Extracting prog: 9m58.568225052s
Minimizing prog: 3h33m40.321906622s
Simplifying prog options: 0s
Extracting C: 1m5.197053057s
Simplifying C: 40m55.66806769s


extracting reproducer from 30 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-openat$binderfs-openat$ptmx-openat$sequencer-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80202, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 30s
testing program (duration=37s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 20, 19, 26, 24, 10, 14, 15, 17, 9, 3, 29, 26, 26, 26, 27, 29, 27, 6, 20, 12, 29, 19, 25, 28, 23, 26, 18, 24, 29]
detailed listing:
executing program 1:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8801}, 0x80)
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000080)=0xa0000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, 0x0)
ioctl$IOCTL_VMCI_DATAGRAM_SEND(r0, 0x7ab, 0x0)
ioctl$IOCTL_VMCI_NOTIFICATIONS_RECEIVE(r0, 0x7a6, &(0x7f0000000040)={0x1, 0xc8a3, 0x4, 0xf, 0x30000, 0xdb3})
syz_usb_connect(0x4, 0x0, 0x0, 0x0)
epoll_create1(0x0)
syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00')
r1 = syz_io_uring_setup(0xbdc, &(0x7f0000000640)={0x0, 0xec28, 0x400, 0x1, 0x40000333}, &(0x7f00000006c0)=<r2=>0x0, &(0x7f0000000240)=<r3=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, 0x0})
io_uring_enter(r1, 0x20af, 0x6d82, 0x0, 0x0, 0x0)
executing program 1:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x20024894)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
getpid()
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x707cb000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
prctl$PR_SET_MM(0x23, 0xa, &(0x7f00002d5000/0x2000)=nil)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000001c0)='environ\x00')
preadv(r3, &(0x7f0000001400)=[{&(0x7f0000000040)=""/113, 0x200000b1}], 0x1, 0xc002a0, 0x0)
syz_io_uring_setup(0x18d7, &(0x7f0000000040)={0x0, 0x0, 0x2, 0x0, 0x25b}, 0x0, &(0x7f0000ffe000))
syz_open_procfs(0x0, 0x0)
getsockopt$inet6_buf(0xffffffffffffffff, 0x29, 0x30, &(0x7f0000000180)=""/214, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r3, 0xd0009411, &(0x7f0000002440)={{0x0, 0xfffffffffffffff8, 0x5, 0x7, 0x6, 0x8000000000000000, 0x1, 0x3, 0x6, 0x5, 0x0, 0x5, 0x5, 0x4, 0x7}})
bind$inet(r0, &(0x7f00000000c0)={0x2, 0x4e20, @broadcast}, 0x10)
sendto$inet(r0, &(0x7f0000000140), 0xffffffffffffff58, 0x20008005, &(0x7f0000000100)={0x2, 0x4e20}, 0x10)
executing program 3:
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f00000003c0)={0x0, 0x0, 0x0}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000240)={0x8, 0x248}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x1, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0xffffe000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000001c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f00000004c0)=@abs={0x0, 0x0, 0x4e24}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x3fffffffffffeda, 0x2, 0x0)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xb, &(0x7f0000000180)=ANY=[], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x33, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r3}, 0x10)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000000)={0x0, &(0x7f00000000c0)})
fsopen(&(0x7f0000000040)='configfs\x00', 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000080)='.\x00', 0x0, 0x0, 0x0)
r4 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="020000000400000008f9000001"], 0x48)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0xd, 0x10, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff00000000b7080000000000007b8af0ff00000000bf8100000000000007080000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018210000", @ANYRES32=r4, @ANYBLOB="0000000008000000b705000008000000850000005d00000095"], &(0x7f0000000300)='GPL\x00', 0x2, 0x100a, &(0x7f0000002500)=""/4106, 0x0, 0x5}, 0x94)
executing program 3:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in6={{0xa, 0x4e23, 0xfffffffc, @dev={0xfe, 0x80, '\x00', 0x3c}, 0x8}}, 0x4, 0x2, 0xe, 0x7588, 0x168, 0xfffffffc, 0x7}, &(0x7f0000000140)=0x9c)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000280)={'vxcan0\x00'})
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
r3 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r3, 0x107, 0x8, &(0x7f0000000100)=0x40049, 0x4)
write(0xffffffffffffffff, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 3:
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
ioctl$EXT4_IOC_GETSTATE(r0, 0x40046629, 0x0)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f0000000080)={0xaa, 0x79})
ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000002, 0x8031, 0xffffffffffffffff, 0xfffff000)
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, 0x0)
r1 = socket(0x10, 0x2, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r1, 0x10e, 0xc, &(0x7f0000000080)={0x3, 0x2, 0x0, 0x3}, 0x10)
sendmsg$nl_route(r1, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x2, 0x2, 0x1)
syz_io_uring_setup(0x332e, &(0x7f0000000480)={0x0, 0xaeb7, 0x40, 0x3, 0x2d9}, 0x0, &(0x7f0000000400))
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
connect$inet6(r3, 0x0, 0x0)
connect$unix(r2, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f00000000c0)='contention_end\x00'}, 0x18)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='mmap_lock_acquire_returned\x00'}, 0x18)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffe, 0x4031, 0xffffffffffffffff, 0x0)
userfaultfd(0x80001)
executing program 2:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
sendmsg$nl_xfrm(0xffffffffffffffff, 0x0, 0x80)
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000080)=0xa0000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, &(0x7f0000000000)={@my=0x0})
ioctl$IOCTL_VMCI_NOTIFICATIONS_RECEIVE(r0, 0x7a6, 0x0)
r1 = syz_io_uring_setup(0xbdc, &(0x7f0000000640)={0x0, 0xec28, 0x400, 0x1, 0x40000333}, 0x0, &(0x7f0000000240)=<r2=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(0x0, r2, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, 0x0})
io_uring_enter(r1, 0x20af, 0x6d82, 0x0, 0x0, 0x0)
executing program 4:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8801}, 0x80)
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000080)=0xa0000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, 0x0)
ioctl$IOCTL_VMCI_DATAGRAM_SEND(r0, 0x7ab, 0x0)
ioctl$IOCTL_VMCI_NOTIFICATIONS_RECEIVE(r0, 0x7a6, &(0x7f0000000040)={0x1, 0xc8a3, 0x4, 0xf, 0x30000, 0xdb3})
syz_usb_connect(0x4, 0x0, 0x0, 0x0)
epoll_create1(0x0)
syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00')
r1 = syz_io_uring_setup(0xbdc, &(0x7f0000000640)={0x0, 0xec28, 0x400, 0x1, 0x40000333}, &(0x7f00000006c0)=<r2=>0x0, &(0x7f0000000240)=<r3=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, 0x0})
io_uring_enter(r1, 0x20af, 0x6d82, 0x0, 0x0, 0x0)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_netfilter(0x10, 0x3, 0xc)
setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, 0x0, 0x0)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000440)={&(0x7f0000000440)=ANY=[], 0x0, 0x39, 0x0, 0x1, 0x9}, 0x28)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1c0000, 0x1, &(0x7f0000000040))
userfaultfd(0x802)
openat$rfkill(0xffffff9c, &(0x7f00000003c0), 0x0, 0x0)
epoll_create1(0x0)
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000100), 0x1c3902, 0x0)
syz_io_uring_setup(0x32b7, &(0x7f0000000180)={0x0, 0x7f1, 0x1, 0x4, 0x41}, 0x0, 0x0)
sendfile(r0, r0, 0x0, 0x2000fb)
io_setup(0x4, &(0x7f00000014c0))
executing program 2:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000280)={{0x12, 0x1, 0x141, 0xf2, 0xc5, 0x96, 0x20, 0x16d0, 0x10b8, 0xde8e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x0, 0x2, 0x1, 0x0, 0x83, 0xec, 0x0, [], [{{0x9, 0x5, 0x6, 0x2, 0x200, 0x2, 0x0, 0xa}}]}}]}}]}}, 0x0)
syz_emit_ethernet(0x76, &(0x7f00000004c0)={@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x16}, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "d3ffff", 0x40, 0x3a, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @mcast2, {[], @param_prob={0x2, 0x0, 0x0, 0x502, {0x0, 0x6, "508359", 0x0, 0x0, 0x0, @private1, @remote, [@hopopts={0x3a}], "a87f7292fee6ad36"}}}}}}}, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = socket$l2tp6(0xa, 0x2, 0x73)
mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x0, 0x0, &(0x7f0000006680))
rmdir(&(0x7f0000000080)='./cgroup/../file0\x00')
getsockopt$inet6_mreq(r1, 0x29, 0x15, 0x0, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000400)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0xffff, 0xffff}}}, 0x24}}, 0x0)
bpf$BPF_GET_PROG_INFO(0xf, 0x0, 0x0)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(0xffffffffffffffff, 0x89f1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000000)={0x8, 0x100008b}, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000180)=0x1400200bce)
sched_setscheduler(0x0, 0x1, &(0x7f0000002200)=0x1)
r2 = syz_open_dev$MSR(&(0x7f0000000200), 0x0, 0x0)
read$msr(r2, &(0x7f0000002700)=""/102392, 0x18ff8)
ioctl$sock_inet6_SIOCDELRT(r0, 0x890c, &(0x7f0000005fc0)={@remote, @empty, @empty, 0x7, 0x8000, 0x40, 0x400, 0x5, 0x18c0012})
executing program 1:
setresuid(0xffffffffffffffff, 0xee01, 0x0)
syz_usb_connect(0x0, 0x0, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f0000000280)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r0 = socket(0x1e, 0x4, 0x0)
connect$tipc(r0, &(0x7f0000000040)=@nameseq={0x1e, 0x1, 0x1, {0x1, 0x0, 0x3}}, 0x10)
sendmmsg$unix(r0, &(0x7f0000004400), 0x400000000000203, 0x101d0)
executing program 3:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r0, &(0x7f0000000180)={0xa, 0x4001, 0x0, @dev={0xfe, 0x80, '\x00', 0x1b}, 0xd}, 0x1c)
write$binfmt_script(r0, 0x0, 0x0)
executing program 3:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
clock_adjtime(0x0, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=@ipv4_delroute={0x1c, 0x18, 0x1, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0x0, 0x0, 0xff}}, 0x1c}}, 0x0)
write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, &(0x7f0000000140)={0x2, 0x1}, 0x2)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
r2 = socket$tipc(0x1e, 0x5, 0x0)
bind$tipc(r2, &(0x7f0000000340)=@nameseq={0x1e, 0x1, 0x3, {0x43}}, 0x10)
socket$tipc(0x1e, 0x5, 0x0)
setsockopt$TIPC_GROUP_JOIN(r2, 0x10f, 0x87, 0x0, 0x0)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
mremap(&(0x7f000054e000/0x1000)=nil, 0x1000, 0x3000, 0x3, &(0x7f000022c000/0x3000)=nil)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000500), 0x100, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r5, 0x4008ae89, &(0x7f0000000200)={0x1, 0x0, [{0x11, 0x0, 0x1}]})
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000000)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0xfffffc01, 0x400}}, './file0\x00'})
ioctl$KVM_GET_XSAVE(r5, 0x9000aea4, &(0x7f0000001540))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
remap_file_pages(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)
mremap(&(0x7f0000e2f000/0x1000)=nil, 0x1000, 0x3000, 0x7, &(0x7f0000c53000/0x3000)=nil)
executing program 0:
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000480), 0x129540, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1)
r1 = creat(&(0x7f00000002c0)='./file0\x00', 0x0)
open$dir(&(0x7f0000000080)='./file1\x00', 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00', <r4=>0x0})
sendmsg$NL80211_CMD_SET_TX_BITRATE_MASK(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000640)={0x40, r3, 0x1, 0xffffffff, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_TX_RATES={0x24, 0x5a, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x20, 0x1, 0x0, 0x1, [@NL80211_TXRATE_VHT={0x14, 0x3, {[0x0, 0x0, 0x0, 0x8, 0x1]}}, @NL80211_TXRATE_HT={0x4}, @NL80211_TXRATE_LEGACY={0x4}]}]}]}, 0x40}}, 0x0)
write$qrtrtun(r1, &(0x7f0000000400)="0b8ca3756ea769f253", 0x9)
bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x2, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000300000000000000fe020010"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x100, 0x70, '\x00', 0x0, @fallback=0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_LINK_CREATE_XDP(0x1c, 0x0, 0x0)
r5 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000003400), 0x42300, 0x0)
ioctl$VHOST_SET_FEATURES(r5, 0x4008af00, &(0x7f0000003b40)=0x4000000)
close(0x4)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)={0x14, 0x2e, 0x9, 0x70bd27, 0x0, {0x4}}, 0x14}, 0x1, 0x0, 0x0, 0x42804}, 0x0)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NL802154_CMD_DEL_SEC_DEVKEY(r7, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=ANY=[], 0x54}, 0x1, 0x0, 0x0, 0x40c4}, 0x20040840)
ioctl$IOCTL_GET_NCIDEV_IDX(0xffffffffffffffff, 0x0, &(0x7f0000000140))
sendmsg$NFC_CMD_LLC_SET_PARAMS(r7, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)=ANY=[], 0x44}, 0x1, 0x0, 0x0, 0x8000}, 0x12)
executing program 4:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in6={{0xa, 0x4e23, 0xfffffffc, @dev={0xfe, 0x80, '\x00', 0x3c}, 0x8}}, 0x4, 0x2, 0xe, 0x7588, 0x168, 0xfffffffc, 0x7}, &(0x7f0000000140)=0x9c)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000280)={'vxcan0\x00'})
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
r3 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r3, 0x107, 0x8, &(0x7f0000000100)=0x40049, 0x4)
write(0xffffffffffffffff, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 2:
getpid()
r0 = socket(0x10, 0x3, 0x0)
socket$key(0xf, 0x3, 0x2)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="05000000810000000200000009"], 0x48)
bpf$MAP_DELETE_BATCH(0x18, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x5, r2, 0x0, 0x20}, 0x38)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/custom1\x00', 0x802, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f00000000c0)=0x3)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r3 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101)
r4 = dup(r3)
write$6lowpan_enable(r4, &(0x7f0000000000)='0', 0xfffffd2c)
r5 = syz_io_uring_setup(0xef4, &(0x7f00000003c0)={0x0, 0x26c3, 0x1, 0x3, 0x0, 0x0, r4}, &(0x7f0000000180)=<r6=>0x0, &(0x7f00000001c0)=<r7=>0x0)
syz_io_uring_submit(r6, r7, 0x0)
io_uring_enter(r5, 0x2ded, 0x4000, 0x10, 0x0, 0x0)
ioprio_get$uid(0x3, 0x0)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
write$bt_hci(r1, 0x0, 0xb)
r8 = syz_open_dev$vim2m(&(0x7f0000000580), 0x4, 0x2)
ioctl$vim2m_VIDIOC_REQBUFS(r8, 0xc0145608, &(0x7f00000000c0)={0x2, 0x1, 0x1})
ioctl$vim2m_VIDIOC_STREAMOFF(r8, 0x40045612, &(0x7f0000000100)=0x1)
openat$qrtrtun(0xffffffffffffff9c, &(0x7f0000000140), 0x52ec3)
bind$packet(0xffffffffffffffff, 0x0, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0xc, &(0x7f0000000040)={0x5}, 0x10)
executing program 4:
openat$binderfs(0xffffffffffffff9c, 0x0, 0x801, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000480), 0x129540, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1)
r1 = creat(&(0x7f00000002c0)='./file0\x00', 0x0)
open$dir(&(0x7f0000000080)='./file1\x00', 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00', <r4=>0x0})
sendmsg$NL80211_CMD_SET_TX_BITRATE_MASK(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000640)={0x40, r3, 0x1, 0xffffffff, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_TX_RATES={0x24, 0x5a, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x20, 0x1, 0x0, 0x1, [@NL80211_TXRATE_VHT={0x14, 0x3, {[0x0, 0x0, 0x0, 0x8, 0x1]}}, @NL80211_TXRATE_HT={0x4}, @NL80211_TXRATE_LEGACY={0x4}]}]}]}, 0x40}}, 0x0)
write$qrtrtun(r1, &(0x7f0000000400)="0b8ca3756ea769f253", 0x9)
bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x2, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000300000000000000fe020010"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x100, 0x70, '\x00', 0x0, @fallback=0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_LINK_CREATE_XDP(0x1c, 0x0, 0x0)
r5 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000003400), 0x42300, 0x0)
ioctl$VHOST_SET_FEATURES(r5, 0x4008af00, &(0x7f0000003b40)=0x4000000)
close(0x4)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)={0x14, 0x2e, 0x9, 0x70bd27, 0x0, {0x4}}, 0x14}, 0x1, 0x0, 0x0, 0x42804}, 0x0)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NL802154_CMD_DEL_SEC_DEVKEY(r7, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=ANY=[], 0x54}, 0x1, 0x0, 0x0, 0x40c4}, 0x20040840)
ioctl$IOCTL_GET_NCIDEV_IDX(0xffffffffffffffff, 0x0, &(0x7f0000000140))
sendmsg$NFC_CMD_LLC_SET_PARAMS(r7, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)=ANY=[], 0x44}, 0x1, 0x0, 0x0, 0x8000}, 0x12)
executing program 1:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
clock_adjtime(0x0, &(0x7f0000000100)={0x2, 0x6a, 0x5, 0x8000000000000001, 0x48c, 0x5, 0xd, 0x424, 0x2, 0xffffffffffffffff, 0xf423f, 0xfffffffffffffff9, 0x7, 0x2, 0x1000000081, 0x5, 0x0, 0x5, 0x0, 0x9220000000000000, 0x3, 0x0, 0x80000001, 0x0, 0x5, 0x7})
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=@ipv4_delroute={0x1c, 0x18, 0x1, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0x0, 0x0, 0xff}}, 0x1c}}, 0x0)
write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, &(0x7f0000000140)={0x2, 0x1}, 0x2)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
r3 = socket$tipc(0x1e, 0x5, 0x0)
bind$tipc(r3, &(0x7f0000000340)=@nameseq={0x1e, 0x1, 0x3, {0x43}}, 0x10)
socket$tipc(0x1e, 0x5, 0x0)
setsockopt$TIPC_GROUP_JOIN(r3, 0x10f, 0x87, 0x0, 0x0)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000500), 0x100, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r6, 0x4008ae89, &(0x7f0000000200)={0x1, 0x0, [{0x11, 0x0, 0x1}]})
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000000)={{0x1, 0x1, 0x18, r2, {0xfffffc01, 0x400}}, './file0\x00'})
ioctl$KVM_GET_XSAVE(r6, 0x9000aea4, &(0x7f0000001540))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
remap_file_pages(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)
mremap(&(0x7f0000e2f000/0x1000)=nil, 0x1000, 0x3000, 0x7, &(0x7f0000c53000/0x3000)=nil)
executing program 0:
openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
r2 = socket(0x28, 0x5, 0x0)
bind$vsock_stream(r2, &(0x7f0000000040), 0x10)
r3 = socket$rxrpc(0x21, 0x2, 0x2)
setsockopt$RXRPC_MIN_SECURITY_LEVEL(r3, 0x110, 0x4, &(0x7f0000000040), 0x4)
r4 = socket(0x28, 0x5, 0x0)
connect$vsock_stream(r4, &(0x7f0000000080), 0x10)
setsockopt$sock_linger(r4, 0x1, 0x3c, &(0x7f0000000180)={0x1, 0x5}, 0x8)
sendmmsg(r4, 0x0, 0x0, 0x24008094)
recvmsg(0xffffffffffffffff, 0x0, 0x10000)
r5 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="1b0000000000000000000000000004"], 0x48)
r6 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0x6, &(0x7f0000000cc0)=ANY=[@ANYBLOB="050000000000000061110c00000000008510000002000000850000000500000095000000000000009500a5050000000077d8f3b423cdac8d80000000000000002be16ad10a48b243ccc42606d25dfd73a015e0ca7fc2506a0f7535f7866907dc0200000000000000ae669e17fd6587d452d6453559c3421eed73d56615fe6c54c3b3ffe1b4ce25d7c983c044c03bf3a48dfe47ec9dd6c091c30b93bfae76d9ebacd3ed3e26e7a23129d6606fd28a69989d552af6bda9df2c3af36effff9af2551ce896165127cb3f011a7d06602e2fc40848228567ffb400000000003ed38ae89d24e1cebfba2f87925bfacba83109751fe6c05405d027edd68149ee99eef6a6992308a4fc0b7c70bc677d6dd4aed4af7500d7900a820b6347184e9a217b5614cd50cbe43a1ed2526814bc0000e9e086ce48e90defb6670c3df2624f56da648d28ad0a97aec7291c25447c106a99893e10db21901eb397b2f5fd71400fa7a050fbbef9e326ea27e513e96068fd1e8a43e89f9c85c822a961546ed5363c17ff1432d08806bc376e3e49ee52b59d13182e1f24ed200ada10eb1affb87ba55b2d72078e9f40b4ae7d01000000d11cd22c35d32940000088dde499000000fdffffff00000000000f000000ef0000000000000000000000000c52f4ebd2c893bb97a068bd10734a83584898eccb26f7b789cfc4cd995fa3e11a5c74c85404e2df3ad37b729ac83b0dcb4f48f3c3356b9997fc455a17690b6f7f9ccbe4b1701941b18aba6b16455a66c3b84b138efc20a546d3d5227e23b03f2a834391ade2ff3e93ee296c4082ee73e7c353312c9d75711ce1623e9c54bdff59d2a69dcb7d84c235b23a4480c2461b405cfd1a38992f295ad3adc94cd07c850d1ce6d0b2fea02c24e9280333152fb794e4ddea02017a6c139b50101caecaf2abc0847a1ff2f7fc3c2b99a96fc4275ad107274e2934a87a4ddcdb112754ca5bdec0ead14b6c0f19a43a2f05c7f0be31491eb8c9ff68236c8600040000000000000000000066e034c81c3cab64e4fc8dc55ce0ada18dcbf31c6e82893add3bee3e10fc873d1d922b0877cbcd95b839d3059d5140a1f742f6e75741e39e5cb6a193e06a1043375b0f61b5d4e17c81baa31b924d84f224baf1221c15fa12313ffbfa7c2730309f66705b71e6205e7cbf3643561eabb9a63fcd604d5cc27e1317ad94cf438d71873e540be16b6ca205081173bd03c4754fc4674812daab482fd390a1c903b5d28a1eb247b5837d7603b92495d5c569f6433c3fca5206cb0000003fdbbd3892c52c2e7612e05de32322e980a3d69931e2c9312dd517c96f2ee90362476ed853c4c9b7d4ebf13cbaa795860e92a3d7d004f2c491db38eb769f094d5d48b262cc35c40682138cf13a49aa9f27abec00002f01ba1251aaf2385416ca719300"], &(0x7f0000000080)='GPL\x00', 0x5, 0x29e, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x6}, 0x70)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r6}, 0x10)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0xf, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r5, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf0900000000000055090100000000009500000800000000bf91000000000000b702000043e7b5538500000085000000b70000000000000095"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x43, '\x00', 0x0, @fallback=0xa, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000140)='kmem_cache_free\x00', r7, 0x0, 0x8}, 0x18)
pselect6(0x40, &(0x7f00000001c0)={0x0, 0x0, 0x3, 0x7fffffffff, 0x1}, 0x0, &(0x7f0000000280)={0x3ff, 0x0, 0x0, 0x3, 0x0, 0x0, 0x4, 0xfffffffffffffffc}, 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(r1, 0x40946400, 0x0)
sendmsg$IPCTNL_MSG_TIMEOUT_DEFAULT_GET(0xffffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000), 0xc, &(0x7f0000000200)={&(0x7f0000000540)=ANY=[@ANYBLOB="a80000000408050000000000000000000200000244000480080005400000004008000740000000070800014000000fff08000640000000070800014000000fff0800054000000002080008400000000208000640000000100900010073797a30000000000600024086dd000014000480080002400000003408000740000000051c0044800800014000000008080001400000008c080001400000000b0900010073797a31000000"], 0xa8}, 0x1, 0x0, 0x0, 0x10}, 0x4000081)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
timerfd_create(0x7, 0x80800)
pselect6(0x40, &(0x7f0000000100), &(0x7f0000000000)={0x1f}, 0x0, 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(r1, 0x40946400, &(0x7f00000000c0)={'adq12b\x00', [0x4f27, 0x2, 0x10000, 0x4, 0xe, 0x0, 0x3, 0x7, 0xa, 0x1, 0x8001, 0x4, 0xff6b, 0x801, 0xfffffffe, 0xb4b, 0x0, 0xfffffffe, 0x3, 0x40000003, 0x89, 0xcaa7, 0x201ff, 0x20001e58, 0xb, 0xe6b, 0x3c, 0x6, 0x65c, 0x0, 0xfffffff8]})
sendmsg$nl_route_sched(r0, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000300)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb01001800000000000000180000001800000007000000050000000100000f100000000700004820000000080e0000006f61303061"], &(0x7f0000005bc0)=""/255, 0x37, 0xff, 0x9, 0x1000}, 0x28)
executing program 2:
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000100)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x0, @loopback}, 0x4}}, 0x2e)
syz_emit_ethernet(0x46, &(0x7f0000000140)={@link_local, @random="dce65fbcee55", @void, {@ipv6={0x86dd, @udp={0x0, 0x6, "010100", 0x10, 0x11, 0x0, @remote, @local, {[], {0x0, 0xe22, 0x10, 0x0, @gue={{0x2, 0x0, 0x0, 0x3}}}}}}}}, 0x0)
recvmmsg(r1, &(0x7f0000000340), 0x4000000000000da, 0xda, 0x0)
executing program 3:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x20024894)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
getpid()
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x707cb000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
prctl$PR_SET_MM(0x23, 0xa, &(0x7f00002d5000/0x2000)=nil)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000001c0)='environ\x00')
preadv(r3, &(0x7f0000001400)=[{&(0x7f0000000040)=""/113, 0x200000b1}], 0x1, 0xc002a0, 0x0)
syz_io_uring_setup(0x18d7, &(0x7f0000000040)={0x0, 0x0, 0x2, 0x0, 0x25b}, 0x0, &(0x7f0000ffe000))
syz_open_procfs(0x0, 0x0)
getsockopt$inet6_buf(0xffffffffffffffff, 0x29, 0x30, &(0x7f0000000180)=""/214, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r3, 0xd0009411, &(0x7f0000002440)={{0x0, 0xfffffffffffffff8, 0x5, 0x7, 0x6, 0x8000000000000000, 0x1, 0x3, 0x6, 0x5, 0x0, 0x5, 0x5, 0x4, 0x7}})
bind$inet(r0, &(0x7f00000000c0)={0x2, 0x4e20, @broadcast}, 0x10)
sendto$inet(r0, &(0x7f0000000140), 0xffffffffffffff58, 0x20008005, &(0x7f0000000100)={0x2, 0x4e20}, 0x10)
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0xc)
bind$netlink(r0, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc)
setsockopt$netlink_NETLINK_BROADCAST_ERROR(r0, 0x10e, 0x4, &(0x7f0000000140)=0x6, 0x4)
setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000200), 0x4)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0)
sendmsg$IPCTNL_MSG_CT_DELETE(r1, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000640)={0x14, 0x2, 0x1, 0x5, 0x0, 0x0, {0x2, 0x0, 0x8}}, 0x14}, 0x1, 0x0, 0x0, 0x20044804}, 0x40040)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000001c0)=ANY=[@ANYBLOB="980000000001010400000000000000000a0000003c0001802c00018014000300fe8000000000000000000000000000aa14000400ff0100000000000000000000000000010c00028005000100000000003c0002802c00018014000300fe8000000000000000000000000000aa14000400fe8800000000000000000000000000010c0002800500010000000000080007"], 0x98}}, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x0)
executing program 2:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f00000005c0)=ANY=[], 0x64}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_ADD(r1, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000780)=ANY=[@ANYBLOB="74000000090601020000000000000000030000000900020073797a310000000005000100070000004c0007801800018014000240fe8000000000000000000300000000aa1800148014000240fc000000000000000000000000000000060004404e1f0000050007008400000006000540"], 0x74}, 0x1, 0x0, 0x0, 0x10040003}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket(0x200000000000011, 0x2, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000640)=ANY=[], 0x48)
r3 = signalfd(0xffffffffffffffff, &(0x7f0000000140), 0x8)
r4 = syz_io_uring_setup(0x38a9, &(0x7f0000000540)={0x0, 0x0, 0x10100, 0x0, 0xfffffffe}, &(0x7f0000000040)=<r5=>0x0, &(0x7f0000000140)=<r6=>0x0)
syz_io_uring_submit(r5, r6, &(0x7f00000001c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x3, r3})
io_uring_enter(r4, 0x40044fd, 0xb780, 0x0, 0x0, 0xfffffe71)
r7 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x3, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={&(0x7f00000000c0)='sys_enter\x00', r7}, 0x10)
rt_sigprocmask(0x0, &(0x7f0000000000)={[0xfffffffffffffffd]}, 0x0, 0x8)
rt_sigsuspend(&(0x7f0000000040)={[0xfffffffffffbfefd]}, 0x8)
ioctl$TIOCSETD(0xffffffffffffffff, 0x5423, &(0x7f0000000040)=0xd)
rt_sigsuspend(&(0x7f0000000400), 0x8)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(r2, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000680)=ANY=[@ANYBLOB="5c00000000000304000000000700000000000000", @ANYRESDEC=r4, @ANYBLOB="00000000033a01003c0012800b00010062726964676500002c00028005001700"], 0x5c}, 0x1, 0x0, 0x0, 0x4000004}, 0x0)
r8 = openat$dsp(0xffffff9c, &(0x7f0000000040), 0x200, 0x0)
ioctl(0xffffffffffffffff, 0x5, &(0x7f0000000800)="0f467e311e965f2cdf70fcaf152d6e85fe717bb8bdebed3e4a1cc2a73a2c294398aee4f581c66ea8a056bd64b428a63393b7eaa8fce8a634eda1777846e67a041895422e405ef300b03c0957fd7af15410b0aace0767efb5ea47ccee3a7b10ed17d3debf36c88ca3279ba406ad641f56fcc83dfb5a698ced45dcd82ba2df2e027f725bbafa3eccc84114d867a5459d2ea366dbcb828e0612f55f58ea2c0b61c2c25c177f6deb93109be80a9767c9d86840d0576a59c4c69196bae6fa1dfe81e45bdd3243cd5270b0a0237c44ebd0f4024f3599d20c65b272bca686d857cc2d5f3a00b9ece8c0915e2733c6dbba861d93d7097263859e7e85f774bb300849041e6dda93fa286ad90355bbc11d6d0903fec948bbf482f5e2d8f104f8a1118625a5c4f3550930af6e3274ed801a2bd2a9d66db0988757affd8530895090e3946f7108fe7fdbd0b32925cfafe980c97c8c7645bf6dc0389f3abc3903c505145f0b6ba3ee7881c770319123d7f8829afb25633ded1a501fdf24755e4be0a50033c14ff770dbbce30cb955a953696cf539404662292cc36dab8a88b2983abbc8d1bfe3c72a80970d7727a1dfc29a2d6280d3daaa36b019500fb01d07fc34cb1a18ed8925da7750686ed8d7157825b95781ad77b6f67240b2b1494c500c6242f7a5af4f681a7f25f12ff4398bb0605af5f0214825483753f4deccf230bf07d6678efe69f2dec3638e65cad64729a5ece4b70d1ab0c108771ddc7ca0c5f4c4c9f42ba225e3f6c9adc1253a269573d93ca145ed69821a6025c6053a2d84ce958bc6982fac4e079b610e36b2925768339026d974d38ec8e330ddcbf51db84ff1b9283edf9bbdc4f08b5797cc1a2d36b2da3282e409dc1ea7366db5ae7baee67e33aec33ebd1221e39b168e88c5cb1caf95cda6675407e219d8a58941a7f621cbb0536f3d59dca5576c2160ac3bc4bcf03835ba25d09471f887fffd2c12e8acb0d4a9736deaae89f5e7e2ddb3d8b9ab02e22f3a6eea5162d5d2baf55c1db4eda4c89886842ce912b06d7f7e798a602874078895d353b543e501b4f841e998e49b8d6556b2e3a53cc8a43f87ee67da3a566e9f3ff63e394a491c2854f660912d23c2eb669b68f8e304d6ca8e8d1dc34239af9ae92df25a7cc8d5127397f7cd1c4c3009cfa427693c0648e5576462604baa4f11e42b06b5c06a20008dbba90613983cd92af7e2ad21c20b9bb6cf4ad8796d5ec22b3ca9e478b872813970be1e25d8c3615828a9fd3227d8e6dbe722682e01aa055799ab6daba93a4a1414b84e1cac932a3d18705387bee98bceae1056e0a1942cdfe6831849658f0b5c1ce63e89c104974025c9bf0df2c0f8308e50e9e02e4ad0ced7abd8c8d915c7075211239a510315f08a665a2c1fb8de744b05711e5a9902d9cde75515d51d190a062c229be43cd847799a7d35daf379dc9a20ac3211fe0d39315c19555619b4f0a5f5640f0571878cc91c18b19ab28b002c0bd8b6e77b4498dd525e6b23b68713dadd2a258530544a38960dd9a1ba0406ad23a72e7641212a17c970a190fa26b2499421682111dd0f4d1de47924f985ca6303d2ab007df3e644a8a3b699e0e71756953f9d43618a6551209fad267a98bb600631f8627a084fc2aac35d57eddd21096cf1fdb9c7423404e7b3090cb870fca66c2082acd26c9e10a73836b79bb580ec665f4899cad30c7ba44709d5bd27d8764a1df164f4867c4a02e767445f75a7ab3c366813dc0e0f8be9ccbb64f0a44fcc1d2ed3301eaa7d4591497405c4421f1b42273dcead093f32a98cad82f67dc645cbe913d319f6fd180d0c76bddaf1a5ee82cd5c07ba717b23e0e60f3d38f668c95ea166f234abf5771b7fee8355a7e81ee0f97d7f7f02c8c5c7640fd9a335019e3b069e2c0dc6289deed9f2db56b246f0450843bbdc98d30dbc063946d082151a24ce78d6c051d44e87682d964d4e7b2bf431f66eece38f4e3d8ba78c646e75351ad7784cde4bb858ab9c688338ed2fb22d237d296b49ad762ce7caa63d4542846ab79b4dcbac6d3bbaa81e290d452ca5ad80b9bf85fc6481bec9fb41525184cbc5e0cca65cf510b65f1cff7c56f698969570f5b5c64dae2648340e3f2a3b5dca146b37121934a7bbf99575f6ae04b8081b3ada675a5cc2ed9819075e9093f0307222c9d2fa8defc24bf2f23c8e539aad8454ab176b5a1cc7d81bff36b60a7ff6d863fba7d8894826fca9c024043f4979edf9f26a0825365cd2489ea762c9f2ed8ffe53168159cfaf1bdc392cf2ad3c2dc1d6eadb04553fc31b24b4e655324c679c781942c916ca3027125c52fbc0270a7e34d4e95e4d1af1663803df214d7a8704ab1872b285c1e2ada8af5e137749535f3f5ca9a128844e65853e22883f9a535a5c9abf4a966077e7cd77c5cdef8fd6a5d2d8ac2bdaf98b1f33cd17afd8a93078588037b26b410c247463dc296aa81a0a62232e31c24730550c42791411569ec88ed36fbe150f59e9a58cfc1d4b45cabb1225ff554e398f6e02a22e67abab25299de6add3f96c6925cfd0a213107f578fbabc93a50708930a54c8af6466c9e5ca75b99f9ee7a41eae3f5f5fac5db6bc2d4077d8b5e71432f2b70db1c8540b67a8c1291014856ac8a5464d63e982e43415cccd0120c18b783cc85f30aab9f20717d4a904d2026d4ccf91e18ed7fa21cf34f980d4b34439aa1736509449638a86abe526089554c4357055bc5887096c5a80812b98747b4a8846bc81529414168459fe6c696fc9c67228586194d4ce30e05c9e1877581ea31d7d20144747e20ab3a51ea999fd002880f44dc91a652b039e626ec76c1a42ba7e98cc01c74a9f9fc2f182af0179e91bf2cdbd8f7b6744c484c146b73fb96c8c3b41b44cc9415fcfaf815760f0abc28af3388c2caf73935158a5e25d6baa387a2a33211123f498dc44385c611889b6bd67b00ad01ea6fdfd5f56c02b80ec4c0ded52bd7e899b0a27cb286453910d5ca20ec868adbcb5815c26a18328836dd77203e1ada4ddf6dab25756de9ec78e1084d66b2f05ed844466775cc2eb155eeec94568cfc8989957f1f93330a0585dfc6a3554d75a55d492dd777f9d4f2e2ecbb0977e0efc1e217af7fb59d498adf1432b656580e97400d142d75a44da71bfae8de196dc3eb6c72135cd5875e0e18d234ecb30da7310086fed88e7790707e618f18fb9f72deb68e0b208497be17af1dc246827472b153f94f2ff024e2b502afd3880780ce018ba02981fe05b0502d51ae37409b87a19b9d13675815a038bcba54eaa2605a4db871cc4c9b126190fd7ec459e9f96fd3b8d9db2e7a65b8a92dbd0e71374f384e530fc9bc5ed2930e995fca6f792deb99cd5e0d4e3dd4d64a8e046ec11106a96146761a685c48730fc7cda4198d2b150b8ee76314211127144cf97a48e2b33df6a544e2a31ec166289fd030c7885c72e75f550131e3aab08553f722f5ded628823a9e0fa8539a9ae64b3989356ddcb72e5a006ae0dc826d5b86e7dbc672ec4b1932ef3d85aab0448ac742dfb5c73786b16b1e8f06ac6d84a9426c7cd6501816fbd7393f6986e0e829d5bab4e61e4754fb4f4d43b338a751355f53c646b25a99abf2a55184cfe6fb89a1af07060d8d9a0b4e6eae2f4bdf9d25e20793861951e00c2fcc384db942af3018bf32642f7f02009078bba263878923452926add6aa05d48da2d60a369565d047cf6c3b5d1046eeb29f4805d0ba569e9552237e7acdfa8fbfca58f553a3d3e106b6a39259e3c190aa8b8b94c6821f3da34f60574b9e3d44550cabb699e722bfafb8dff5498fc51856751ad80f118964fd60af05f350451ca7f1c1b3c838d3c15b2e280f7c69a1e3ea406069b08612c1b3c269c740382a869bf535d05eb66ee63c8f254279733b136d8946a351c9619a79a3d73632c3c10046da2e1249a6630a89190fd223c5cd64350510b7536be3cb0680b43cc70e093712eecd094082222059821a2c9ec0e1d9a906c2c7390d8e17749a7d2073c179067d61cb83b6a9eda5f816e44683b082e0931e94c6c549c31da197d83df3a25db88eaba9404a219f3841177fa922596b69cdccd2c63f295a68702b4763bc1b11c29eec11361b911a73e03389641a026f961cc321b10af3dc909b6b914602a4218a1276c826a728231cac77a95a40ab71e62e202b162c5290506cbe3a073481ce1828203169ba922012b4b7c02833eefa026aa53fff889e7351d5b9ef491615daf869f4b8ccb23395ea9f67dbe6e26533b96dff1956f185dabbefa6c817f5b769d058402c5574b7f1f16aba7b6f82a5ab1055581c01bcfa3bc701ac0eeea84c58080234ad6441fe423ef48fc622197e2c63478ddf998bbddda91835489d08e9ea24b8d69c6d777d88555a44404457fa82d414fc7877e13b43201274fd446eaaac6a19c2782ba7ad6398d8668de675489dad05d25ed1e7ab66ee8c075e31f3bbf55e0f2f5192bd3aa30c07872144f1562660314d1b5d15a8c6fc8b83c9a2b5fa0e8f525510eaf3ba33f55fcdcfc0c504b4c1f2de293bbe304b7845c3157004567fff98f43a61bb8222d82fd8e987178b7080a7602602140130b574e8364af63e6eb9dcc39a83936c8f8a08794c392cd7b67573f5997f4ed161493a0fbf27852fb988b619b5b34e24458a64bfac11a7cacfc04563182b76fe2cef6219b06ebfc7b24302270bd43a90bb86e539bb8b484a20424862ae6dfa64c005f15e57065a33f4b8587d5e3e5fea941a384d77c200340d47ae0f89fe36e91801f9317a7308190ad9ae431eb21e5445dc491247111a3c0ee16f2a79db878b686a198c9344f48e7fb09bc2db9f5409cbb070a633fcf2e5959e64d1e68a903b42179684a795167a5ca3c20cc0c207035ecf037fca5d5348da91adf72bd624b6d7d59d280bb37322bd336d9c2e736d4d689c8fb57c47c96fb04dcc6bca698b05eaa303674ca5a2395e0f7cc8a641a32e8510f90e4c404d55c48b8cfe84a587700d1ae5a9cf4eed4e61d8ec4c1c409761ee1db0d359ffc2f715d7b8e12fd215de84b2389eb6d09375d2e7e076dcc2cd9710e1972241f44da9da2cf832269472bde28140d472c1a113329a47012f6091804f5f6ddd45397b9dfd62b771d45fc42aa683c100557d797a046587da64fea628ea82bc74910d28b3396021ba44dbac4a1b577847f0ef6d623401261c9ecbc9d9ba6cf9efbeacb310e1c73e7b6c575d31b2d3f5c9333ce6ed0a4e75014f6df828809c6bd6c90f9f994e71a04a74b20d4a33613400b438f80fa2f4642612c383985fa04c1b1e70fc10cfb305bc7e061ec43bf4a3ede77ff3bebdcf7d1dfe77a42e01f22a34bc3dfbc8998f5c8825cbea6a2b10a4b2a1023a5be516d09de9786fcb755ce8a57a9453921064b71587ca70e2da33e0d6535e5642f6aedbf342db5448b6a48b2225de6c04068a581688f0d3fe5c85c9cd7d3822bc63a6f092c5ca00f237fb0a8d1dafa96788b68fd0706e3202c9896f1cf4ca692526a37c6d25127409a50b336d120d48494a59d8a005dbecd3084cac7cd340c4eaf63b872d9e8f6c67d1008123d339399db48c63c47a992089dfbbcb40e608e0b7d94a449ca9bc41f14bfb217d9b3360e424a85dfeff7657102a89cde659c1289a72fcb4befc830653167c837b11ce64f6e1122ede019a5eec02693cdf50030f7bc15b75e15bd21fea74bc9ad7eaea55895d229153988eb2e6459876d1d9c2b8486c6b8c1d5a2ccf49393e806f0ff44b14fd830dfc740e3f37910284e458edb70")
write$dsp(r8, &(0x7f0000000180)="27b6407e9ac147085035a5fc41a6d87d0a5fdcc9395388fbbc6191794eddc8d7f969c9a16eecb0b5acc1a95350d5467160a95be8bb234500f9865d30a173137fe7b24fc9bb0d8d94c996601860a9ba68b2b14cbbea5626e3602c7a4698861abb42f5999acccc3bd47753c779e8735301d0a2c48af6614cc083", 0x79)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f00000000c0)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$DMA_HEAP_IOCTL_ALLOC(r10, 0xc0184800, &(0x7f0000000100)={0x4, <r11=>r9})
ioctl$DMA_BUF_IOCTL_SYNC(r11, 0x40086200, &(0x7f0000000080)=0x7)
r12 = syz_open_dev$tty1(0xc, 0x4, 0x3)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f00000004c0)={&(0x7f0000000380), &(0x7f00000003c0)=[0x0, 0x0, 0x0], &(0x7f0000000440)=[0x0, 0x0, 0x0], &(0x7f0000000480)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x3, 0x3, 0x8})
ioctl$KDDELIO(r12, 0x4b34, 0x3bf)
executing program 0:
syz_open_dev$tty1(0xc, 0x4, 0x1)
mremap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x4000, 0x3, &(0x7f0000005000/0x4000)=nil)
openat(0xffffffffffffff9c, 0x0, 0x42, 0x1ff)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000380)={0x11, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="1801000000000000000000000000ea04850000005000000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000000040)='sched_switch\x00', r0}, 0x10)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0xa, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000280)=0x8)
r1 = getpid()
sched_setscheduler(r1, 0x2, &(0x7f0000000180)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, 0x0, 0x0, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r4, 0x0, 0x0)
bind$alg(0xffffffffffffffff, 0x0, 0x0)
r5 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
ioctl$COMEDI_DEVCONFIG(r5, 0x40946400, 0x0)
executing program 4:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_NL_LINK_SET(0xffffffffffffffff, 0x0, 0xc000)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
socket$packet(0x11, 0x3, 0x300)
r3 = socket$netlink(0x10, 0x3, 0x4)
write(r3, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NL80211_CMD_GET_INTERFACE(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8010}, 0x95)
r0 = fsopen(&(0x7f0000000080)='securityfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00')
open_by_handle_at(r1, &(0x7f00000018c0)=ANY=[@ANYBLOB="20ff0300f10000000100000000000000000000000000000005010000f8ffffff3d0000000000d9085370e929719bbdff239cd183f7f71df61a60bfc5844f6630d08f3bd32fd92c5defead90f3bf164b78f87a04abb0c3b2cedceaee99003090c77f6426d0436b4733a77d7c1f414a29b2b19852d39c4d42e40968f3030c4250d07b46ead8569536898b9ac"], 0x10040)
r2 = fsmount(r0, 0x0, 0xf)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$TIOCPKT(r2, 0x5420, 0x0)
r3 = bpf$MAP_CREATE(0x0, 0x0, 0x50)
r4 = bpf$MAP_CREATE(0x0, 0x0, 0x50)
r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0x10, &(0x7f0000000180)=ANY=[@ANYRES32=r3, @ANYBLOB, @ANYRES32=r4, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa2f8dcc29250"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1a, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='tlb_flush\x00', r5}, 0x10)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7)
ioctl$BTRFS_IOC_BALANCE_PROGRESS(r1, 0x84009422, &(0x7f0000001d80)={0x0, 0x0, {0x0, @struct}, {}, {0x0, @struct, <r6=>0x0}})
ioctl$BTRFS_IOC_SNAP_DESTROY_V2(0xffffffffffffffff, 0x5000943f, &(0x7f00000008c0)={{}, 0x0, 0x2, @inherit={0x68, 0x0}, @devid=r6})
ioctl$BTRFS_IOC_SCRUB(0xffffffffffffffff, 0xc400941b, &(0x7f0000019080)={r6, 0x80, 0x3ff, 0x1})
ioctl$BTRFS_IOC_SCRUB(r0, 0xc400941b, &(0x7f0000000880)={r6, 0x6, 0x8})
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r7 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102)
writev(r7, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2f)
r8 = syz_io_uring_setup(0x49c, &(0x7f0000000400)={0x0, 0x7078, 0x0, 0x0, 0x284}, &(0x7f0000000100)=<r9=>0x0, &(0x7f00000001c0)=<r10=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r9, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r9, r10, &(0x7f00000002c0)=@IORING_OP_FADVISE={0x18, 0x1, 0x0, @fd, 0x7, 0x0, 0x3c, 0x2, 0x1})
syz_open_dev$vbi(&(0x7f0000000000), 0x2, 0x2)
io_uring_enter(r8, 0x3516, 0x0, 0x4, 0x0, 0x0)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_netfilter(0x10, 0x3, 0xc)
setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x7)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080), 0x48c00, 0x0)
r0 = gettid()
timer_create(0x2, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x1, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x9}}, 0x0)
timer_delete(0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
userfaultfd(0x802)
epoll_create1(0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000100), 0x1c3902, 0x0)
syz_io_uring_setup(0x32b7, &(0x7f0000000180)={0x0, 0x7f1, 0x1, 0x4, 0x41}, 0x0, 0x0)
sendfile(r2, r2, 0x0, 0x2000fb)
io_setup(0x4, &(0x7f00000014c0))
executing program 1:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
sendmsg$TIPC_NL_LINK_SET(0xffffffffffffffff, 0x0, 0xc000)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in6={{0xa, 0x4e23, 0xfffffffc, @dev={0xfe, 0x80, '\x00', 0x3c}, 0x8}}, 0x4, 0x2, 0xe, 0x7588, 0x168, 0xfffffffc, 0x7}, &(0x7f0000000140)=0x9c)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000280)={'vxcan0\x00'})
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
r3 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r3, 0x107, 0x8, &(0x7f0000000100)=0x40049, 0x4)
write(0xffffffffffffffff, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 2:
openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
r0 = socket(0x28, 0x5, 0x0)
bind$vsock_stream(r0, &(0x7f0000000040), 0x10)
r1 = socket$rxrpc(0x21, 0x2, 0x2)
setsockopt$RXRPC_MIN_SECURITY_LEVEL(r1, 0x110, 0x4, &(0x7f0000000040), 0x4)
r2 = socket(0x28, 0x5, 0x0)
connect$vsock_stream(r2, &(0x7f0000000080), 0x10)
setsockopt$sock_linger(r2, 0x1, 0x3c, &(0x7f0000000180)={0x1, 0x5}, 0x8)
sendmmsg(r2, 0x0, 0x0, 0x24008094)
recvmsg(0xffffffffffffffff, 0x0, 0x10000)
r3 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="1b0000000000000000000000000004"], 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0x6, &(0x7f0000000cc0)=ANY=[@ANYBLOB="050000000000000061110c00000000008510000002000000850000000500000095000000000000009500a5050000000077d8f3b423cdac8d80000000000000002be16ad10a48b243ccc42606d25dfd73a015e0ca7fc2506a0f7535f7866907dc0200000000000000ae669e17fd6587d452d6453559c3421eed73d56615fe6c54c3b3ffe1b4ce25d7c983c044c03bf3a48dfe47ec9dd6c091c30b93bfae76d9ebacd3ed3e26e7a23129d6606fd28a69989d552af6bda9df2c3af36effff9af2551ce896165127cb3f011a7d06602e2fc40848228567ffb400000000003ed38ae89d24e1cebfba2f87925bfacba83109751fe6c05405d027edd68149ee99eef6a6992308a4fc0b7c70bc677d6dd4aed4af7500d7900a820b6347184e9a217b5614cd50cbe43a1ed2526814bc0000e9e086ce48e90defb6670c3df2624f56da648d28ad0a97aec7291c25447c106a99893e10db21901eb397b2f5fd71400fa7a050fbbef9e326ea27e513e96068fd1e8a43e89f9c85c822a961546ed5363c17ff1432d08806bc376e3e49ee52b59d13182e1f24ed200ada10eb1affb87ba55b2d72078e9f40b4ae7d01000000d11cd22c35d32940000088dde499000000fdffffff00000000000f000000ef0000000000000000000000000c52f4ebd2c893bb97a068bd10734a83584898eccb26f7b789cfc4cd995fa3e11a5c74c85404e2df3ad37b729ac83b0dcb4f48f3c3356b9997fc455a17690b6f7f9ccbe4b1701941b18aba6b16455a66c3b84b138efc20a546d3d5227e23b03f2a834391ade2ff3e93ee296c4082ee73e7c353312c9d75711ce1623e9c54bdff59d2a69dcb7d84c235b23a4480c2461b405cfd1a38992f295ad3adc94cd07c850d1ce6d0b2fea02c24e9280333152fb794e4ddea02017a6c139b50101caecaf2abc0847a1ff2f7fc3c2b99a96fc4275ad107274e2934a87a4ddcdb112754ca5bdec0ead14b6c0f19a43a2f05c7f0be31491eb8c9ff68236c8600040000000000000000000066e034c81c3cab64e4fc8dc55ce0ada18dcbf31c6e82893add3bee3e10fc873d1d922b0877cbcd95b839d3059d5140a1f742f6e75741e39e5cb6a193e06a1043375b0f61b5d4e17c81baa31b924d84f224baf1221c15fa12313ffbfa7c2730309f66705b71e6205e7cbf3643561eabb9a63fcd604d5cc27e1317ad94cf438d71873e540be16b6ca205081173bd03c4754fc4674812daab482fd390a1c903b5d28a1eb247b5837d7603b92495d5c569f6433c3fca5206cb0000003fdbbd3892c52c2e7612e05de32322e980a3d69931e2c9312dd517c96f2ee90362476ed853c4c9b7d4ebf13cbaa795860e92a3d7d004f2c491db38eb769f094d5d48b262cc35c40682138cf13a49aa9f27abec00002f01ba1251aaf2385416ca719300"], &(0x7f0000000080)='GPL\x00', 0x5, 0x29e, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x6}, 0x70)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r4}, 0x10)
r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0xf, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf0900000000000055090100000000009500000800000000bf91000000000000b702000043e7b5538500000085000000b70000000000000095"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x43, '\x00', 0x0, @fallback=0xa, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000140)='kmem_cache_free\x00', r5, 0x0, 0x8}, 0x18)
pselect6(0x40, &(0x7f00000001c0)={0x0, 0x0, 0x3, 0x7fffffffff, 0x1}, 0x0, &(0x7f0000000280)={0x3ff, 0x0, 0x0, 0x3, 0x0, 0x0, 0x4, 0xfffffffffffffffc}, 0x0, 0x0)
executing program 0:
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
ioctl$EXT4_IOC_GETSTATE(r0, 0x40046629, 0x0)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f0000000080)={0xaa, 0x79})
ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000002, 0x8031, 0xffffffffffffffff, 0xfffff000)
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, 0x0)
r1 = socket(0x10, 0x2, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r1, 0x10e, 0xc, &(0x7f0000000080)={0x3, 0x2, 0x0, 0x3}, 0x10)
sendmsg$nl_route(r1, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x2, 0x2, 0x1)
syz_io_uring_setup(0x332e, &(0x7f0000000480)={0x0, 0xaeb7, 0x40, 0x3, 0x2d9}, 0x0, &(0x7f0000000400))
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
connect$inet6(r3, 0x0, 0x0)
connect$unix(r2, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f00000000c0)='contention_end\x00'}, 0x18)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='mmap_lock_acquire_returned\x00'}, 0x18)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffe, 0x4031, 0xffffffffffffffff, 0x0)
userfaultfd(0x80001)
executing program 1:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80202, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-openat$binderfs-openat$ptmx-openat$sequencer-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80202, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 1m40s
testing program (duration=1m47s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 20, 19, 26, 24, 10, 14, 15, 17, 9, 3, 29, 26, 26, 26, 27, 29, 27, 6, 20, 12, 29, 19, 25, 28, 23, 26, 18, 24, 29]
detailed listing:
executing program 1:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8801}, 0x80)
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000080)=0xa0000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, 0x0)
ioctl$IOCTL_VMCI_DATAGRAM_SEND(r0, 0x7ab, 0x0)
ioctl$IOCTL_VMCI_NOTIFICATIONS_RECEIVE(r0, 0x7a6, &(0x7f0000000040)={0x1, 0xc8a3, 0x4, 0xf, 0x30000, 0xdb3})
syz_usb_connect(0x4, 0x0, 0x0, 0x0)
epoll_create1(0x0)
syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00')
r1 = syz_io_uring_setup(0xbdc, &(0x7f0000000640)={0x0, 0xec28, 0x400, 0x1, 0x40000333}, &(0x7f00000006c0)=<r2=>0x0, &(0x7f0000000240)=<r3=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, 0x0})
io_uring_enter(r1, 0x20af, 0x6d82, 0x0, 0x0, 0x0)
executing program 1:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x20024894)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
getpid()
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x707cb000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
prctl$PR_SET_MM(0x23, 0xa, &(0x7f00002d5000/0x2000)=nil)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000001c0)='environ\x00')
preadv(r3, &(0x7f0000001400)=[{&(0x7f0000000040)=""/113, 0x200000b1}], 0x1, 0xc002a0, 0x0)
syz_io_uring_setup(0x18d7, &(0x7f0000000040)={0x0, 0x0, 0x2, 0x0, 0x25b}, 0x0, &(0x7f0000ffe000))
syz_open_procfs(0x0, 0x0)
getsockopt$inet6_buf(0xffffffffffffffff, 0x29, 0x30, &(0x7f0000000180)=""/214, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r3, 0xd0009411, &(0x7f0000002440)={{0x0, 0xfffffffffffffff8, 0x5, 0x7, 0x6, 0x8000000000000000, 0x1, 0x3, 0x6, 0x5, 0x0, 0x5, 0x5, 0x4, 0x7}})
bind$inet(r0, &(0x7f00000000c0)={0x2, 0x4e20, @broadcast}, 0x10)
sendto$inet(r0, &(0x7f0000000140), 0xffffffffffffff58, 0x20008005, &(0x7f0000000100)={0x2, 0x4e20}, 0x10)
executing program 3:
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f00000003c0)={0x0, 0x0, 0x0}, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000240)={0x8, 0x248}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x1, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0xffffe000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000001c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f00000004c0)=@abs={0x0, 0x0, 0x4e24}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x3fffffffffffeda, 0x2, 0x0)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xb, &(0x7f0000000180)=ANY=[], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x33, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r3}, 0x10)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000000)={0x0, &(0x7f00000000c0)})
fsopen(&(0x7f0000000040)='configfs\x00', 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000080)='.\x00', 0x0, 0x0, 0x0)
r4 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="020000000400000008f9000001"], 0x48)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0xd, 0x10, &(0x7f0000000180)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff00000000b7080000000000007b8af0ff00000000bf8100000000000007080000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018210000", @ANYRES32=r4, @ANYBLOB="0000000008000000b705000008000000850000005d00000095"], &(0x7f0000000300)='GPL\x00', 0x2, 0x100a, &(0x7f0000002500)=""/4106, 0x0, 0x5}, 0x94)
executing program 3:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in6={{0xa, 0x4e23, 0xfffffffc, @dev={0xfe, 0x80, '\x00', 0x3c}, 0x8}}, 0x4, 0x2, 0xe, 0x7588, 0x168, 0xfffffffc, 0x7}, &(0x7f0000000140)=0x9c)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000280)={'vxcan0\x00'})
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
r3 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r3, 0x107, 0x8, &(0x7f0000000100)=0x40049, 0x4)
write(0xffffffffffffffff, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 3:
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
ioctl$EXT4_IOC_GETSTATE(r0, 0x40046629, 0x0)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f0000000080)={0xaa, 0x79})
ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000002, 0x8031, 0xffffffffffffffff, 0xfffff000)
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, 0x0)
r1 = socket(0x10, 0x2, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r1, 0x10e, 0xc, &(0x7f0000000080)={0x3, 0x2, 0x0, 0x3}, 0x10)
sendmsg$nl_route(r1, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x2, 0x2, 0x1)
syz_io_uring_setup(0x332e, &(0x7f0000000480)={0x0, 0xaeb7, 0x40, 0x3, 0x2d9}, 0x0, &(0x7f0000000400))
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
connect$inet6(r3, 0x0, 0x0)
connect$unix(r2, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f00000000c0)='contention_end\x00'}, 0x18)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='mmap_lock_acquire_returned\x00'}, 0x18)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffe, 0x4031, 0xffffffffffffffff, 0x0)
userfaultfd(0x80001)
executing program 2:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
sendmsg$nl_xfrm(0xffffffffffffffff, 0x0, 0x80)
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000080)=0xa0000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, &(0x7f0000000000)={@my=0x0})
ioctl$IOCTL_VMCI_NOTIFICATIONS_RECEIVE(r0, 0x7a6, 0x0)
r1 = syz_io_uring_setup(0xbdc, &(0x7f0000000640)={0x0, 0xec28, 0x400, 0x1, 0x40000333}, 0x0, &(0x7f0000000240)=<r2=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(0x0, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(0x0, r2, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, 0x0})
io_uring_enter(r1, 0x20af, 0x6d82, 0x0, 0x0, 0x0)
executing program 4:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8801}, 0x80)
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000080)=0xa0000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, 0x0)
ioctl$IOCTL_VMCI_DATAGRAM_SEND(r0, 0x7ab, 0x0)
ioctl$IOCTL_VMCI_NOTIFICATIONS_RECEIVE(r0, 0x7a6, &(0x7f0000000040)={0x1, 0xc8a3, 0x4, 0xf, 0x30000, 0xdb3})
syz_usb_connect(0x4, 0x0, 0x0, 0x0)
epoll_create1(0x0)
syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00')
r1 = syz_io_uring_setup(0xbdc, &(0x7f0000000640)={0x0, 0xec28, 0x400, 0x1, 0x40000333}, &(0x7f00000006c0)=<r2=>0x0, &(0x7f0000000240)=<r3=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r2, 0x4, &(0x7f0000000180)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r2, r3, &(0x7f0000000200)=@IORING_OP_READV=@pass_iovec={0x1, 0x0, 0x0, @fd_index=0x4, 0x0, 0x0})
io_uring_enter(r1, 0x20af, 0x6d82, 0x0, 0x0, 0x0)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_netfilter(0x10, 0x3, 0xc)
setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, 0x0, 0x0)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000440)={&(0x7f0000000440)=ANY=[], 0x0, 0x39, 0x0, 0x1, 0x9}, 0x28)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1c0000, 0x1, &(0x7f0000000040))
userfaultfd(0x802)
openat$rfkill(0xffffff9c, &(0x7f00000003c0), 0x0, 0x0)
epoll_create1(0x0)
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000100), 0x1c3902, 0x0)
syz_io_uring_setup(0x32b7, &(0x7f0000000180)={0x0, 0x7f1, 0x1, 0x4, 0x41}, 0x0, 0x0)
sendfile(r0, r0, 0x0, 0x2000fb)
io_setup(0x4, &(0x7f00000014c0))
executing program 2:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000280)={{0x12, 0x1, 0x141, 0xf2, 0xc5, 0x96, 0x20, 0x16d0, 0x10b8, 0xde8e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x0, 0x2, 0x1, 0x0, 0x83, 0xec, 0x0, [], [{{0x9, 0x5, 0x6, 0x2, 0x200, 0x2, 0x0, 0xa}}]}}]}}]}}, 0x0)
syz_emit_ethernet(0x76, &(0x7f00000004c0)={@link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x16}, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "d3ffff", 0x40, 0x3a, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @mcast2, {[], @param_prob={0x2, 0x0, 0x0, 0x502, {0x0, 0x6, "508359", 0x0, 0x0, 0x0, @private1, @remote, [@hopopts={0x3a}], "a87f7292fee6ad36"}}}}}}}, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = socket$l2tp6(0xa, 0x2, 0x73)
mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x0, 0x0, &(0x7f0000006680))
rmdir(&(0x7f0000000080)='./cgroup/../file0\x00')
getsockopt$inet6_mreq(r1, 0x29, 0x15, 0x0, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000400)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0xffff, 0xffff}}}, 0x24}}, 0x0)
bpf$BPF_GET_PROG_INFO(0xf, 0x0, 0x0)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(0xffffffffffffffff, 0x89f1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000000)={0x8, 0x100008b}, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000180)=0x1400200bce)
sched_setscheduler(0x0, 0x1, &(0x7f0000002200)=0x1)
r2 = syz_open_dev$MSR(&(0x7f0000000200), 0x0, 0x0)
read$msr(r2, &(0x7f0000002700)=""/102392, 0x18ff8)
ioctl$sock_inet6_SIOCDELRT(r0, 0x890c, &(0x7f0000005fc0)={@remote, @empty, @empty, 0x7, 0x8000, 0x40, 0x400, 0x5, 0x18c0012})
executing program 1:
setresuid(0xffffffffffffffff, 0xee01, 0x0)
syz_usb_connect(0x0, 0x0, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f0000000280)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r0 = socket(0x1e, 0x4, 0x0)
connect$tipc(r0, &(0x7f0000000040)=@nameseq={0x1e, 0x1, 0x1, {0x1, 0x0, 0x3}}, 0x10)
sendmmsg$unix(r0, &(0x7f0000004400), 0x400000000000203, 0x101d0)
executing program 3:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r0, &(0x7f0000000180)={0xa, 0x4001, 0x0, @dev={0xfe, 0x80, '\x00', 0x1b}, 0xd}, 0x1c)
write$binfmt_script(r0, 0x0, 0x0)
executing program 3:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
clock_adjtime(0x0, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=@ipv4_delroute={0x1c, 0x18, 0x1, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0x0, 0x0, 0xff}}, 0x1c}}, 0x0)
write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, &(0x7f0000000140)={0x2, 0x1}, 0x2)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
r2 = socket$tipc(0x1e, 0x5, 0x0)
bind$tipc(r2, &(0x7f0000000340)=@nameseq={0x1e, 0x1, 0x3, {0x43}}, 0x10)
socket$tipc(0x1e, 0x5, 0x0)
setsockopt$TIPC_GROUP_JOIN(r2, 0x10f, 0x87, 0x0, 0x0)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
mremap(&(0x7f000054e000/0x1000)=nil, 0x1000, 0x3000, 0x3, &(0x7f000022c000/0x3000)=nil)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000500), 0x100, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r5, 0x4008ae89, &(0x7f0000000200)={0x1, 0x0, [{0x11, 0x0, 0x1}]})
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000000)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0xfffffc01, 0x400}}, './file0\x00'})
ioctl$KVM_GET_XSAVE(r5, 0x9000aea4, &(0x7f0000001540))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
remap_file_pages(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)
mremap(&(0x7f0000e2f000/0x1000)=nil, 0x1000, 0x3000, 0x7, &(0x7f0000c53000/0x3000)=nil)
executing program 0:
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000480), 0x129540, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1)
r1 = creat(&(0x7f00000002c0)='./file0\x00', 0x0)
open$dir(&(0x7f0000000080)='./file1\x00', 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00', <r4=>0x0})
sendmsg$NL80211_CMD_SET_TX_BITRATE_MASK(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000640)={0x40, r3, 0x1, 0xffffffff, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_TX_RATES={0x24, 0x5a, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x20, 0x1, 0x0, 0x1, [@NL80211_TXRATE_VHT={0x14, 0x3, {[0x0, 0x0, 0x0, 0x8, 0x1]}}, @NL80211_TXRATE_HT={0x4}, @NL80211_TXRATE_LEGACY={0x4}]}]}]}, 0x40}}, 0x0)
write$qrtrtun(r1, &(0x7f0000000400)="0b8ca3756ea769f253", 0x9)
bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x2, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000300000000000000fe020010"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x100, 0x70, '\x00', 0x0, @fallback=0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_LINK_CREATE_XDP(0x1c, 0x0, 0x0)
r5 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000003400), 0x42300, 0x0)
ioctl$VHOST_SET_FEATURES(r5, 0x4008af00, &(0x7f0000003b40)=0x4000000)
close(0x4)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)={0x14, 0x2e, 0x9, 0x70bd27, 0x0, {0x4}}, 0x14}, 0x1, 0x0, 0x0, 0x42804}, 0x0)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NL802154_CMD_DEL_SEC_DEVKEY(r7, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=ANY=[], 0x54}, 0x1, 0x0, 0x0, 0x40c4}, 0x20040840)
ioctl$IOCTL_GET_NCIDEV_IDX(0xffffffffffffffff, 0x0, &(0x7f0000000140))
sendmsg$NFC_CMD_LLC_SET_PARAMS(r7, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)=ANY=[], 0x44}, 0x1, 0x0, 0x0, 0x8000}, 0x12)
executing program 4:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in6={{0xa, 0x4e23, 0xfffffffc, @dev={0xfe, 0x80, '\x00', 0x3c}, 0x8}}, 0x4, 0x2, 0xe, 0x7588, 0x168, 0xfffffffc, 0x7}, &(0x7f0000000140)=0x9c)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000280)={'vxcan0\x00'})
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
r3 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r3, 0x107, 0x8, &(0x7f0000000100)=0x40049, 0x4)
write(0xffffffffffffffff, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 2:
getpid()
r0 = socket(0x10, 0x3, 0x0)
socket$key(0xf, 0x3, 0x2)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="05000000810000000200000009"], 0x48)
bpf$MAP_DELETE_BATCH(0x18, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x5, r2, 0x0, 0x20}, 0x38)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/custom1\x00', 0x802, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f00000000c0)=0x3)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r3 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101)
r4 = dup(r3)
write$6lowpan_enable(r4, &(0x7f0000000000)='0', 0xfffffd2c)
r5 = syz_io_uring_setup(0xef4, &(0x7f00000003c0)={0x0, 0x26c3, 0x1, 0x3, 0x0, 0x0, r4}, &(0x7f0000000180)=<r6=>0x0, &(0x7f00000001c0)=<r7=>0x0)
syz_io_uring_submit(r6, r7, 0x0)
io_uring_enter(r5, 0x2ded, 0x4000, 0x10, 0x0, 0x0)
ioprio_get$uid(0x3, 0x0)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
write$bt_hci(r1, 0x0, 0xb)
r8 = syz_open_dev$vim2m(&(0x7f0000000580), 0x4, 0x2)
ioctl$vim2m_VIDIOC_REQBUFS(r8, 0xc0145608, &(0x7f00000000c0)={0x2, 0x1, 0x1})
ioctl$vim2m_VIDIOC_STREAMOFF(r8, 0x40045612, &(0x7f0000000100)=0x1)
openat$qrtrtun(0xffffffffffffff9c, &(0x7f0000000140), 0x52ec3)
bind$packet(0xffffffffffffffff, 0x0, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0xc, &(0x7f0000000040)={0x5}, 0x10)
executing program 4:
openat$binderfs(0xffffffffffffff9c, 0x0, 0x801, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000480), 0x129540, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1)
r1 = creat(&(0x7f00000002c0)='./file0\x00', 0x0)
open$dir(&(0x7f0000000080)='./file1\x00', 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000080)={'wlan0\x00', <r4=>0x0})
sendmsg$NL80211_CMD_SET_TX_BITRATE_MASK(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000640)={0x40, r3, 0x1, 0xffffffff, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_TX_RATES={0x24, 0x5a, 0x0, 0x1, [@NL80211_BAND_5GHZ={0x20, 0x1, 0x0, 0x1, [@NL80211_TXRATE_VHT={0x14, 0x3, {[0x0, 0x0, 0x0, 0x8, 0x1]}}, @NL80211_TXRATE_HT={0x4}, @NL80211_TXRATE_LEGACY={0x4}]}]}]}, 0x40}}, 0x0)
write$qrtrtun(r1, &(0x7f0000000400)="0b8ca3756ea769f253", 0x9)
bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x2, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000300000000000000fe020010"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x100, 0x70, '\x00', 0x0, @fallback=0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_LINK_CREATE_XDP(0x1c, 0x0, 0x0)
r5 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000003400), 0x42300, 0x0)
ioctl$VHOST_SET_FEATURES(r5, 0x4008af00, &(0x7f0000003b40)=0x4000000)
close(0x4)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)={0x14, 0x2e, 0x9, 0x70bd27, 0x0, {0x4}}, 0x14}, 0x1, 0x0, 0x0, 0x42804}, 0x0)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NL802154_CMD_DEL_SEC_DEVKEY(r7, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000100)=ANY=[], 0x54}, 0x1, 0x0, 0x0, 0x40c4}, 0x20040840)
ioctl$IOCTL_GET_NCIDEV_IDX(0xffffffffffffffff, 0x0, &(0x7f0000000140))
sendmsg$NFC_CMD_LLC_SET_PARAMS(r7, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)=ANY=[], 0x44}, 0x1, 0x0, 0x0, 0x8000}, 0x12)
executing program 1:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
clock_adjtime(0x0, &(0x7f0000000100)={0x2, 0x6a, 0x5, 0x8000000000000001, 0x48c, 0x5, 0xd, 0x424, 0x2, 0xffffffffffffffff, 0xf423f, 0xfffffffffffffff9, 0x7, 0x2, 0x1000000081, 0x5, 0x0, 0x5, 0x0, 0x9220000000000000, 0x3, 0x0, 0x80000001, 0x0, 0x5, 0x7})
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=@ipv4_delroute={0x1c, 0x18, 0x1, 0x0, 0x0, {0x2, 0x18, 0x0, 0x0, 0x0, 0x0, 0xff}}, 0x1c}}, 0x0)
write$USERIO_CMD_SEND_INTERRUPT(0xffffffffffffffff, &(0x7f0000000140)={0x2, 0x1}, 0x2)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
r3 = socket$tipc(0x1e, 0x5, 0x0)
bind$tipc(r3, &(0x7f0000000340)=@nameseq={0x1e, 0x1, 0x3, {0x43}}, 0x10)
socket$tipc(0x1e, 0x5, 0x0)
setsockopt$TIPC_GROUP_JOIN(r3, 0x10f, 0x87, 0x0, 0x0)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x800000, 0x3, &(0x7f0000130000/0x800000)=nil)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000500), 0x100, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r6, 0x4008ae89, &(0x7f0000000200)={0x1, 0x0, [{0x11, 0x0, 0x1}]})
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000000)={{0x1, 0x1, 0x18, r2, {0xfffffc01, 0x400}}, './file0\x00'})
ioctl$KVM_GET_XSAVE(r6, 0x9000aea4, &(0x7f0000001540))
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
remap_file_pages(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)
mremap(&(0x7f0000e2f000/0x1000)=nil, 0x1000, 0x3000, 0x7, &(0x7f0000c53000/0x3000)=nil)
executing program 0:
openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
r2 = socket(0x28, 0x5, 0x0)
bind$vsock_stream(r2, &(0x7f0000000040), 0x10)
r3 = socket$rxrpc(0x21, 0x2, 0x2)
setsockopt$RXRPC_MIN_SECURITY_LEVEL(r3, 0x110, 0x4, &(0x7f0000000040), 0x4)
r4 = socket(0x28, 0x5, 0x0)
connect$vsock_stream(r4, &(0x7f0000000080), 0x10)
setsockopt$sock_linger(r4, 0x1, 0x3c, &(0x7f0000000180)={0x1, 0x5}, 0x8)
sendmmsg(r4, 0x0, 0x0, 0x24008094)
recvmsg(0xffffffffffffffff, 0x0, 0x10000)
r5 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="1b0000000000000000000000000004"], 0x48)
r6 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0x6, &(0x7f0000000cc0)=ANY=[@ANYBLOB="050000000000000061110c00000000008510000002000000850000000500000095000000000000009500a5050000000077d8f3b423cdac8d80000000000000002be16ad10a48b243ccc42606d25dfd73a015e0ca7fc2506a0f7535f7866907dc0200000000000000ae669e17fd6587d452d6453559c3421eed73d56615fe6c54c3b3ffe1b4ce25d7c983c044c03bf3a48dfe47ec9dd6c091c30b93bfae76d9ebacd3ed3e26e7a23129d6606fd28a69989d552af6bda9df2c3af36effff9af2551ce896165127cb3f011a7d06602e2fc40848228567ffb400000000003ed38ae89d24e1cebfba2f87925bfacba83109751fe6c05405d027edd68149ee99eef6a6992308a4fc0b7c70bc677d6dd4aed4af7500d7900a820b6347184e9a217b5614cd50cbe43a1ed2526814bc0000e9e086ce48e90defb6670c3df2624f56da648d28ad0a97aec7291c25447c106a99893e10db21901eb397b2f5fd71400fa7a050fbbef9e326ea27e513e96068fd1e8a43e89f9c85c822a961546ed5363c17ff1432d08806bc376e3e49ee52b59d13182e1f24ed200ada10eb1affb87ba55b2d72078e9f40b4ae7d01000000d11cd22c35d32940000088dde499000000fdffffff00000000000f000000ef0000000000000000000000000c52f4ebd2c893bb97a068bd10734a83584898eccb26f7b789cfc4cd995fa3e11a5c74c85404e2df3ad37b729ac83b0dcb4f48f3c3356b9997fc455a17690b6f7f9ccbe4b1701941b18aba6b16455a66c3b84b138efc20a546d3d5227e23b03f2a834391ade2ff3e93ee296c4082ee73e7c353312c9d75711ce1623e9c54bdff59d2a69dcb7d84c235b23a4480c2461b405cfd1a38992f295ad3adc94cd07c850d1ce6d0b2fea02c24e9280333152fb794e4ddea02017a6c139b50101caecaf2abc0847a1ff2f7fc3c2b99a96fc4275ad107274e2934a87a4ddcdb112754ca5bdec0ead14b6c0f19a43a2f05c7f0be31491eb8c9ff68236c8600040000000000000000000066e034c81c3cab64e4fc8dc55ce0ada18dcbf31c6e82893add3bee3e10fc873d1d922b0877cbcd95b839d3059d5140a1f742f6e75741e39e5cb6a193e06a1043375b0f61b5d4e17c81baa31b924d84f224baf1221c15fa12313ffbfa7c2730309f66705b71e6205e7cbf3643561eabb9a63fcd604d5cc27e1317ad94cf438d71873e540be16b6ca205081173bd03c4754fc4674812daab482fd390a1c903b5d28a1eb247b5837d7603b92495d5c569f6433c3fca5206cb0000003fdbbd3892c52c2e7612e05de32322e980a3d69931e2c9312dd517c96f2ee90362476ed853c4c9b7d4ebf13cbaa795860e92a3d7d004f2c491db38eb769f094d5d48b262cc35c40682138cf13a49aa9f27abec00002f01ba1251aaf2385416ca719300"], &(0x7f0000000080)='GPL\x00', 0x5, 0x29e, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x6}, 0x70)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r6}, 0x10)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0xf, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r5, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf0900000000000055090100000000009500000800000000bf91000000000000b702000043e7b5538500000085000000b70000000000000095"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x43, '\x00', 0x0, @fallback=0xa, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000140)='kmem_cache_free\x00', r7, 0x0, 0x8}, 0x18)
pselect6(0x40, &(0x7f00000001c0)={0x0, 0x0, 0x3, 0x7fffffffff, 0x1}, 0x0, &(0x7f0000000280)={0x3ff, 0x0, 0x0, 0x3, 0x0, 0x0, 0x4, 0xfffffffffffffffc}, 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(r1, 0x40946400, 0x0)
sendmsg$IPCTNL_MSG_TIMEOUT_DEFAULT_GET(0xffffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000), 0xc, &(0x7f0000000200)={&(0x7f0000000540)=ANY=[@ANYBLOB="a80000000408050000000000000000000200000244000480080005400000004008000740000000070800014000000fff08000640000000070800014000000fff0800054000000002080008400000000208000640000000100900010073797a30000000000600024086dd000014000480080002400000003408000740000000051c0044800800014000000008080001400000008c080001400000000b0900010073797a31000000"], 0xa8}, 0x1, 0x0, 0x0, 0x10}, 0x4000081)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
timerfd_create(0x7, 0x80800)
pselect6(0x40, &(0x7f0000000100), &(0x7f0000000000)={0x1f}, 0x0, 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(r1, 0x40946400, &(0x7f00000000c0)={'adq12b\x00', [0x4f27, 0x2, 0x10000, 0x4, 0xe, 0x0, 0x3, 0x7, 0xa, 0x1, 0x8001, 0x4, 0xff6b, 0x801, 0xfffffffe, 0xb4b, 0x0, 0xfffffffe, 0x3, 0x40000003, 0x89, 0xcaa7, 0x201ff, 0x20001e58, 0xb, 0xe6b, 0x3c, 0x6, 0x65c, 0x0, 0xfffffff8]})
sendmsg$nl_route_sched(r0, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000300)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb01001800000000000000180000001800000007000000050000000100000f100000000700004820000000080e0000006f61303061"], &(0x7f0000005bc0)=""/255, 0x37, 0xff, 0x9, 0x1000}, 0x28)
executing program 2:
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000100)=@pppol2tpv3={0x18, 0x1, {0x0, r0, {0x2, 0x0, @loopback}, 0x4}}, 0x2e)
syz_emit_ethernet(0x46, &(0x7f0000000140)={@link_local, @random="dce65fbcee55", @void, {@ipv6={0x86dd, @udp={0x0, 0x6, "010100", 0x10, 0x11, 0x0, @remote, @local, {[], {0x0, 0xe22, 0x10, 0x0, @gue={{0x2, 0x0, 0x0, 0x3}}}}}}}}, 0x0)
recvmmsg(r1, &(0x7f0000000340), 0x4000000000000da, 0xda, 0x0)
executing program 3:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x20024894)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
getpid()
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x707cb000)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
prctl$PR_SET_MM(0x23, 0xa, &(0x7f00002d5000/0x2000)=nil)
r3 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000001c0)='environ\x00')
preadv(r3, &(0x7f0000001400)=[{&(0x7f0000000040)=""/113, 0x200000b1}], 0x1, 0xc002a0, 0x0)
syz_io_uring_setup(0x18d7, &(0x7f0000000040)={0x0, 0x0, 0x2, 0x0, 0x25b}, 0x0, &(0x7f0000ffe000))
syz_open_procfs(0x0, 0x0)
getsockopt$inet6_buf(0xffffffffffffffff, 0x29, 0x30, &(0x7f0000000180)=""/214, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r3, 0xd0009411, &(0x7f0000002440)={{0x0, 0xfffffffffffffff8, 0x5, 0x7, 0x6, 0x8000000000000000, 0x1, 0x3, 0x6, 0x5, 0x0, 0x5, 0x5, 0x4, 0x7}})
bind$inet(r0, &(0x7f00000000c0)={0x2, 0x4e20, @broadcast}, 0x10)
sendto$inet(r0, &(0x7f0000000140), 0xffffffffffffff58, 0x20008005, &(0x7f0000000100)={0x2, 0x4e20}, 0x10)
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0xc)
bind$netlink(r0, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc)
setsockopt$netlink_NETLINK_BROADCAST_ERROR(r0, 0x10e, 0x4, &(0x7f0000000140)=0x6, 0x4)
setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000200), 0x4)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0)
sendmsg$IPCTNL_MSG_CT_DELETE(r1, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000640)={0x14, 0x2, 0x1, 0x5, 0x0, 0x0, {0x2, 0x0, 0x8}}, 0x14}, 0x1, 0x0, 0x0, 0x20044804}, 0x40040)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000001c0)=ANY=[@ANYBLOB="980000000001010400000000000000000a0000003c0001802c00018014000300fe8000000000000000000000000000aa14000400ff0100000000000000000000000000010c00028005000100000000003c0002802c00018014000300fe8000000000000000000000000000aa14000400fe8800000000000000000000000000010c0002800500010000000000080007"], 0x98}}, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x0)
executing program 2:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f00000005c0)=ANY=[], 0x64}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_ADD(r1, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000780)=ANY=[@ANYBLOB="74000000090601020000000000000000030000000900020073797a310000000005000100070000004c0007801800018014000240fe8000000000000000000300000000aa1800148014000240fc000000000000000000000000000000060004404e1f0000050007008400000006000540"], 0x74}, 0x1, 0x0, 0x0, 0x10040003}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket(0x200000000000011, 0x2, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000640)=ANY=[], 0x48)
r3 = signalfd(0xffffffffffffffff, &(0x7f0000000140), 0x8)
r4 = syz_io_uring_setup(0x38a9, &(0x7f0000000540)={0x0, 0x0, 0x10100, 0x0, 0xfffffffe}, &(0x7f0000000040)=<r5=>0x0, &(0x7f0000000140)=<r6=>0x0)
syz_io_uring_submit(r5, r6, &(0x7f00000001c0)=@IORING_OP_RECV=@use_registered_buffer={0x1b, 0x20, 0x3, r3})
io_uring_enter(r4, 0x40044fd, 0xb780, 0x0, 0x0, 0xfffffe71)
r7 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], &(0x7f0000000100)='GPL\x00', 0x3, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={&(0x7f00000000c0)='sys_enter\x00', r7}, 0x10)
rt_sigprocmask(0x0, &(0x7f0000000000)={[0xfffffffffffffffd]}, 0x0, 0x8)
rt_sigsuspend(&(0x7f0000000040)={[0xfffffffffffbfefd]}, 0x8)
ioctl$TIOCSETD(0xffffffffffffffff, 0x5423, &(0x7f0000000040)=0xd)
rt_sigsuspend(&(0x7f0000000400), 0x8)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(r2, &(0x7f0000000500)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000680)=ANY=[@ANYBLOB="5c00000000000304000000000700000000000000", @ANYRESDEC=r4, @ANYBLOB="00000000033a01003c0012800b00010062726964676500002c00028005001700"], 0x5c}, 0x1, 0x0, 0x0, 0x4000004}, 0x0)
r8 = openat$dsp(0xffffff9c, &(0x7f0000000040), 0x200, 0x0)
ioctl(0xffffffffffffffff, 0x5, &(0x7f0000000800)="0f467e311e965f2cdf70fcaf152d6e85fe717bb8bdebed3e4a1cc2a73a2c294398aee4f581c66ea8a056bd64b428a63393b7eaa8fce8a634eda1777846e67a041895422e405ef300b03c0957fd7af15410b0aace0767efb5ea47ccee3a7b10ed17d3debf36c88ca3279ba406ad641f56fcc83dfb5a698ced45dcd82ba2df2e027f725bbafa3eccc84114d867a5459d2ea366dbcb828e0612f55f58ea2c0b61c2c25c177f6deb93109be80a9767c9d86840d0576a59c4c69196bae6fa1dfe81e45bdd3243cd5270b0a0237c44ebd0f4024f3599d20c65b272bca686d857cc2d5f3a00b9ece8c0915e2733c6dbba861d93d7097263859e7e85f774bb300849041e6dda93fa286ad90355bbc11d6d0903fec948bbf482f5e2d8f104f8a1118625a5c4f3550930af6e3274ed801a2bd2a9d66db0988757affd8530895090e3946f7108fe7fdbd0b32925cfafe980c97c8c7645bf6dc0389f3abc3903c505145f0b6ba3ee7881c770319123d7f8829afb25633ded1a501fdf24755e4be0a50033c14ff770dbbce30cb955a953696cf539404662292cc36dab8a88b2983abbc8d1bfe3c72a80970d7727a1dfc29a2d6280d3daaa36b019500fb01d07fc34cb1a18ed8925da7750686ed8d7157825b95781ad77b6f67240b2b1494c500c6242f7a5af4f681a7f25f12ff4398bb0605af5f0214825483753f4deccf230bf07d6678efe69f2dec3638e65cad64729a5ece4b70d1ab0c108771ddc7ca0c5f4c4c9f42ba225e3f6c9adc1253a269573d93ca145ed69821a6025c6053a2d84ce958bc6982fac4e079b610e36b2925768339026d974d38ec8e330ddcbf51db84ff1b9283edf9bbdc4f08b5797cc1a2d36b2da3282e409dc1ea7366db5ae7baee67e33aec33ebd1221e39b168e88c5cb1caf95cda6675407e219d8a58941a7f621cbb0536f3d59dca5576c2160ac3bc4bcf03835ba25d09471f887fffd2c12e8acb0d4a9736deaae89f5e7e2ddb3d8b9ab02e22f3a6eea5162d5d2baf55c1db4eda4c89886842ce912b06d7f7e798a602874078895d353b543e501b4f841e998e49b8d6556b2e3a53cc8a43f87ee67da3a566e9f3ff63e394a491c2854f660912d23c2eb669b68f8e304d6ca8e8d1dc34239af9ae92df25a7cc8d5127397f7cd1c4c3009cfa427693c0648e5576462604baa4f11e42b06b5c06a20008dbba90613983cd92af7e2ad21c20b9bb6cf4ad8796d5ec22b3ca9e478b872813970be1e25d8c3615828a9fd3227d8e6dbe722682e01aa055799ab6daba93a4a1414b84e1cac932a3d18705387bee98bceae1056e0a1942cdfe6831849658f0b5c1ce63e89c104974025c9bf0df2c0f8308e50e9e02e4ad0ced7abd8c8d915c7075211239a510315f08a665a2c1fb8de744b05711e5a9902d9cde75515d51d190a062c229be43cd847799a7d35daf379dc9a20ac3211fe0d39315c19555619b4f0a5f5640f0571878cc91c18b19ab28b002c0bd8b6e77b4498dd525e6b23b68713dadd2a258530544a38960dd9a1ba0406ad23a72e7641212a17c970a190fa26b2499421682111dd0f4d1de47924f985ca6303d2ab007df3e644a8a3b699e0e71756953f9d43618a6551209fad267a98bb600631f8627a084fc2aac35d57eddd21096cf1fdb9c7423404e7b3090cb870fca66c2082acd26c9e10a73836b79bb580ec665f4899cad30c7ba44709d5bd27d8764a1df164f4867c4a02e767445f75a7ab3c366813dc0e0f8be9ccbb64f0a44fcc1d2ed3301eaa7d4591497405c4421f1b42273dcead093f32a98cad82f67dc645cbe913d319f6fd180d0c76bddaf1a5ee82cd5c07ba717b23e0e60f3d38f668c95ea166f234abf5771b7fee8355a7e81ee0f97d7f7f02c8c5c7640fd9a335019e3b069e2c0dc6289deed9f2db56b246f0450843bbdc98d30dbc063946d082151a24ce78d6c051d44e87682d964d4e7b2bf431f66eece38f4e3d8ba78c646e75351ad7784cde4bb858ab9c688338ed2fb22d237d296b49ad762ce7caa63d4542846ab79b4dcbac6d3bbaa81e290d452ca5ad80b9bf85fc6481bec9fb41525184cbc5e0cca65cf510b65f1cff7c56f698969570f5b5c64dae2648340e3f2a3b5dca146b37121934a7bbf99575f6ae04b8081b3ada675a5cc2ed9819075e9093f0307222c9d2fa8defc24bf2f23c8e539aad8454ab176b5a1cc7d81bff36b60a7ff6d863fba7d8894826fca9c024043f4979edf9f26a0825365cd2489ea762c9f2ed8ffe53168159cfaf1bdc392cf2ad3c2dc1d6eadb04553fc31b24b4e655324c679c781942c916ca3027125c52fbc0270a7e34d4e95e4d1af1663803df214d7a8704ab1872b285c1e2ada8af5e137749535f3f5ca9a128844e65853e22883f9a535a5c9abf4a966077e7cd77c5cdef8fd6a5d2d8ac2bdaf98b1f33cd17afd8a93078588037b26b410c247463dc296aa81a0a62232e31c24730550c42791411569ec88ed36fbe150f59e9a58cfc1d4b45cabb1225ff554e398f6e02a22e67abab25299de6add3f96c6925cfd0a213107f578fbabc93a50708930a54c8af6466c9e5ca75b99f9ee7a41eae3f5f5fac5db6bc2d4077d8b5e71432f2b70db1c8540b67a8c1291014856ac8a5464d63e982e43415cccd0120c18b783cc85f30aab9f20717d4a904d2026d4ccf91e18ed7fa21cf34f980d4b34439aa1736509449638a86abe526089554c4357055bc5887096c5a80812b98747b4a8846bc81529414168459fe6c696fc9c67228586194d4ce30e05c9e1877581ea31d7d20144747e20ab3a51ea999fd002880f44dc91a652b039e626ec76c1a42ba7e98cc01c74a9f9fc2f182af0179e91bf2cdbd8f7b6744c484c146b73fb96c8c3b41b44cc9415fcfaf815760f0abc28af3388c2caf73935158a5e25d6baa387a2a33211123f498dc44385c611889b6bd67b00ad01ea6fdfd5f56c02b80ec4c0ded52bd7e899b0a27cb286453910d5ca20ec868adbcb5815c26a18328836dd77203e1ada4ddf6dab25756de9ec78e1084d66b2f05ed844466775cc2eb155eeec94568cfc8989957f1f93330a0585dfc6a3554d75a55d492dd777f9d4f2e2ecbb0977e0efc1e217af7fb59d498adf1432b656580e97400d142d75a44da71bfae8de196dc3eb6c72135cd5875e0e18d234ecb30da7310086fed88e7790707e618f18fb9f72deb68e0b208497be17af1dc246827472b153f94f2ff024e2b502afd3880780ce018ba02981fe05b0502d51ae37409b87a19b9d13675815a038bcba54eaa2605a4db871cc4c9b126190fd7ec459e9f96fd3b8d9db2e7a65b8a92dbd0e71374f384e530fc9bc5ed2930e995fca6f792deb99cd5e0d4e3dd4d64a8e046ec11106a96146761a685c48730fc7cda4198d2b150b8ee76314211127144cf97a48e2b33df6a544e2a31ec166289fd030c7885c72e75f550131e3aab08553f722f5ded628823a9e0fa8539a9ae64b3989356ddcb72e5a006ae0dc826d5b86e7dbc672ec4b1932ef3d85aab0448ac742dfb5c73786b16b1e8f06ac6d84a9426c7cd6501816fbd7393f6986e0e829d5bab4e61e4754fb4f4d43b338a751355f53c646b25a99abf2a55184cfe6fb89a1af07060d8d9a0b4e6eae2f4bdf9d25e20793861951e00c2fcc384db942af3018bf32642f7f02009078bba263878923452926add6aa05d48da2d60a369565d047cf6c3b5d1046eeb29f4805d0ba569e9552237e7acdfa8fbfca58f553a3d3e106b6a39259e3c190aa8b8b94c6821f3da34f60574b9e3d44550cabb699e722bfafb8dff5498fc51856751ad80f118964fd60af05f350451ca7f1c1b3c838d3c15b2e280f7c69a1e3ea406069b08612c1b3c269c740382a869bf535d05eb66ee63c8f254279733b136d8946a351c9619a79a3d73632c3c10046da2e1249a6630a89190fd223c5cd64350510b7536be3cb0680b43cc70e093712eecd094082222059821a2c9ec0e1d9a906c2c7390d8e17749a7d2073c179067d61cb83b6a9eda5f816e44683b082e0931e94c6c549c31da197d83df3a25db88eaba9404a219f3841177fa922596b69cdccd2c63f295a68702b4763bc1b11c29eec11361b911a73e03389641a026f961cc321b10af3dc909b6b914602a4218a1276c826a728231cac77a95a40ab71e62e202b162c5290506cbe3a073481ce1828203169ba922012b4b7c02833eefa026aa53fff889e7351d5b9ef491615daf869f4b8ccb23395ea9f67dbe6e26533b96dff1956f185dabbefa6c817f5b769d058402c5574b7f1f16aba7b6f82a5ab1055581c01bcfa3bc701ac0eeea84c58080234ad6441fe423ef48fc622197e2c63478ddf998bbddda91835489d08e9ea24b8d69c6d777d88555a44404457fa82d414fc7877e13b43201274fd446eaaac6a19c2782ba7ad6398d8668de675489dad05d25ed1e7ab66ee8c075e31f3bbf55e0f2f5192bd3aa30c07872144f1562660314d1b5d15a8c6fc8b83c9a2b5fa0e8f525510eaf3ba33f55fcdcfc0c504b4c1f2de293bbe304b7845c3157004567fff98f43a61bb8222d82fd8e987178b7080a7602602140130b574e8364af63e6eb9dcc39a83936c8f8a08794c392cd7b67573f5997f4ed161493a0fbf27852fb988b619b5b34e24458a64bfac11a7cacfc04563182b76fe2cef6219b06ebfc7b24302270bd43a90bb86e539bb8b484a20424862ae6dfa64c005f15e57065a33f4b8587d5e3e5fea941a384d77c200340d47ae0f89fe36e91801f9317a7308190ad9ae431eb21e5445dc491247111a3c0ee16f2a79db878b686a198c9344f48e7fb09bc2db9f5409cbb070a633fcf2e5959e64d1e68a903b42179684a795167a5ca3c20cc0c207035ecf037fca5d5348da91adf72bd624b6d7d59d280bb37322bd336d9c2e736d4d689c8fb57c47c96fb04dcc6bca698b05eaa303674ca5a2395e0f7cc8a641a32e8510f90e4c404d55c48b8cfe84a587700d1ae5a9cf4eed4e61d8ec4c1c409761ee1db0d359ffc2f715d7b8e12fd215de84b2389eb6d09375d2e7e076dcc2cd9710e1972241f44da9da2cf832269472bde28140d472c1a113329a47012f6091804f5f6ddd45397b9dfd62b771d45fc42aa683c100557d797a046587da64fea628ea82bc74910d28b3396021ba44dbac4a1b577847f0ef6d623401261c9ecbc9d9ba6cf9efbeacb310e1c73e7b6c575d31b2d3f5c9333ce6ed0a4e75014f6df828809c6bd6c90f9f994e71a04a74b20d4a33613400b438f80fa2f4642612c383985fa04c1b1e70fc10cfb305bc7e061ec43bf4a3ede77ff3bebdcf7d1dfe77a42e01f22a34bc3dfbc8998f5c8825cbea6a2b10a4b2a1023a5be516d09de9786fcb755ce8a57a9453921064b71587ca70e2da33e0d6535e5642f6aedbf342db5448b6a48b2225de6c04068a581688f0d3fe5c85c9cd7d3822bc63a6f092c5ca00f237fb0a8d1dafa96788b68fd0706e3202c9896f1cf4ca692526a37c6d25127409a50b336d120d48494a59d8a005dbecd3084cac7cd340c4eaf63b872d9e8f6c67d1008123d339399db48c63c47a992089dfbbcb40e608e0b7d94a449ca9bc41f14bfb217d9b3360e424a85dfeff7657102a89cde659c1289a72fcb4befc830653167c837b11ce64f6e1122ede019a5eec02693cdf50030f7bc15b75e15bd21fea74bc9ad7eaea55895d229153988eb2e6459876d1d9c2b8486c6b8c1d5a2ccf49393e806f0ff44b14fd830dfc740e3f37910284e458edb70")
write$dsp(r8, &(0x7f0000000180)="27b6407e9ac147085035a5fc41a6d87d0a5fdcc9395388fbbc6191794eddc8d7f969c9a16eecb0b5acc1a95350d5467160a95be8bb234500f9865d30a173137fe7b24fc9bb0d8d94c996601860a9ba68b2b14cbbea5626e3602c7a4698861abb42f5999acccc3bd47753c779e8735301d0a2c48af6614cc083", 0x79)
r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f00000000c0)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r10 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$DMA_HEAP_IOCTL_ALLOC(r10, 0xc0184800, &(0x7f0000000100)={0x4, <r11=>r9})
ioctl$DMA_BUF_IOCTL_SYNC(r11, 0x40086200, &(0x7f0000000080)=0x7)
r12 = syz_open_dev$tty1(0xc, 0x4, 0x3)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f00000004c0)={&(0x7f0000000380), &(0x7f00000003c0)=[0x0, 0x0, 0x0], &(0x7f0000000440)=[0x0, 0x0, 0x0], &(0x7f0000000480)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x3, 0x3, 0x8})
ioctl$KDDELIO(r12, 0x4b34, 0x3bf)
executing program 0:
syz_open_dev$tty1(0xc, 0x4, 0x1)
mremap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x4000, 0x3, &(0x7f0000005000/0x4000)=nil)
openat(0xffffffffffffff9c, 0x0, 0x42, 0x1ff)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000380)={0x11, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="1801000000000000000000000000ea04850000005000000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000000040)='sched_switch\x00', r0}, 0x10)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0xa, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000280)=0x8)
r1 = getpid()
sched_setscheduler(r1, 0x2, &(0x7f0000000180)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, 0x0, 0x0, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r4, 0x0, 0x0)
bind$alg(0xffffffffffffffff, 0x0, 0x0)
r5 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
ioctl$COMEDI_DEVCONFIG(r5, 0x40946400, 0x0)
executing program 4:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_NL_LINK_SET(0xffffffffffffffff, 0x0, 0xc000)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
socket$packet(0x11, 0x3, 0x300)
r3 = socket$netlink(0x10, 0x3, 0x4)
write(r3, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 0:
socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NL80211_CMD_GET_INTERFACE(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8010}, 0x95)
r0 = fsopen(&(0x7f0000000080)='securityfs\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00')
open_by_handle_at(r1, &(0x7f00000018c0)=ANY=[@ANYBLOB="20ff0300f10000000100000000000000000000000000000005010000f8ffffff3d0000000000d9085370e929719bbdff239cd183f7f71df61a60bfc5844f6630d08f3bd32fd92c5defead90f3bf164b78f87a04abb0c3b2cedceaee99003090c77f6426d0436b4733a77d7c1f414a29b2b19852d39c4d42e40968f3030c4250d07b46ead8569536898b9ac"], 0x10040)
r2 = fsmount(r0, 0x0, 0xf)
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$TIOCPKT(r2, 0x5420, 0x0)
r3 = bpf$MAP_CREATE(0x0, 0x0, 0x50)
r4 = bpf$MAP_CREATE(0x0, 0x0, 0x50)
r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0x10, &(0x7f0000000180)=ANY=[@ANYRES32=r3, @ANYBLOB, @ANYRES32=r4, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa2f8dcc29250"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1a, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='tlb_flush\x00', r5}, 0x10)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7)
ioctl$BTRFS_IOC_BALANCE_PROGRESS(r1, 0x84009422, &(0x7f0000001d80)={0x0, 0x0, {0x0, @struct}, {}, {0x0, @struct, <r6=>0x0}})
ioctl$BTRFS_IOC_SNAP_DESTROY_V2(0xffffffffffffffff, 0x5000943f, &(0x7f00000008c0)={{}, 0x0, 0x2, @inherit={0x68, 0x0}, @devid=r6})
ioctl$BTRFS_IOC_SCRUB(0xffffffffffffffff, 0xc400941b, &(0x7f0000019080)={r6, 0x80, 0x3ff, 0x1})
ioctl$BTRFS_IOC_SCRUB(r0, 0xc400941b, &(0x7f0000000880)={r6, 0x6, 0x8})
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r7 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102)
writev(r7, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2f)
r8 = syz_io_uring_setup(0x49c, &(0x7f0000000400)={0x0, 0x7078, 0x0, 0x0, 0x284}, &(0x7f0000000100)=<r9=>0x0, &(0x7f00000001c0)=<r10=>0x0)
syz_memcpy_off$IO_URING_METADATA_GENERIC(r9, 0x4, &(0x7f0000000080)=0xfffffffc, 0x0, 0x4)
syz_io_uring_submit(r9, r10, &(0x7f00000002c0)=@IORING_OP_FADVISE={0x18, 0x1, 0x0, @fd, 0x7, 0x0, 0x3c, 0x2, 0x1})
syz_open_dev$vbi(&(0x7f0000000000), 0x2, 0x2)
io_uring_enter(r8, 0x3516, 0x0, 0x4, 0x0, 0x0)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_netfilter(0x10, 0x3, 0xc)
setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, 0x0, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x7)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080), 0x48c00, 0x0)
r0 = gettid()
timer_create(0x2, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x1, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x9}}, 0x0)
timer_delete(0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
userfaultfd(0x802)
epoll_create1(0x0)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000100), 0x1c3902, 0x0)
syz_io_uring_setup(0x32b7, &(0x7f0000000180)={0x0, 0x7f1, 0x1, 0x4, 0x41}, 0x0, 0x0)
sendfile(r2, r2, 0x0, 0x2000fb)
io_setup(0x4, &(0x7f00000014c0))
executing program 1:
r0 = socket(0x1000000000000010, 0x80802, 0x0)
bind$netlink(r0, &(0x7f0000000340)={0x10, 0x0, 0x25dfdbfc, 0x10004400}, 0xc)
bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x1, 0x0, &(0x7f0000001100)=ANY=[], 0x0, 0xfffffffd, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x29, 0xffffffffffffffff, 0x8, &(0x7f0000000180), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x94)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000000240)=0x3)
getsockopt$bt_hci(r0, 0x0, 0x3, &(0x7f00001e3000)=""/30, &(0x7f0000d23000)=0x1e)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000080)=0x83)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SNDCTL_DSP_SPEED(r2, 0xc0045002, &(0x7f00000000c0))
sendmsg$TIPC_NL_LINK_SET(0xffffffffffffffff, 0x0, 0xc000)
read$dsp(r2, 0x0, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x32, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f0000000480)={0x0, @in6={{0xa, 0x4e23, 0xfffffffc, @dev={0xfe, 0x80, '\x00', 0x3c}, 0x8}}, 0x4, 0x2, 0xe, 0x7588, 0x168, 0xfffffffc, 0x7}, &(0x7f0000000140)=0x9c)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000280)={'vxcan0\x00'})
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'pim6reg0\x00', 0x7101})
r3 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r3, 0x107, 0x8, &(0x7f0000000100)=0x40049, 0x4)
write(0xffffffffffffffff, &(0x7f0000000040)="2700000014000707030e0000120f0a0011000100f5fe009d2fb112ff000000008a151f75080039", 0x27)
executing program 2:
openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0)
r0 = socket(0x28, 0x5, 0x0)
bind$vsock_stream(r0, &(0x7f0000000040), 0x10)
r1 = socket$rxrpc(0x21, 0x2, 0x2)
setsockopt$RXRPC_MIN_SECURITY_LEVEL(r1, 0x110, 0x4, &(0x7f0000000040), 0x4)
r2 = socket(0x28, 0x5, 0x0)
connect$vsock_stream(r2, &(0x7f0000000080), 0x10)
setsockopt$sock_linger(r2, 0x1, 0x3c, &(0x7f0000000180)={0x1, 0x5}, 0x8)
sendmmsg(r2, 0x0, 0x0, 0x24008094)
recvmsg(0xffffffffffffffff, 0x0, 0x10000)
r3 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="1b0000000000000000000000000004"], 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0x6, &(0x7f0000000cc0)=ANY=[@ANYBLOB="050000000000000061110c00000000008510000002000000850000000500000095000000000000009500a5050000000077d8f3b423cdac8d80000000000000002be16ad10a48b243ccc42606d25dfd73a015e0ca7fc2506a0f7535f7866907dc0200000000000000ae669e17fd6587d452d6453559c3421eed73d56615fe6c54c3b3ffe1b4ce25d7c983c044c03bf3a48dfe47ec9dd6c091c30b93bfae76d9ebacd3ed3e26e7a23129d6606fd28a69989d552af6bda9df2c3af36effff9af2551ce896165127cb3f011a7d06602e2fc40848228567ffb400000000003ed38ae89d24e1cebfba2f87925bfacba83109751fe6c05405d027edd68149ee99eef6a6992308a4fc0b7c70bc677d6dd4aed4af7500d7900a820b6347184e9a217b5614cd50cbe43a1ed2526814bc0000e9e086ce48e90defb6670c3df2624f56da648d28ad0a97aec7291c25447c106a99893e10db21901eb397b2f5fd71400fa7a050fbbef9e326ea27e513e96068fd1e8a43e89f9c85c822a961546ed5363c17ff1432d08806bc376e3e49ee52b59d13182e1f24ed200ada10eb1affb87ba55b2d72078e9f40b4ae7d01000000d11cd22c35d32940000088dde499000000fdffffff00000000000f000000ef0000000000000000000000000c52f4ebd2c893bb97a068bd10734a83584898eccb26f7b789cfc4cd995fa3e11a5c74c85404e2df3ad37b729ac83b0dcb4f48f3c3356b9997fc455a17690b6f7f9ccbe4b1701941b18aba6b16455a66c3b84b138efc20a546d3d5227e23b03f2a834391ade2ff3e93ee296c4082ee73e7c353312c9d75711ce1623e9c54bdff59d2a69dcb7d84c235b23a4480c2461b405cfd1a38992f295ad3adc94cd07c850d1ce6d0b2fea02c24e9280333152fb794e4ddea02017a6c139b50101caecaf2abc0847a1ff2f7fc3c2b99a96fc4275ad107274e2934a87a4ddcdb112754ca5bdec0ead14b6c0f19a43a2f05c7f0be31491eb8c9ff68236c8600040000000000000000000066e034c81c3cab64e4fc8dc55ce0ada18dcbf31c6e82893add3bee3e10fc873d1d922b0877cbcd95b839d3059d5140a1f742f6e75741e39e5cb6a193e06a1043375b0f61b5d4e17c81baa31b924d84f224baf1221c15fa12313ffbfa7c2730309f66705b71e6205e7cbf3643561eabb9a63fcd604d5cc27e1317ad94cf438d71873e540be16b6ca205081173bd03c4754fc4674812daab482fd390a1c903b5d28a1eb247b5837d7603b92495d5c569f6433c3fca5206cb0000003fdbbd3892c52c2e7612e05de32322e980a3d69931e2c9312dd517c96f2ee90362476ed853c4c9b7d4ebf13cbaa795860e92a3d7d004f2c491db38eb769f094d5d48b262cc35c40682138cf13a49aa9f27abec00002f01ba1251aaf2385416ca719300"], &(0x7f0000000080)='GPL\x00', 0x5, 0x29e, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x6}, 0x70)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r4}, 0x10)
r5 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x11, 0xf, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf0900000000000055090100000000009500000800000000bf91000000000000b702000043e7b5538500000085000000b70000000000000095"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x43, '\x00', 0x0, @fallback=0xa, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000140)='kmem_cache_free\x00', r5, 0x0, 0x8}, 0x18)
pselect6(0x40, &(0x7f00000001c0)={0x0, 0x0, 0x3, 0x7fffffffff, 0x1}, 0x0, &(0x7f0000000280)={0x3ff, 0x0, 0x0, 0x3, 0x0, 0x0, 0x4, 0xfffffffffffffffc}, 0x0, 0x0)
executing program 0:
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
ioctl$EXT4_IOC_GETSTATE(r0, 0x40046629, 0x0)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f0000000080)={0xaa, 0x79})
ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000040)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000002, 0x8031, 0xffffffffffffffff, 0xfffff000)
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, 0x0)
r1 = socket(0x10, 0x2, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r1, 0x10e, 0xc, &(0x7f0000000080)={0x3, 0x2, 0x0, 0x3}, 0x10)
sendmsg$nl_route(r1, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r2 = socket(0x2, 0x2, 0x1)
syz_io_uring_setup(0x332e, &(0x7f0000000480)={0x0, 0xaeb7, 0x40, 0x3, 0x2d9}, 0x0, &(0x7f0000000400))
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
connect$inet6(r3, 0x0, 0x0)
connect$unix(r2, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f00000000c0)='contention_end\x00'}, 0x18)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000000)='mmap_lock_acquire_returned\x00'}, 0x18)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffe, 0x4031, 0xffffffffffffffff, 0x0)
userfaultfd(0x80001)
executing program 1:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80202, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-openat$binderfs-openat$ptmx-openat$sequencer-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80202, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
single: successfully extracted reproducer
found reproducer with 29 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-openat$binderfs-openat$ptmx-openat$sequencer
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80202, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-openat$binderfs-openat$ptmx-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-openat$binderfs-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
read$dsp(0xffffffffffffffff, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-openat$adsp1-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-socket$netlink-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
socket$netlink(0x10, 0x3, 0x1)
ioctl$SNDCTL_DSP_SETFRAGMENT(0xffffffffffffffff, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(0xffffffffffffffff, 0xc0045006, &(0x7f0000000180)=0x6f)
r2 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r2, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(0xffffffffffffffff, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
userfaultfd(0x80001)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-syz_open_dev$audion-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
syz_open_dev$audion(&(0x7f0000000100), 0x9, 0x612000)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x1fd, 0x0, 0xdddd1000, 0x1000, &(0x7f0000394000/0x1000)=nil})
userfaultfd(0x80001)
r2 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r2, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r2, 0xc0045006, &(0x7f0000000180)=0x6f)
r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r3, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r2, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-ioctl$KVM_CREATE_VM-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x23)
userfaultfd(0x80001)
r1 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r1, 0xc0045006, &(0x7f0000000180)=0x6f)
r2 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r2, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r1, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-bpf$MAP_CREATE_CONST_STR-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)=ANY=[], 0x48)
userfaultfd(0x80001)
r1 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r1, 0xc0045006, &(0x7f0000000180)=0x6f)
r2 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r2, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r1, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-writev-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, 0x0, 0x0)
userfaultfd(0x80001)
r1 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r1, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r1, 0xc0045006, &(0x7f0000000180)=0x6f)
r2 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r2, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r1, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-msgrcv-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
msgrcv(0x0, 0x0, 0x0, 0x0, 0xa1e3a9fe3eb9c551)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-sched_setscheduler-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-prlimit64-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prctl$PR_SCHED_CORE-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-openat$binderfs-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-mmap-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x50, 0xffffffffffffffff, 0x80000)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-write$UHID_CREATE2-openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
write$UHID_CREATE2(0xffffffffffffffff, &(0x7f0000000180)=ANY=[], 0x118)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-io_uring_setup-openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
io_uring_setup(0x2255, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in corrupted
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key-openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
add_key(&(0x7f0000000000)='keyring\x00', 0x0, 0x0, 0x0, 0x0)
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, 0x0, 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, 0x0, 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(0x0, 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, 0x0, 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, 0x0)
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, 0x0)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, 0x0, 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, 0x0, 0x0)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, 0x0, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0), 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x0, 0x0, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, 0x0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program did not crash
validation run: crashed=false
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
validation run: crashed=true
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
validation run: crashed=true
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$binderfs-syz_init_net_socket$bt_l2cap-prlimit64-sched_setscheduler-openat$sequencer-syz_open_dev$sndmidi-userfaultfd-openat$adsp1-ioctl$SNDCTL_DSP_SETFRAGMENT-ioctl$SNDCTL_DSP_CHANNELS-openat$dsp1-read$dsp-write$dsp-pselect6
detailed listing:
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
userfaultfd(0x80001)
r0 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0301, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000001340))
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000180)=0x6f)
r1 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
read$dsp(r1, &(0x7f00000002c0)=""/4096, 0x1000)
write$dsp(r0, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in snd_pcm_action
validation run: crashed=true
reproducing took 4h48m17.808728882s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in rt_spin_lock+0x88/0x3e0 kernel/locking/spinlock_rt.c:56
Read of size 1 at addr ffff888034ea7200 by task syz.1.1236/9742

CPU: 1 UID: 0 PID: 9742 Comm: syz.1.1236 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:573
 kasan_check_byte include/linux/kasan.h:401 [inline]
 lock_acquire+0x84/0x340 kernel/locking/lockdep.c:5842
 rt_spin_lock+0x88/0x3e0 kernel/locking/spinlock_rt.c:56
 spin_lock include/linux/spinlock_rt.h:44 [inline]
 __wake_up_common_lock+0x2f/0x1e0 kernel/sched/wait.c:124
 snd_pcm_action_single sound/core/pcm_native.c:-1 [inline]
 snd_pcm_action+0x1f4/0x240 sound/core/pcm_native.c:1393
 loopback_check_format sound/drivers/aloop.c:363 [inline]
 loopback_trigger+0xb82/0x1b60 sound/drivers/aloop.c:411
 snd_pcm_do_start+0xb7/0x180 sound/core/pcm_native.c:1454
 snd_pcm_action_single sound/core/pcm_native.c:1310 [inline]
 snd_pcm_action+0xe7/0x240 sound/core/pcm_native.c:1393
 __snd_pcm_lib_xfer+0x1762/0x1d00 sound/core/pcm_lib.c:2405
 snd_pcm_oss_write3+0x1bc/0x350 sound/core/oss/pcm_oss.c:1241
 snd_pcm_plug_write_transfer+0x2cb/0x4c0 sound/core/oss/pcm_plugin.c:630
 snd_pcm_oss_write2 sound/core/oss/pcm_oss.c:1373 [inline]
 snd_pcm_oss_write1 sound/core/oss/pcm_oss.c:1439 [inline]
 snd_pcm_oss_write+0xa31/0xf20 sound/core/oss/pcm_oss.c:2794
 vfs_write+0x287/0xb40 fs/read_write.c:684
 ksys_write+0x14b/0x260 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1277acf749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1277115038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f1277d26090 RCX: 00007f1277acf749
RDX: 0000000000004000 RSI: 00002000000012c0 RDI: 0000000000000008
RBP: 00007f1277b53f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f1277d26128 R14: 00007f1277d26090 R15: 00007ffea9722d18
 </TASK>

Allocated by task 9740:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __kmalloc_cache_noprof+0x1fb/0x6d0 mm/slub.c:5776
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 snd_pcm_attach_substream+0x5b7/0xb30 sound/core/pcm.c:938
 snd_pcm_open_substream+0xb6/0x2410 sound/core/pcm_native.c:2756
 snd_pcm_oss_open_file sound/core/oss/pcm_oss.c:2437 [inline]
 snd_pcm_oss_open+0xf2a/0x1bd0 sound/core/oss/pcm_oss.c:2518
 chrdev_open+0x4cf/0x5e0 fs/char_dev.c:414
 do_dentry_open+0x7d0/0x1270 fs/open.c:962
 vfs_open+0x3b/0x350 fs/open.c:1094
 do_open fs/namei.c:4628 [inline]
 path_openat+0x342a/0x3df0 fs/namei.c:4787
 do_filp_open+0x1fa/0x410 fs/namei.c:4814
 do_sys_openat2+0x121/0x200 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1447
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 9740:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6670 [inline]
 kfree+0x1bd/0x900 mm/slub.c:6878
 snd_pcm_detach_substream+0x1e1/0x290 sound/core/pcm.c:1003
 snd_pcm_oss_release_file sound/core/oss/pcm_oss.c:2396 [inline]
 snd_pcm_oss_release+0x184/0x250 sound/core/oss/pcm_oss.c:2575
 __fput+0x45b/0xa80 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:233
 get_signal+0x11c4/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
 exit_to_user_mode_loop+0x87/0x4e0 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888034ea7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 512 bytes inside of
 freed 2048-byte region [ffff888034ea7000, ffff888034ea7800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34ea0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813ff27000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813ff27000 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000d3a801 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5917, tgid 5917 (syz-executor), ts 127811454833, free_ts 125843464373
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
 prep_new_page mm/page_alloc.c:1854 [inline]
 get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab+0x86/0x3b0 mm/slub.c:3248
 new_slab mm/slub.c:3302 [inline]
 ___slab_alloc+0xb10/0x13e0 mm/slub.c:4656
 __slab_alloc+0xc6/0x1f0 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_node_track_caller_noprof+0x2bf/0x810 mm/slub.c:5764
 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:608
 pskb_expand_head+0x19d/0x1160 net/core/skbuff.c:2282
 netlink_trim+0x1b3/0x2c0 net/netlink/af_netlink.c:1299
 netlink_broadcast_filtered+0xd6/0x1000 net/netlink/af_netlink.c:1512
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2593
 rtnl_notify net/core/rtnetlink.c:958 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:4436 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4452 [inline]
 rtnetlink_event+0x224/0x270 net/core/rtnetlink.c:7018
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
 call_netdevice_notifiers net/core/dev.c:2282 [inline]
 netif_change_name+0x5db/0x970 net/core/dev.c:1490
page last free pid 5966 tgid 5966 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x149/0x170 mm/slub.c:3886
 __slab_free+0x2af/0x330 mm/slub.c:5952
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
 getname_flags+0xb8/0x540 fs/namei.c:146
 user_path_at+0x24/0x60 fs/namei.c:3566
 user_statfs+0x94/0x170 fs/statfs.c:103
 __do_sys_statfs fs/statfs.c:193 [inline]
 __se_sys_statfs fs/statfs.c:190 [inline]
 __x64_sys_statfs+0xe0/0x1b0 fs/statfs.c:190
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888034ea7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888034ea7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888034ea7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888034ea7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888034ea7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in rt_spin_lock+0x88/0x3e0 kernel/locking/spinlock_rt.c:56
Read of size 1 at addr ffff888034ea7200 by task syz.1.1236/9742

CPU: 1 UID: 0 PID: 9742 Comm: syz.1.1236 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:573
 kasan_check_byte include/linux/kasan.h:401 [inline]
 lock_acquire+0x84/0x340 kernel/locking/lockdep.c:5842
 rt_spin_lock+0x88/0x3e0 kernel/locking/spinlock_rt.c:56
 spin_lock include/linux/spinlock_rt.h:44 [inline]
 __wake_up_common_lock+0x2f/0x1e0 kernel/sched/wait.c:124
 snd_pcm_action_single sound/core/pcm_native.c:-1 [inline]
 snd_pcm_action+0x1f4/0x240 sound/core/pcm_native.c:1393
 loopback_check_format sound/drivers/aloop.c:363 [inline]
 loopback_trigger+0xb82/0x1b60 sound/drivers/aloop.c:411
 snd_pcm_do_start+0xb7/0x180 sound/core/pcm_native.c:1454
 snd_pcm_action_single sound/core/pcm_native.c:1310 [inline]
 snd_pcm_action+0xe7/0x240 sound/core/pcm_native.c:1393
 __snd_pcm_lib_xfer+0x1762/0x1d00 sound/core/pcm_lib.c:2405
 snd_pcm_oss_write3+0x1bc/0x350 sound/core/oss/pcm_oss.c:1241
 snd_pcm_plug_write_transfer+0x2cb/0x4c0 sound/core/oss/pcm_plugin.c:630
 snd_pcm_oss_write2 sound/core/oss/pcm_oss.c:1373 [inline]
 snd_pcm_oss_write1 sound/core/oss/pcm_oss.c:1439 [inline]
 snd_pcm_oss_write+0xa31/0xf20 sound/core/oss/pcm_oss.c:2794
 vfs_write+0x287/0xb40 fs/read_write.c:684
 ksys_write+0x14b/0x260 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1277acf749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1277115038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f1277d26090 RCX: 00007f1277acf749
RDX: 0000000000004000 RSI: 00002000000012c0 RDI: 0000000000000008
RBP: 00007f1277b53f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f1277d26128 R14: 00007f1277d26090 R15: 00007ffea9722d18
 </TASK>

Allocated by task 9740:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __kmalloc_cache_noprof+0x1fb/0x6d0 mm/slub.c:5776
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 snd_pcm_attach_substream+0x5b7/0xb30 sound/core/pcm.c:938
 snd_pcm_open_substream+0xb6/0x2410 sound/core/pcm_native.c:2756
 snd_pcm_oss_open_file sound/core/oss/pcm_oss.c:2437 [inline]
 snd_pcm_oss_open+0xf2a/0x1bd0 sound/core/oss/pcm_oss.c:2518
 chrdev_open+0x4cf/0x5e0 fs/char_dev.c:414
 do_dentry_open+0x7d0/0x1270 fs/open.c:962
 vfs_open+0x3b/0x350 fs/open.c:1094
 do_open fs/namei.c:4628 [inline]
 path_openat+0x342a/0x3df0 fs/namei.c:4787
 do_filp_open+0x1fa/0x410 fs/namei.c:4814
 do_sys_openat2+0x121/0x200 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1447
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 9740:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6670 [inline]
 kfree+0x1bd/0x900 mm/slub.c:6878
 snd_pcm_detach_substream+0x1e1/0x290 sound/core/pcm.c:1003
 snd_pcm_oss_release_file sound/core/oss/pcm_oss.c:2396 [inline]
 snd_pcm_oss_release+0x184/0x250 sound/core/oss/pcm_oss.c:2575
 __fput+0x45b/0xa80 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:233
 get_signal+0x11c4/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
 exit_to_user_mode_loop+0x87/0x4e0 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888034ea7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 512 bytes inside of
 freed 2048-byte region [ffff888034ea7000, ffff888034ea7800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34ea0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813ff27000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813ff27000 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000d3a801 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5917, tgid 5917 (syz-executor), ts 127811454833, free_ts 125843464373
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
 prep_new_page mm/page_alloc.c:1854 [inline]
 get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab+0x86/0x3b0 mm/slub.c:3248
 new_slab mm/slub.c:3302 [inline]
 ___slab_alloc+0xb10/0x13e0 mm/slub.c:4656
 __slab_alloc+0xc6/0x1f0 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_node_track_caller_noprof+0x2bf/0x810 mm/slub.c:5764
 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:608
 pskb_expand_head+0x19d/0x1160 net/core/skbuff.c:2282
 netlink_trim+0x1b3/0x2c0 net/netlink/af_netlink.c:1299
 netlink_broadcast_filtered+0xd6/0x1000 net/netlink/af_netlink.c:1512
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2593
 rtnl_notify net/core/rtnetlink.c:958 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:4436 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4452 [inline]
 rtnetlink_event+0x224/0x270 net/core/rtnetlink.c:7018
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
 call_netdevice_notifiers net/core/dev.c:2282 [inline]
 netif_change_name+0x5db/0x970 net/core/dev.c:1490
page last free pid 5966 tgid 5966 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x149/0x170 mm/slub.c:3886
 __slab_free+0x2af/0x330 mm/slub.c:5952
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
 getname_flags+0xb8/0x540 fs/namei.c:146
 user_path_at+0x24/0x60 fs/namei.c:3566
 user_statfs+0x94/0x170 fs/statfs.c:103
 __do_sys_statfs fs/statfs.c:193 [inline]
 __se_sys_statfs fs/statfs.c:190 [inline]
 __x64_sys_statfs+0xe0/0x1b0 fs/statfs.c:190
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888034ea7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888034ea7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888034ea7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888034ea7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888034ea7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================