046304, 0x1}], 0x0, 0x0, 0x0})

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <10>
bisect: split chunk #0 of len 10 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=6m1s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [25, 24, 22, 14, 17]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r12, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))
executing program 2:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 2:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) (async)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1/file2\x00', 0x81c0, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x2040, 0x0) (async)
renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file2\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x2) (async, rerun: 64)
msync(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x5) (async, rerun: 64)
fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) (async)
r0 = fsmount(0xffffffffffffffff, 0x0, 0x3) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) (async)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) (async, rerun: 64)
r3 = dup3(r2, r1, 0x0) (rerun: 64)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a}) (async)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000001040)={0x8, 0x0, &(0x7f00000001c0)=[@increfs={0x40046304, 0x1}], 0x0, 0x0, 0x0})

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <5>
bisect: split chunk #0 of len 5 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 17]
detailed listing:
executing program 2:
r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c, 0x0, 0x1ff)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
r1 = eventfd(0x4)
ioctl$VHOST_SET_VRING_BASE(r0, 0x4008af12, &(0x7f0000000080)={0x1, 0x7f})
ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1)
ioctl$VHOST_SET_VRING_KICK(r0, 0x4008af20, &(0x7f0000000040)={0x1, r1})
r2 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r2, 0xc018aa3f, &(0x7f0000000380))
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000180)=""/53, 0x0})
ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, &(0x7f0000000380)=""/236, &(0x7f00000000c0)=""/87, &(0x7f0000000480)=""/66})
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)={0x1, 0x0, [{0x0, 0xfffffeac, &(0x7f00000001c0)=""/115}]})
ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, 0x0)
ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000300)={0x1, 0x0, [{0xeeee8000, 0x49, &(0x7f00000002c0)=""/37}]})
executing program 2:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) (async)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1/file2\x00', 0x81c0, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x2040, 0x0) (async)
renameat2(0xffffffffffffff9c, &(0x7f0000000480)='./file1/file2\x00', 0xffffffffffffff9c, &(0x7f00000004c0)='./file0\x00', 0x2) (async, rerun: 64)
msync(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x5) (async, rerun: 64)
fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0) (async)
r0 = fsmount(0xffffffffffffffff, 0x0, 0x3) (async)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002}) (async)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) (async, rerun: 64)
r3 = dup3(r2, r1, 0x0) (rerun: 64)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a}) (async)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000001040)={0x8, 0x0, &(0x7f00000001c0)=[@increfs={0x40046304, 0x1}], 0x0, 0x0, 0x0})

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [25, 24, 22]
detailed listing:
executing program 1:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
r5 = dup3(r0, r1, 0x80000)
r6 = socket(0x11, 0x3, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'gre0\x00', <r8=>0x0})
bind$packet(r6, &(0x7f0000000180)={0x11, 0x0, r8}, 0x14)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = socket$unix(0x1, 0x5, 0x0)
r11 = dup2(r10, r9)
close_range(r11, 0xffffffffffffffff, 0x0)
r12 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r12, 0x0, 0x0)
ioctl$TCSETAW(r5, 0x5407, &(0x7f0000000340)={0x200, 0x5, 0xbf, 0xffff, 0x12, "ec71529d32a9c301"})
syz_usb_control_io$cdc_ecm(r12, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r12, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r13, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 3:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder1\x00', 0x800, 0x0)
r1 = socket$inet6(0xa, 0x1, 0x3a)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x1002, 0x0)
r2 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$inet_msfilter(r2, 0x0, 0x29, 0x0, 0x0)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, &(0x7f0000000080)={0xffffffffffffffff, 0x1})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x2c, r4, 0x1, 0x0, 0x25dfdbfe, {}, [@ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xfc}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x2}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x8}]}, 0x2c}}, 0x0)
dup3(r0, r1, 0x80000)
r5 = socket(0x11, 0x3, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'gre0\x00', <r7=>0x0})
bind$packet(r5, &(0x7f0000000180)={0x11, 0x0, r7}, 0x14)
r8 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r9 = socket$unix(0x1, 0x5, 0x0)
r10 = dup2(r9, r8)
close_range(r10, 0xffffffffffffffff, 0x0)
r11 = syz_usb_connect(0x0, 0x68, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0xa1, 0x12, 0x17, 0x10, 0xb95, 0x172a, 0xf7f4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0xfb, 0x0, 0x2, 0x6c, 0x5d, 0x65, 0x0, [], [{{0x9, 0x5, 0x4, 0x2, 0x10, 0x0, 0xfa}}, {{0x9, 0x5, 0x82, 0x2, 0x40}}]}}]}}]}}, 0x0)
syz_usb_control_io$printer(r11, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r11, 0x0, &(0x7f0000000880)={0x1c, &(0x7f0000000740)=ANY=[@ANYBLOB="00148b"], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r11, &(0x7f0000000140)={0x14, &(0x7f0000000040)={0x0, 0xd, 0x8b, {0x8b, 0x2, "d0447b3c7e9c03b69594e2ccfba8f068473aeb34c1dc5e3f64d68734e53c5207b9c6f2febcae5a42ff16729ba6095fe47e0e32f138fd80e8d898da9de4377e6c3b4427a47a3adf687aa9b3d09db0546540739c04744b5af43bd360329c1060797010cb3c814efbfc3c707edfa46f04258ee32654be558df1ca2d1cb78aa0a5ac40fc0def7225027c10"}}, &(0x7f0000000100)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f00000002c0)={0x1c, &(0x7f0000000180)={0x40, 0x17, 0x7c, "acbe2d37bbcd3c9900aed6b85cd5da5f35020c79481f70dc71e5a3b37564821708f61e2155744c37ebe93571fa68934cb2bff75f50860635401b873a264a1021fc921e77f76f87bc0cced97ca42ee4ca3326c88ce0846cd64736846301a6c43c154c2db554ce7840065be8defb8338a58de16eead992601b3c1c118d"}, &(0x7f0000000240)={0x0, 0xa, 0x1, 0x6}, &(0x7f0000000280)={0x0, 0x8, 0x1, 0x10}})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$netlink(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000000)=ANY=[@ANYBLOB="340000001900150000000000000000000a"], 0x34}], 0x1, 0x0, 0x0, 0x4010}, 0x0)
executing program 2:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <3>
bisect: split chunk #0 of len 3 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap-ioctl$ASHMEM_SET_SIZE-socket$netlink-sendmsg$NFT_BATCH-openat$selinux_commit_pending_bools-write$cgroup_int-fstat
detailed listing:
executing program 2:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <1>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 1 programs left: 

executing program 2:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))


bisect: trying to concatenate
bisect: concatenate 1 entries
testing program (duration=9m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap-ioctl$ASHMEM_SET_SIZE-socket$netlink-sendmsg$NFT_BATCH-openat$selinux_commit_pending_bools-write$cgroup_int-fstat
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)
fstat(r7, &(0x7f00000001c0))

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
bisect: concatenation succeeded
found reproducer with 22 syscalls
minimizing guilty program
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap-ioctl$ASHMEM_SET_SIZE-socket$netlink-sendmsg$NFT_BATCH-openat$selinux_commit_pending_bools-write$cgroup_int
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
r7 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)
write$cgroup_int(r7, &(0x7f0000000080)=0x5, 0x12) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap-ioctl$ASHMEM_SET_SIZE-socket$netlink-sendmsg$NFT_BATCH-openat$selinux_commit_pending_bools
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000002080), 0x1, 0x0)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap-ioctl$ASHMEM_SET_SIZE-socket$netlink-sendmsg$NFT_BATCH
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
r6 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$NFT_BATCH(r6, &(0x7f0000002600)={0x0, 0x0, &(0x7f00000025c0)={&(0x7f0000002080)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x3}}, [@NFT_MSG_NEWCHAIN={0x1c, 0x3, 0xa, 0x3, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_CHAIN_POLICY={0x8, 0x5, 0x1, 0x0, 0xffffffffffffffff}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x44}, 0x1, 0x0, 0x0, 0xc0}, 0x0)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap-ioctl$ASHMEM_SET_SIZE-socket$netlink
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)
socket$netlink(0x10, 0x3, 0x4)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-mmap
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)

program did not crash
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-setsockopt$inet6_tcp_TCP_ULP-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r5, 0x6, 0x1f, &(0x7f00000003c0), 0x3) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program did not crash
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet6_tcp-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
socket$inet6_tcp(0xa, 0x1, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-write$cgroup_subtree-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-openat$cgroup_ro-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-capset-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000080)={0x0, 0x2})
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mincore-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mincore(&(0x7f0000ffd000/0x2000)=nil, 0x2000, &(0x7f0000000240)=""/243) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-ioctl$ASHMEM_SET_PROT_MASK-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
ioctl$ASHMEM_SET_PROT_MASK(r0, 0x40087705, 0x0) (async, rerun: 64)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-pwritev2-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
r1 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r2, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r3, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
pwritev2(r1, 0x0, 0x0, 0x24a, 0xfff, 0x4) (async, rerun: 64)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_DEL_MPATH-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_DEL_MPATH(r1, &(0x7f0000000180)={&(0x7f0000000000), 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x68, r2, 0x20, 0x70bd2d, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa}]}, 0x68}}, 0x0) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-syz_genetlink_get_family_id$nl80211-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-socket$nl_generic-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-openat$kvm-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-ioctl$ASHMEM_SET_SIZE-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0x8000) (async)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, 0xffffffffffffffff, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(0xffffffffffffffff, 0x40087703, 0xfffffffffffff8ed) (async)

program did not crash
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed)

program did not crash
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, 0x0, 0x280, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program did not crash
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed) (async)

program did not crash
testing program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
detailed listing:
executing program 0:
r0 = openat$ashmem(0xffffffffffffff9c, &(0x7f0000000040), 0x280, 0x0)
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x300000c, 0x12, r0, 0x4d75c000) (async)
ioctl$ASHMEM_SET_SIZE(r0, 0x40087703, 0xfffffffffffff8ed)

program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
extracting C reproducer
testing compiled C program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
simplifying C reproducer
testing compiled C program (duration=44.304887402s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program did not crash
testing compiled C program (duration=44.304887402s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program did not crash
testing compiled C program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing compiled C program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing compiled C program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing compiled C program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
testing compiled C program (duration=44.304887402s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ashmem-mmap-ioctl$ASHMEM_SET_SIZE
program crashed: attempt to add with overflow in <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap
reproducing took 1h36m22.867103863s
repro crashed as (corrupted=false):
rust_kernel: panicked at /syzkaller/managers/ci2-android-6-12-rust/kernel/rust/kernel/page_size_compat.rs:60:5:
attempt to add with overflow
------------[ cut here ]------------
kernel BUG at rust/helpers/bug.c:7!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 338 Comm: syz-executor747 Not tainted 6.12.23-syzkaller-gd9fd901baa98 #0 f1acc3ef52b3e732a05c4f7a2560722db90bb473
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7
Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 45 96 43 c1 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 0f 52 0a 4d 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900011ff3f0 EFLAGS: 00010246
RAX: 000000000000008c RBX: 1ffff9200023fe80 RCX: b6f7291a154b3500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc900011ff3f0 R08: ffffc900011ff0e7 R09: 1ffff9200023fe1c
R10: dffffc0000000000 R11: fffff5200023fe1d R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc900011ff420 R15: ffffc900011ff450
FS:  00007f1fbd1516c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1fbd130d58 CR3: 00000001305cc000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __rustc::rust_begin_unwind+0x15b/0x160 rust/kernel/lib.rs:128
 core::panicking::panic_fmt+0x84/0x90 usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:75
 core::panicking::panic_const::panic_const_add_overflow+0xb2/0xc0 usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:178
 kernel::page_size_compat::__page_align rust/kernel/page_size_compat.rs:60 [inline]
 <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap+0xe44/0xfb0 drivers/staging/android/ashmem_rust.rs:165
 call_mmap include/linux/fs.h:2188 [inline]
 mmap_file mm/internal.h:124 [inline]
 __mmap_region mm/mmap.c:1471 [inline]
 mmap_region+0x1371/0x1bd0 mm/mmap.c:1634
 do_mmap+0xb6d/0x13c0 mm/mmap.c:508
 vm_mmap_pgoff+0x38f/0x4e0 mm/util.c:594
 ksys_mmap_pgoff+0x166/0x1e0 mm/mmap.c:557
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline]
 __x64_sys_mmap+0x121/0x140 arch/x86/kernel/sys_x86_64.c:79
 x64_sys_call+0x13bf/0x2ee0 arch/x86/include/generated/asm/syscalls_64.h:10
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x58/0xf0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f1fbd1a4369
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1fbd151208 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f1fbd22e308 RCX: 00007f1fbd1a4369
RDX: 000000000300000c RSI: 0000000000003000 RDI: 0000200000ffd000
RBP: 00007f1fbd22e300 R08: 0000000000000003 R09: 000000004d75c000
R10: 0000000000000012 R11: 0000000000000246 R12: 00007f1fbd22e30c
R13: 0000200000000040 R14: 6873612f7665642f R15: 0000200000ffd000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7
Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 45 96 43 c1 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 0f 52 0a 4d 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900011ff3f0 EFLAGS: 00010246
RAX: 000000000000008c RBX: 1ffff9200023fe80 RCX: b6f7291a154b3500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc900011ff3f0 R08: ffffc900011ff0e7 R09: 1ffff9200023fe1c
R10: dffffc0000000000 R11: fffff5200023fe1d R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc900011ff420 R15: ffffc900011ff450
FS:  00007f1fbd1516c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1fbd17f0d0 CR3: 00000001305cc000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

final repro crashed as (corrupted=false):
rust_kernel: panicked at /syzkaller/managers/ci2-android-6-12-rust/kernel/rust/kernel/page_size_compat.rs:60:5:
attempt to add with overflow
------------[ cut here ]------------
kernel BUG at rust/helpers/bug.c:7!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 338 Comm: syz-executor747 Not tainted 6.12.23-syzkaller-gd9fd901baa98 #0 f1acc3ef52b3e732a05c4f7a2560722db90bb473
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7
Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 45 96 43 c1 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 0f 52 0a 4d 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900011ff3f0 EFLAGS: 00010246
RAX: 000000000000008c RBX: 1ffff9200023fe80 RCX: b6f7291a154b3500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc900011ff3f0 R08: ffffc900011ff0e7 R09: 1ffff9200023fe1c
R10: dffffc0000000000 R11: fffff5200023fe1d R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc900011ff420 R15: ffffc900011ff450
FS:  00007f1fbd1516c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1fbd130d58 CR3: 00000001305cc000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __rustc::rust_begin_unwind+0x15b/0x160 rust/kernel/lib.rs:128
 core::panicking::panic_fmt+0x84/0x90 usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:75
 core::panicking::panic_const::panic_const_add_overflow+0xb2/0xc0 usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:178
 kernel::page_size_compat::__page_align rust/kernel/page_size_compat.rs:60 [inline]
 <ashmem_rust::Ashmem as kernel::miscdevice::MiscDevice>::mmap+0xe44/0xfb0 drivers/staging/android/ashmem_rust.rs:165
 call_mmap include/linux/fs.h:2188 [inline]
 mmap_file mm/internal.h:124 [inline]
 __mmap_region mm/mmap.c:1471 [inline]
 mmap_region+0x1371/0x1bd0 mm/mmap.c:1634
 do_mmap+0xb6d/0x13c0 mm/mmap.c:508
 vm_mmap_pgoff+0x38f/0x4e0 mm/util.c:594
 ksys_mmap_pgoff+0x166/0x1e0 mm/mmap.c:557
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline]
 __x64_sys_mmap+0x121/0x140 arch/x86/kernel/sys_x86_64.c:79
 x64_sys_call+0x13bf/0x2ee0 arch/x86/include/generated/asm/syscalls_64.h:10
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x58/0xf0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f1fbd1a4369
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1fbd151208 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f1fbd22e308 RCX: 00007f1fbd1a4369
RDX: 000000000300000c RSI: 0000000000003000 RDI: 0000200000ffd000
RBP: 00007f1fbd22e300 R08: 0000000000000003 R09: 000000004d75c000
R10: 0000000000000012 R11: 0000000000000246 R12: 00007f1fbd22e30c
R13: 0000200000000040 R14: 6873612f7665642f R15: 0000200000ffd000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rust_helper_BUG+0x8/0x10 rust/helpers/bug.c:7
Code: cc cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 45 96 43 c1 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 <0f> 0b 66 0f 1f 44 00 00 b8 0f 52 0a 4d 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900011ff3f0 EFLAGS: 00010246
RAX: 000000000000008c RBX: 1ffff9200023fe80 RCX: b6f7291a154b3500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc900011ff3f0 R08: ffffc900011ff0e7 R09: 1ffff9200023fe1c
R10: dffffc0000000000 R11: fffff5200023fe1d R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc900011ff420 R15: ffffc900011ff450
FS:  00007f1fbd1516c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1fbd17f0d0 CR3: 00000001305cc000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400