Extracting prog: 8m22.036047143s
Minimizing prog: 20m15.828014996s
Simplifying prog options: 0s
Extracting C: 38.738350304s
Simplifying C: 25m12.386535847s


extracting reproducer from 35 programs
testing a last program of every proc
single: executing 7 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6-close-connect$vsock_stream-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-getsockopt$bt_hci
detailed listing:
executing program 0:
r0 = socket$inet6(0xa, 0x805, 0x0)
close(0x3)
connect$vsock_stream(0xffffffffffffffff, &(0x7f0000000080), 0x10)
r1 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r1, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10)
getsockopt$bt_hci(r0, 0x84, 0x81, &(0x7f0000000080)=""/4060, &(0x7f00000010c0)=0xfdc)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-socket$inet6_sctp-ioctl$sock_SIOCETHTOOL-socket$l2tp
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, 0x0)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
ioctl$sock_SIOCETHTOOL(r3, 0x8946, &(0x7f0000000040)={'netdevsim0\x00', &(0x7f0000000000)=@ethtool_pauseparam={0x13, 0x0, 0xff}})
socket$l2tp(0x2, 0x2, 0x73)

program did not crash
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat-ioctl$EXT4_IOC_MOVE_EXT-mkdirat-landlock_create_ruleset-syz_mount_image$ext4-sendmsg$nl_route_sched-sendmsg$nl_route_sched-sendmsg$BATADV_CMD_GET_ORIGINATORS-socket$nl_route-sendmsg$nl_route-openat-openat$ptmx-ioctl$TIOCSETD-ioctl$TCFLSH-ioctl$EXT4_IOC_GROUP_ADD
detailed listing:
executing program 0:
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000500)='./file2\x00', 0x8, &(0x7f0000000080)={[{@nodioread_nolock}, {@sb={'sb', 0x3d, 0x1}}]}, 0x4, 0x523, &(0x7f00000018c0)="$eJzs3cFvG1kZAPBvnLhJs+mmC3sABGxZFgqq6iTubrTqhfYCQlUlRMWJQxsSN4pi11Hsiib0kB65V6ISJ+A/4MYBqScO3LjBjUs5IBWoQA0SB6MZT1I3sZNAnbiJfz9pMvPeTP29F/e953mR5wUwtC5ExGZEnImIOxExlecn+RbX2lt63csXDxe2XjxcSKLVuvX3JDuf5kXHv0m9k7/meER8/zsRP0r2xm2sb6zMV6uVtTw93aytTjfWNy4vF/Kc8tzs3MynVz4p962uH9R+/fzbyzd+8NvffOnZHza/+ZO0WJM/PZed66xHP7WrXozJjrzRiLhxFMEGZDT//8PJk7a2z0TEh1n7n4qR7N0EAE6zVmsqWlOdaQDgtEvv/ycjKZTyuYDJKBRKpfYc3vsxUajWG81LU/X79xYjm8M6H8XC3eVqZSafKzwfxSRNz2bHr9Ll19KPK1ci4r2IeDx2NjtfWqhXFwf5wQcAhtg7u8b/f421x/9OxUEVDgA4OuODLgAAcOyM/wAwfIz/ADB8/ofx37cDAeCUcP8PAMPH+A8Aw+fA8f/R8ZQDADgW37t5M91aW+3nX28/qfvyYqWxUqrdXygt1NdWS0v1+lK1UlpotQ56vWq9vjr78U6ysb5xu1a/f695e7k2v1S5XfEsAQAYvPc+ePqndNDfvHo226JjLQdjNZxuhUEXABiYkUEXABgY3+eB4XWIe3zTAHDKdVmity2fIEh6XfDE4q9wUl38vPl/GFZvMv9v7gBOtv9v/v9bfS8HcPyM4TC8Wq3Emv8AMGTM8QM9//6f6/mIkCf9LwsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACcFJPZlhRK2Vrgm+nPQqkUcS4izkcxubtcrcxExLsR8cex4lianh10oQGAN1T4a5Kv/3Vx6qPJ3WfPJP8ey/YR8eOf3/rZg/lmc202zf/HTn7zSZp/trlWPjOICgAAna7tzcrG73K+77iRf/ni4cL2dpxFfH69vbhoGncr39pnRmM0249HMSIm/pnk6bb088pIH+JvPoqIz23XfzwedESYzOZA2iuf7o6fxj7X9/idv//d8Quv1beQnUv3xex38dnYVTjgQE+vt/vJvO2lTTxvf4W4kO27t//xrId6c2n/lzbXrT39X2Gn/xvZEz/J2vyFnfT+JXn+8e++uyezNdU+9yjiC6Pd4ic78ZPu/W/xo0PW8c9f/PKHvc61fhFxsWv9t1ekrmXd7HSztjrdWN+4vFybX6osVe6Vy3OzczOfXvmkPJ3NUbd//r5bjL9dvfRur/hp/Sd6xB/fv/7xtUPW/5f/ufPDr+wT/xtf7f7+v79P/HRM/Poh489PXOu5fHcaf7FH/Q94/+PSIeM/+8vG4iEvBQCOQWN9Y2W+Wq2sHXCQftY86BoHhz9I7+3fgmJkB7EZ0a8XzCYlIqLrNekn6rejykd1kAws+q/6/YKD7pmAo/aq0Q+6JAAAAAAAAAAAAAAAQC+N9Y2Vse7f1urbwaDrCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwOn13wAAAP//KHnENg==")
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file2\x00', 0x8000, 0x0)
ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
landlock_create_ruleset(&(0x7f0000000300)={0x8080, 0x1}, 0x18, 0x0)
syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000280)='./mnt\x00', 0x800810, &(0x7f0000000180)={[{@nobh}, {@max_dir_size_kb={'max_dir_size_kb', 0x3d, 0x4}}]}, 0xff, 0x23f, &(0x7f0000000540)="$eJzs3T1oLFUYBuB3Zne95t5FrtoI4g+IiAbCtRNsYqMQkBBEBBUiIjZKIsQEu8TKxkJrlVQ2QeyMlpIm2CiCVdQUsRE0WBgstFiZnURisuLPxh1xngdmZ2b3nPnOMPOe3WbYAK11Nclskk6S6SS9JMXpBnfWy9Xj3c2p3cVkMHjsh2LYrt6vnfS7kmQjyQNJdsoiL3STte2nDn7ae+Se11d7d7+7/eTURE/y2OHB/qNH78y/9sHc/WufffHdfJHZ9H93XhevGPFet0hu+jeK/UcU3aZHwF+x8Mr7X1a5vznJXcP891KmvnhvrFy308t9b/9R3ze///zWSY4VuHiDQa/6DtwYAK1TJumnKGeS1NtlOTNT/4b/qnO5fHF55eXp55dXl55reqYCLko/2X/4o0sfXjmT/287df6B/68q/48vbH1dbR91mh4NMBG31asq/9PPrN8b+YfWkX9oL/mH9pJ/aC/5h/aSf2gv+Yf2kn9oL/mH9pJ/aK/T+QcA2mVwqeknkIGmND3/AAAAAAAAAAAAAAAAAAAA521O7S6eLJOq+clbyeFDSbqj6neG/0ecXD98vfxjUTX7TVF3G8vTd4x5gDG91/DT1zd802z9T29vtv76UrLxapJr3e75+684vv/+uRv/5PPes2MW+JuKM/sPPjHZ+mf9stVs/bm95ONq/rk2av4pc8twPXr+6VfXb8z6L/085gEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYmF8DAAD//xFQbUc=")
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd26, 0xffffffff, {0x0, 0x0, 0x0, 0x0, {0x0, 0xfff1}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x8, 0x4}}]}}]}, 0x48}}, 0x20040084)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000540)={&(0x7f00000008c0)=@newqdisc={0x8c, 0x28, 0x4ee4e6a52ff56541, 0x4001, 0xfffffdfc, {0x0, 0x0, 0x0, 0x0, {0xffff}, {0xffff, 0xffff}, {0x2, 0x1}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x5c, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x4, [0xc, 0x5, 0x0, 0xf, 0x10, 0xa, 0x4, 0x2, 0xf, 0x6, 0x3, 0x7, 0x8, 0x4, 0x10, 0x4], 0x3, [0xb, 0x3, 0xad1e, 0x2002, 0x1, 0x4, 0x2, 0xd06, 0xff05, 0x2, 0xb, 0x3, 0x5, 0x6, 0xd, 0x100], [0xfff1, 0x5, 0xffff, 0xfff5, 0x4, 0x8, 0x1, 0x9, 0x5, 0x2, 0xc, 0x40, 0xfffc, 0x3, 0x1]}}]}}]}, 0x8c}, 0x1, 0x0, 0x0, 0x4005c}, 0x0)
sendmsg$BATADV_CMD_GET_ORIGINATORS(r0, &(0x7f0000000940)={&(0x7f0000000440)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000000900)={&(0x7f0000000880)={0x54, 0x0, 0x0, 0x70bd28, 0x25dfdbfc, {}, [@BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x44c}, @BATADV_ATTR_MULTICAST_FORCEFLOOD_ENABLED={0x5, 0x37, 0x1}, @BATADV_ATTR_GW_SEL_CLASS={0x8, 0x34, 0x7ff}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x1f88}, @BATADV_ATTR_GW_BANDWIDTH_DOWN={0x8, 0x31, 0x5}, @BATADV_ATTR_HARD_IFINDEX={0x8}, @BATADV_ATTR_ISOLATION_MASK={0x8, 0x2c, 0x1}, @BATADV_ATTR_FRAGMENTATION_ENABLED={0x5, 0x30, 0x1}]}, 0x54}, 0x1, 0x0, 0x0, 0x44080}, 0x40000)
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=@newlink={0x4c, 0x10, 0x44b, 0x0, 0x25dfdbfc, {0x7a, 0x0, 0x0, 0x0, 0x49001}, [@IFLA_LINKINFO={0x2c, 0x12, 0x0, 0x1, @bridge={{0xb}, {0x1c, 0x2, 0x0, 0x1, [@IFLA_BR_MCAST_QUERIER_INTVL={0xc, 0x20, 0x8000000000000001}, @IFLA_BR_MCAST_MEMBERSHIP_INTVL={0xc, 0x1f, 0x480}]}}}]}, 0x4c}, 0x1, 0x0, 0x0, 0x4000851}, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000240)='.\x00', 0x0, 0x10)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000080)=0xf)
ioctl$TCFLSH(r3, 0x400455c8, 0x0)
ioctl$EXT4_IOC_GROUP_ADD(r2, 0x40286608, &(0x7f0000000000)={0x31, 0xdd, 0x479c28ee, 0x9, 0x4, 0xc680})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-openat$tun-close-socket$nl_generic-syz_genetlink_get_family_id$tipc-sendmsg$TIPC_CMD_ENABLE_BEARER-ioctl$SIOCSIFHWADDR-openat$tun-close-socket$unix-socket$nl_route-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route_sched-sendmsg$nl_route_sched-ioctl$SIOCSIFHWADDR
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r1)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000080), r2)
sendmsg$TIPC_CMD_ENABLE_BEARER(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000680)=ANY=[@ANYBLOB='8\x00\x00\x00', @ANYRES16=r3, @ANYBLOB="010000000d0000000000010000000000000001410000001c001700000000000000006574683a73797a6b616c6c657230"], 0x38}}, 0x0)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x305200, 0x0)
close(r4)
r5 = socket$unix(0x1, 0x1, 0x0)
r6 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r7=>0x0})
sendmsg$nl_route_sched(r6, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000440)=@newqdisc={0x58, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0xffffffff, {0x0, 0x0, 0x0, r7, {0x0, 0xb}, {0xffff, 0xffff}, {0xb}}, [@qdisc_kind_options=@q_sfb={{0x8}, {0x2c, 0x2, @TCA_SFB_PARMS={0x28, 0x1, {0xa, 0x7f61, 0x1, 0xc5, 0xe23, 0x1, 0x1, 0x7fff, 0x1}}}}]}, 0x58}, 0x1, 0x0, 0x0, 0x20008001}, 0x0)
sendmsg$nl_route_sched(r6, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x240000a0}, 0x4028040)
ioctl$SIOCSIFHWADDR(r4, 0x8922, &(0x7f0000002280)={'syzkaller0\x00', @random="2b0100004ec6"})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
single: successfully extracted reproducer
found reproducer with 9 syscalls
minimizing guilty program
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040))
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
ioctl$NBD_SET_SOCK(r1, 0xab00, 0xffffffffffffffff)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(0xffffffffffffffff, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(0xffffffffffffffff, 0xab07, 0x4)
ioctl$NBD_DO_IT(0xffffffffffffffff, 0xab03)
ioctl$NBD_CLEAR_SOCK(0xffffffffffffffff, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
gettid()
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
gettid()
timer_create(0x0, 0x0, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, 0x0)
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, 0x0, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(0x0, 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, 0x0)
ioctl$NBD_SET_SOCK(r1, 0xab00, 0xffffffffffffffff)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program did not crash
extracting C reproducer
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
simplifying C reproducer
testing compiled C program (duration=45.197040529s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program did not crash
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program did not crash
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program did not crash
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_done_softirq
a never seen crash title: WARNING: refcount bug in blk_done_softirq, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in bt_tags_iter
a never seen crash title: WARNING: refcount bug in bt_tags_iter, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_done_softirq
a never seen crash title: WARNING: refcount bug in blk_done_softirq, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in bt_tags_iter
a never seen crash title: WARNING: refcount bug in bt_tags_iter, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_done_softirq
a never seen crash title: WARNING: refcount bug in blk_done_softirq, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in bt_tags_iter
a never seen crash title: WARNING: refcount bug in bt_tags_iter, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in bt_tags_iter
a never seen crash title: WARNING: refcount bug in bt_tags_iter, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_done_softirq
a never seen crash title: WARNING: refcount bug in blk_done_softirq, ignore
testing compiled C program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_done_softirq
a never seen crash title: WARNING: refcount bug in blk_done_softirq, ignore
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program crashed: WARNING: refcount bug in blk_done_softirq
validation run: crashed=true
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program crashed: WARNING: refcount bug in blk_done_softirq
validation run: crashed=true
testing program (duration=45.197040529s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): gettid-timer_create-timer_settime-syz_open_dev$ndb-socketpair$nbd-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r2=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r1, 0xab00, r2)
ioctl$NBD_SET_SIZE_BLOCKS(r1, 0xab07, 0x4)
ioctl$NBD_DO_IT(r1, 0xab03)
ioctl$NBD_CLEAR_SOCK(r1, 0xab04)

program crashed: WARNING: refcount bug in blk_done_softirq
validation run: crashed=true
reproducing took 59m20.989720437s
repro crashed as (corrupted=false):
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 20 at lib/refcount.c:28 refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 20 Comm: ksoftirqd/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Code: 09 01 48 c7 c7 e0 67 59 8a e8 d1 91 c3 05 0f 0b eb c4 e8 28 f4 9c fd c6 05 7f 1a 7b 09 01 48 c7 c7 40 68 59 8a e8 b5 91 c3 05 <0f> 0b eb a8 e8 0c f4 9c fd c6 05 60 1a 7b 09 01 48 c7 c7 80 67 59
RSP: 0018:ffffc90000da7c78 EFLAGS: 00010246

RAX: 1708c79c29411400 RBX: 0000000000000003 RCX: ffff888016a90000
RDX: 0000000000000100 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000001 R08: dffffc0000000000 R09: fffffbfff1ad32b6
R10: fffffbfff1ad32b6 R11: 1ffffffff1ad32b5 R12: dffffc0000000000
R13: 0000000000000005 R14: 0000000000000003 R15: ffffffff8a7ca320
FS:  0000000000000000(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c006cc3000 CR3: 000000007a5ea000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blk_complete_reqs block/blk-mq.c:587 [inline]
 blk_done_softirq+0xfa/0x140 block/blk-mq.c:592
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 run_ksoftirqd+0x98/0xf0 kernel/softirq.c:943
 smpboot_thread_fn+0x4f6/0x970 kernel/smpboot.c:164
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

final repro crashed as (corrupted=false):
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 20 at lib/refcount.c:28 refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 20 Comm: ksoftirqd/1 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Code: 09 01 48 c7 c7 e0 67 59 8a e8 d1 91 c3 05 0f 0b eb c4 e8 28 f4 9c fd c6 05 7f 1a 7b 09 01 48 c7 c7 40 68 59 8a e8 b5 91 c3 05 <0f> 0b eb a8 e8 0c f4 9c fd c6 05 60 1a 7b 09 01 48 c7 c7 80 67 59
RSP: 0018:ffffc90000da7c78 EFLAGS: 00010246

RAX: 1708c79c29411400 RBX: 0000000000000003 RCX: ffff888016a90000
RDX: 0000000000000100 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000001 R08: dffffc0000000000 R09: fffffbfff1ad32b6
R10: fffffbfff1ad32b6 R11: 1ffffffff1ad32b5 R12: dffffc0000000000
R13: 0000000000000005 R14: 0000000000000003 R15: ffffffff8a7ca320
FS:  0000000000000000(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c006cc3000 CR3: 000000007a5ea000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blk_complete_reqs block/blk-mq.c:587 [inline]
 blk_done_softirq+0xfa/0x140 block/blk-mq.c:592
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 run_ksoftirqd+0x98/0xf0 kernel/softirq.c:943
 smpboot_thread_fn+0x4f6/0x970 kernel/smpboot.c:164
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>