Extracting prog: 5m57.577699726s Minimizing prog: 15m37.012424092s Simplifying prog options: 0s Extracting C: 1m7.936399771s Simplifying C: 9m38.779269555s extracting reproducer from 37 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x0, 0x0) program did not crash single: failed to extract reproducer bisect: bisecting 37 programs with base timeout 30s testing program (duration=39s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3] detailed listing: executing program 0: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) bind$bt_hci(r0, &(0x7f0000000280)={0x1f, 0x1}, 0x6) write$bt_hci(r0, &(0x7f0000000e40)={0x1, @read_remote_features={{0x41b, 0x2}, {0xc8}}}, 0x6) executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000340)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x10) sendmsg$NFT_BATCH(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000a00000a98000000060a0b040000000000000000020000006c000480680001800a000100696e6e65720000005800028008000240000000840800034000000007080004400000000f0800014000000000340005800c0001007061796c6f6164002400028008000340000000b908000240800000040800014000000014080004400000004b0900010073797a30000000000900020073797a32"], 0xc0}}, 0x0) executing program 0: r0 = openat$ttynull(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000080)=0x16) ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000240)) executing program 0: r0 = socket$key(0xf, 0x3, 0x2) sendmsg$NL80211_CMD_FRAME(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000fc0)={&(0x7f0000000600)=ANY=[@ANYBLOB='@\x00\x00\x00', @ANYRES16], 0x40}}, 0x0) sendmsg$key(r0, &(0x7f0000000040)={0x3, 0x0, &(0x7f0000000340)={&(0x7f00000005c0)=ANY=[@ANYBLOB="020100020a0000000000000000000000030006002b20000002004e24ac1414aa0000000000000000030005000000000002000a01000000000000000000000000020013"], 0x50}, 0x1, 0x7}, 0x20000000) executing program 0: r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='.\x00', 0x0, 0x0) ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f0000000280)=0x10) symlink(&(0x7f0000000440)='./cgroup.cpu/cgroup.procs\x00', &(0x7f0000000980)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$TIPC_NL_KEY_SET(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000380)={0x34, r1, 0x1, 0x100, 0x0, {0x3}, [@TIPC_NLA_BEARER={0x20, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x474}]}]}]}, 0x34}, 0x1, 0x0, 0x0, 0x81}, 0x240080e0) executing program 32: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$TIPC_NL_KEY_SET(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000380)={0x34, r1, 0x1, 0x100, 0x0, {0x3}, [@TIPC_NLA_BEARER={0x20, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz2\x00'}, @TIPC_NLA_BEARER_PROP={0xc, 0x2, 0x0, 0x1, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x474}]}]}]}, 0x34}, 0x1, 0x0, 0x0, 0x81}, 0x240080e0) executing program 4: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000240), r0) sendmsg$IEEE802154_LLSEC_DEL_DEVKEY(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000400)={0x34, r1, 0x821, 0x70bd2c, 0x2ddfdbff, {}, [@IEEE802154_ATTR_HW_ADDR={0xc, 0x5, {0xaaaaaaaaaaaa0202}}, @IEEE802154_ATTR_LLSEC_KEY_MODE={0x5, 0x2b, 0x2}, @IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan0\x00'}]}, 0x34}, 0x1, 0x0, 0x0, 0x41}, 0x40480c4) executing program 4: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nfc(&(0x7f00000002c0), r0) sendmsg$NFC_CMD_DEP_LINK_UP(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000380)=ANY=[@ANYBLOB=',\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="010029bd70000700000004000000080004000000000008000100", @ANYRES32=0x0, @ANYBLOB="05000a000a"], 0x2c}, 0x1, 0x0, 0x0, 0x40810}, 0x4000000) executing program 4: r0 = socket$inet6(0xa, 0x3, 0x6) setsockopt$inet6_buf(r0, 0x29, 0x39, &(0x7f0000000040)="ff02040000ffffffffffffffff1f2be82db1af0000000000", 0x18) getsockopt$inet6_opts(r0, 0x29, 0x39, 0x0, &(0x7f00000000c0)) executing program 4: r0 = syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f00000003c0)={0x0, &(0x7f0000000140)=[0x0], 0x0, 0x0, 0x0, 0x1}) ioctl$DRM_IOCTL_MODE_CREATE_LEASE(r0, 0xc01864c6, &(0x7f0000000040)={&(0x7f0000000640)=[r1], 0x1}) executing program 4: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x50) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x1f, 0xd, &(0x7f0000000100)=@framed={{0x18, 0x0, 0x0, 0x0, 0xfffffffc, 0x0, 0x0, 0x0, 0x80}, [@call={0x85, 0x0, 0x0, 0x5}, @ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x20000002}, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x4, 0x0, 0x0, 0x2}, {0x85, 0x0, 0x0, 0xa6}}]}, &(0x7f00000000c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x11}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000500)={r1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x48) executing program 4: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x0, 0x0) executing program 3: r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x4, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000ae00000095"], &(0x7f0000001b80)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x1d, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8000}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='workqueue_activate_work\x00', r0, 0x0, 0x40}, 0x18) syz_genetlink_get_family_id$ipvs(&(0x7f0000001700), 0xffffffffffffffff) executing program 3: r0 = landlock_create_ruleset(&(0x7f0000000180)={0x100}, 0x18, 0x0) landlock_restrict_self(r0, 0x0) mknodat(0xffffffffffffff9c, &(0x7f00000003c0)='./file2\x00', 0x81c0, 0x0) executing program 3: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="1801000000000000000000004b84ffec850000006d000000850000002a00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000440)={&(0x7f00000003c0)='kfree\x00', r0}, 0x10) request_key(&(0x7f0000000040)='asymmetric\x00', &(0x7f0000001ffb)={'syz', 0x3}, &(0x7f0000001fee)='R\x10rust\xe3cusg\x91\xdeeH\xe5+\xf0', 0xffffffffffffffff) executing program 3: bpf$BPF_BTF_LOAD(0x12, &(0x7f00000003c0)={&(0x7f0000000440)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x7c, 0x7c, 0x2, [@var, @func_proto={0x0, 0x6, 0x0, 0xd, 0x0, [{}, {}, {0x0, 0x4}, {}, {}, {}]}, @fwd, @volatile, @typedef={0x4, 0x0, 0x0, 0x8, 0x3}, @volatile={0x0, 0x0, 0x0, 0x9, 0x6}]}}, 0x0, 0x96}, 0x28) r0 = bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@struct]}}, &(0x7f0000000040)=""/247, 0x26, 0xf7, 0x1}, 0x20) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000500)={0x6, 0x7, &(0x7f0000000180)=@framed={{}, [@func={0x85, 0x0, 0x1, 0x0, 0x3}, @map_val, @exit]}, &(0x7f0000000280)='GPL\x00', 0x5, 0xe2, &(0x7f00000002c0)=""/226, 0x0, 0x0, '\x00', 0x0, 0x25, r0, 0x8, 0x0, 0x0, 0x10, &(0x7f00000004c0), 0x3}, 0x80) executing program 5: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newqdisc={0x44, 0x24, 0x4, 0x0, 0x25dfdbfb, {0x0, 0x0, 0x0, 0x0, {0xc}, {0x6, 0x2}, {0xf}}, [@qdisc_kind_options=@q_fq_pie={{0xb}, {0x14, 0x8002, [@TCA_FQ_PIE_QUANTUM={0x8, 0x7, 0x8}, @TCA_FQ_PIE_MEMORY_LIMIT={0x8, 0x8, 0x4}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x41}, 0x0) sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="500000001000010425bbe5ad600027842cf52300", @ANYRES32=0x0, @ANYBLOB="0000000000008000280012800a00010076786c616e00"], 0x50}}, 0x4008840) executing program 3: bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x1b, 0x15, &(0x7f0000000440)=@framed={{0x18, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x10001}, [@printk={@lu, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x3, 0x0, 0x0, 0x97}}, @cb_func={0x18, 0xb, 0x4, 0x0, 0xfffffffffffffffa}, @printk={@lx, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x3, 0x0, 0x0, 0x8001}}]}, 0x0, 0x4, 0x0, 0x0, 0x40e00, 0x8, '\x00', 0x0, @fallback=0x1f}, 0x94) r0 = socket$kcm(0x10, 0x400000002, 0x0) write$cgroup_subtree(r0, &(0x7f00000004c0)=ANY=[@ANYBLOB='$\x00\x00\x00f\x00'], 0xfe33) executing program 5: sendmsg$NL80211_CMD_FLUSH_PMKSA(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x200}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x80}, 0x4800) r0 = socket$inet6(0xa, 0x2, 0x0) sendmmsg$inet6(r0, &(0x7f0000007240)=[{{&(0x7f0000000100)={0xa, 0x4e22, 0x6, @mcast2, 0x7}, 0x1c, 0x0}}, {{0x0, 0x0, &(0x7f0000001380)=[{&(0x7f00000012c0)="1ce02c7a", 0xfe60}], 0x1}}, {{0x0, 0x0, &(0x7f0000000000), 0x1}}], 0x3, 0x1c000) executing program 3: r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x8, 0x44f, 0xb300, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x30, 0x20, [{{0x9, 0x4, 0x0, 0x1, 0x2, 0x3, 0x0, 0x1, 0x0, {0x9, 0x21, 0x3, 0x6, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x2}}}}}]}}]}}, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f00000000c0)={0x24, 0x0, 0x0, &(0x7f0000000080)={0x0, 0x22, 0x5, {[@global=@item_4={0x3, 0x1, 0x6, "c53d2842"}]}}, 0x0}, 0x0) executing program 5: r0 = eventfd2(0x0, 0x0) io_setup(0x6, &(0x7f0000000180)=0x0) io_submit(r1, 0x1, &(0x7f0000000340)=[&(0x7f0000000200)={0x0, 0x0, 0x20, 0x7, 0x3511, r0, 0x0, 0x0, 0x0, 0x0, 0x3, r0}]) executing program 1: r0 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r0) ptrace$cont(0x1f, r0, 0x5, 0x10000000000005) executing program 5: r0 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0) ioctl$COMEDI_DEVCONFIG(r0, 0x40946400, 0x0) ioctl$COMEDI_DEVCONFIG(r0, 0x40946400, &(0x7f0000000300)={'dt2815\x00', [0xb6, 0x3, 0x10002, 0xfff, 0x5, 0xcc7, 0x8, 0xdbb1, 0xa, 0x101, 0x2, 0x1, 0xbf, 0x18000, 0x6, 0x101, 0x80000, 0x1a449, 0xffffffff, 0x1000007f, 0x89, 0xcaa3, 0x2, 0x73, 0x4, 0x4, 0xfffffffa, 0x8, 0x4088, 0x80, 0x4]}) executing program 2: r0 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000080)='/dev/comedi3\x00', 0x400, 0x0) ioctl$COMEDI_DEVCONFIG(r0, 0x40946400, 0x0) ioctl$COMEDI_DEVCONFIG(r0, 0x40946400, &(0x7f00000000c0)={'pcmmio\x00', [0x4f27, 0x80000000, 0x4, 0x4, 0x5, 0x5, 0x4, 0x7, 0x54c6cff3, 0xfd, 0x2, 0x1, 0x1, 0x1, 0x6, 0x101, 0x0, 0x7f, 0x3, 0x40000003, 0x89, 0xcaa3, 0x0, 0x20001e5b, 0x3, 0xe66, 0x3, 0x8, 0x4086, 0x0, 0xfffffffc]}) executing program 1: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000080), r0) sendmsg$NLBL_UNLABEL_C_STATICADDDEF(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB='D\x00\x00\x00', @ANYRES16=r1, @ANYBLOB="410000000000000001000603000014000300060a0004090300f006e8ffffffffffff07000700263a0909140002"], 0x44}, 0x1, 0x1000000}, 0x0) executing program 1: r0 = socket(0x40000000015, 0x5, 0x0) connect$inet(r0, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x0, 0x0, @local, 0x90}, 0x1c) executing program 1: mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x12b) mount(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000300)='configfs\x00', 0x0, 0x0) chown(&(0x7f0000000280)='./file0\x00', 0xee01, 0xffffffffffffffff) executing program 2: unshare(0x22020600) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='blkio.throttle.io_service_bytes\x00', 0x26e1, 0x0) bpf$ITER_CREATE(0x21, 0x0, 0x0) executing program 5: mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x1000009, 0x32, 0xffffffffffffffff, 0x80091000) r0 = socket$rxrpc(0x21, 0x2, 0xa) setsockopt$sock_int(r0, 0x1, 0x20, &(0x7f0000000080)=0xfffffff9, 0x4) executing program 2: setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(0xffffffffffffffff, 0x84, 0x7b, &(0x7f0000000080)={0x0, 0x8000}, 0x8) r0 = socket$inet6_sctp(0xa, 0x801, 0x84) getsockopt$bt_hci(r0, 0x84, 0x7f, &(0x7f0000000080)=""/4057, &(0x7f0000001180)=0xfd9) executing program 1: r0 = syz_open_dev$vbi(&(0x7f0000000000), 0x0, 0x2) ioctl$VIDIOC_S_INPUT(r0, 0xc0045627, &(0x7f0000000100)=0x3) ioctl$VIDIOC_SUBDEV_S_DV_TIMINGS(r0, 0xc0845657, &(0x7f0000000040)={0x0, @bt={0xa00, 0x63d, 0x1, 0x2, 0x10, 0x19f2, 0x8, 0x19ef, 0x3, 0xe, 0x4, 0x2800, 0x2, 0x2ba2, 0x2802, 0x3d, {0x8, 0xfffffffb}, 0xd1, 0xa}}) executing program 5: socket$kcm(0x11, 0xa, 0x300) r0 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000740)={0x6, 0x3, &(0x7f0000000680)=ANY=[@ANYBLOB="18000000020000000000000000ee000095"], &(0x7f00000002c0)='syzkaller\x00', 0x1, 0x0, 0x0, 0x40f00}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r0, 0x5, 0xb68, 0x560b0007, &(0x7f0000000000)="259a53f260006d2688a84c6588a8", 0x0, 0xd01, 0x2a0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x48) executing program 2: r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000600)={0x20, 0x3, &(0x7f0000000200)=@framed, &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @netfilter=0x2d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x99ec}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000080)={r0, 0x0, 0x2d, 0x0, @val=@netfilter={0xa, 0x1, 0x353a, 0x1}}, 0x20) syz_emit_ethernet(0x46, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaaaaaaaa1780c206050086dd6018232500103b"], 0x0) executing program 2: prctl$PR_SET_VMA(0x53564d41, 0x0, &(0x7f0000ffc000/0x3000)=nil, 0xda9917f2, &(0x7f0000000480)='\x00\xff\xff\x00\x02@qGP\xc5\x94\xa6\x8fB\xc3\x93\xe5\xc1a\x05!\x9a\x8b\xeb\xceJP\x1e\xf2\x8a\xd4\xaa\x15@>\xdb\xab\x06\x1b\xe2w\xd8\x1e\xda\xc1\x9f\xe9\xc4c\xdd\xf6^\xcb\xec\xab\x82\xcf\x14\xde\xa5\xef\x162bP\x95/\xefMs\xe0%}\xe4\xf1=\x05\xf6l7\xc1\xe9c\xc3\x7f\tg\xf56\xeasl\xbd\x02\xc1\x8a\xa9\x83\xaf\xfa\x95W+N$\x06R\x92\xe5Z\x97\xfb\xb6e}fW\x8bm\x04\'{\xaf\xe2zd\x91+-\xb1\xd8\ftK|\xb8\xd2\xb6\x7f\xf4\x84\v\x1e\xe6R\xfc\xbcg\x81\xbb\xc4\xcd\xe9\xe5.\x9b\x7f\xeb\x04\xe6,N\x00\x9a\x9d\xf8\xd1\x8aR4;\x7f\x8a\x86\xb7\xd7o\x90\xfd\xa9dJ\xd5.\x18F2\x00\x00\x00\xf2y\x99\xfd\xca\xff*\xd3;\x84F\x8f !N\x1c\xfaI\xa5\x85:\xc1\x9ed\x13\xaf\xd0/\x00\x9b\x0e\xb6\xca\xa5X\xb9]<\n\x90Tk\xa4\xb3\xc4\xa4*\xc2\xf6\x1bw\n6^\xfa\xea\r\xf1\xc1\xd0\xd8\xc7B\x1cP\x02\xcfH\x89\x82G\xcf\x1921\x9e\v4Q\xc6\x9c\xc3\xfd\xf3Z1\xef7cK\xd5\xdc\xbf\x00\xe0{\xa0\xf7\xcd\x82\xf6\x99\xcb\x1a\x17\x02\xd1\x9d(\xa2 \x85\x8e 6zL\xeeqG\t~\xafQ(\xc3\xd8\x05\xcb\xbfB\xb0\xe1b\x0f\xa8f\xe6\xb1\xe8\x9aB\x90\x00\x00\x00') mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x2000)=nil, 0x2000, 0x7, 0x32, 0xffffffffffffffff, 0x0) prctl$PR_SET_VMA(0x53564d41, 0x0, &(0x7f0000ffc000/0x3000)=nil, 0x3000, 0x0) executing program 1: rseq(&(0x7f0000000400), 0x20, 0x0, 0x0) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x6, 0x4, &(0x7f0000000100)=@framed={{0x18, 0x2, 0x0, 0x0, 0xb53, 0x0, 0x0, 0x0, 0x200}, [@call={0x85, 0x0, 0x0, 0xe}]}, &(0x7f0000000080)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r0, 0x0, 0x2100, 0x0, &(0x7f0000000100), 0x0, 0x11, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9}, 0x50) executing program 2: r0 = socket$kcm(0x29, 0x2, 0x0) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x2, 0x31, 0xffffffffffffffff, 0x0) ioctl$sock_proto_private(r0, 0x89e2, &(0x7f0000000040)) program did not crash replaying the whole log did not cause a kernel crash single: executing 1 programs separately with timeout 1m40s testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x0, 0x0) program crashed: BUG: sleeping function called from invalid context in dummy_dequeue single: successfully extracted reproducer found reproducer with 3 syscalls minimizing guilty program testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: syz_usb_ep_write$ath9k_ep1(0xffffffffffffffff, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x0, 0x0, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x0, 0x0) program did not crash testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x4, &(0x7f0000000080)={[{}]}) program did not crash extracting C reproducer testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue simplifying C reproducer testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 program crashed: BUG: sleeping function called from invalid context in dummy_dequeue testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) program crashed: BUG: sleeping function called from invalid context in dummy_dequeue validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) program crashed: BUG: sleeping function called from invalid context in dummy_dequeue validation run: crashed=true testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write$ath9k_ep1 detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x77, 0x29, 0x4, 0x20, 0x424, 0x9901, 0xc257, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x43, 0x0, 0x1, 0x31, 0x7d, 0x55, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x200}}]}}]}}]}}, 0x0) syz_usb_ep_write$ath9k_ep1(r0, 0x82, 0x44, &(0x7f0000000080)={[{0x3d, 0x4e00, "38b453b34a1525d5947a4340cb138ff16711012c053fb0d70fb7a566b6f9c8a20f5ef42cdfb272e152d8597d455d408c24bf78f632491b123a09426d15"}]}) program crashed: BUG: sleeping function called from invalid context in dummy_dequeue validation run: crashed=true reproducing took 38m19.463471271s repro crashed as (corrupted=false): BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 6118, name: syz.0.17 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 1 lock held by syz.0.17/6118: #0: ffff888144724058 (&dum_hcd->dum->lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:44 [inline] #0: ffff888144724058 (&dum_hcd->dum->lock){+.+.}-{3:3}, at: dummy_dequeue+0x164/0x480 drivers/usb/gadget/udc/dummy_hcd.c:769 irq event stamp: 5054 hardirqs last enabled at (5053): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (5053): [] _raw_spin_unlock_irq+0x23/0x50 kernel/locking/spinlock.c:202 hardirqs last disabled at (5054): [] dummy_dequeue+0x151/0x480 drivers/usb/gadget/udc/dummy_hcd.c:768 softirqs last enabled at (0): [] rcu_lock_acquire include/linux/rcupdate.h:331 [inline] softirqs last enabled at (0): [] rcu_read_lock include/linux/rcupdate.h:841 [inline] softirqs last enabled at (0): [] copy_process+0x979/0x3ae0 kernel/fork.c:2043 softirqs last disabled at (0): [<0000000000000000>] 0x0 CPU: 0 UID: 0 PID: 6118 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 __might_resched+0x44b/0x5d0 kernel/sched/core.c:8957 __rt_spin_lock kernel/locking/spinlock_rt.c:48 [inline] rt_spin_lock+0xc7/0x2c0 kernel/locking/spinlock_rt.c:57 spin_lock include/linux/spinlock_rt.h:44 [inline] dummy_dequeue+0x164/0x480 drivers/usb/gadget/udc/dummy_hcd.c:769 usb_ep_dequeue+0x66/0x250 drivers/usb/gadget/udc/core.c:330 raw_process_ep_io+0x5a3/0xaf0 drivers/usb/gadget/legacy/raw_gadget.c:1124 raw_ioctl_ep_write drivers/usb/gadget/legacy/raw_gadget.c:1152 [inline] raw_ioctl+0x22dc/0x3ba0 drivers/usb/gadget/legacy/raw_gadget.c:1324 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f1608d4e7eb Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007ffdcd9fcf80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000044 RCX: 00007f1608d4e7eb RDX: 00007ffdcd9fd000 RSI: 0000000040085507 RDI: 0000000000000003 RBP: 0000000000000003 R08: 00007f16090a0320 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 0000200000000080 R13: 000000000000000a R14: 00007f1608f75fa0 R15: 0000000000000004 final repro crashed as (corrupted=false): BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 6118, name: syz.0.17 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 1 lock held by syz.0.17/6118: #0: ffff888144724058 (&dum_hcd->dum->lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:44 [inline] #0: ffff888144724058 (&dum_hcd->dum->lock){+.+.}-{3:3}, at: dummy_dequeue+0x164/0x480 drivers/usb/gadget/udc/dummy_hcd.c:769 irq event stamp: 5054 hardirqs last enabled at (5053): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (5053): [] _raw_spin_unlock_irq+0x23/0x50 kernel/locking/spinlock.c:202 hardirqs last disabled at (5054): [] dummy_dequeue+0x151/0x480 drivers/usb/gadget/udc/dummy_hcd.c:768 softirqs last enabled at (0): [] rcu_lock_acquire include/linux/rcupdate.h:331 [inline] softirqs last enabled at (0): [] rcu_read_lock include/linux/rcupdate.h:841 [inline] softirqs last enabled at (0): [] copy_process+0x979/0x3ae0 kernel/fork.c:2043 softirqs last disabled at (0): [<0000000000000000>] 0x0 CPU: 0 UID: 0 PID: 6118 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 __might_resched+0x44b/0x5d0 kernel/sched/core.c:8957 __rt_spin_lock kernel/locking/spinlock_rt.c:48 [inline] rt_spin_lock+0xc7/0x2c0 kernel/locking/spinlock_rt.c:57 spin_lock include/linux/spinlock_rt.h:44 [inline] dummy_dequeue+0x164/0x480 drivers/usb/gadget/udc/dummy_hcd.c:769 usb_ep_dequeue+0x66/0x250 drivers/usb/gadget/udc/core.c:330 raw_process_ep_io+0x5a3/0xaf0 drivers/usb/gadget/legacy/raw_gadget.c:1124 raw_ioctl_ep_write drivers/usb/gadget/legacy/raw_gadget.c:1152 [inline] raw_ioctl+0x22dc/0x3ba0 drivers/usb/gadget/legacy/raw_gadget.c:1324 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f1608d4e7eb Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007ffdcd9fcf80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000044 RCX: 00007f1608d4e7eb RDX: 00007ffdcd9fd000 RSI: 0000000040085507 RDI: 0000000000000003 RBP: 0000000000000003 R08: 00007f16090a0320 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 0000200000000080 R13: 000000000000000a R14: 00007f1608f75fa0 R15: 0000000000000004