program:
openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r0 = syz_open_dev$dri(&(0x7f0000000040), 0x20, 0x0)
r1 = socket$inet6(0xa, 0x800000000000002, 0x0)
setsockopt$inet_opts(r1, 0x0, 0x2, &(0x7f00000002c0)="e3", 0x1)
getsockopt(r1, 0x0, 0x2, 0x0, &(0x7f0000000000))
r2 = socket(0x10, 0x803, 0x0)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r2, 0x89f1, &(0x7f00000006c0)={'ip6_vti0\x00', &(0x7f0000000640)={'syztnl2\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @mcast2, @dev={0xfe, 0x80, '\x00', 0x1f}, 0x6, 0x700, 0x8, 0x7f}})
ioctl$sock_ipv6_tunnel_SIOCGETTUNNEL(r2, 0x89f0, &(0x7f0000000180)={'syztnl2\x00', &(0x7f0000000100)={'syztnl2\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @dev, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'}})
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r0, 0xc00864bf, &(0x7f0000000140)={<r3=>0x0})
r4 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
setsockopt$IPT_SO_SET_REPLACE(r4, 0x0, 0x40, &(0x7f0000000f00)=@nat={'nat\x00', 0x670, 0x5, 0x4f0, 0x2c8, 0x1b8, 0xffffffff, 0x0, 0x2c8, 0x458, 0x458, 0xffffffff, 0x458, 0x458, 0x5, 0x0, {[{{@uncond, 0x0, 0x180, 0x1b8, 0x48, {}, [@common=@unspec=@conntrack3={{0xc8}, {{@ipv4=@rand_addr=0x64010102, [0xffffff00, 0xff, 0xffffffff, 0xff000000], @ipv4=@rand_addr=0x64010100, [0xffffffff, 0x0, 0xffffff00, 0xffffff00], @ipv6=@local, [0xff, 0xff, 0xffffffff, 0xffffffff], @ipv6=@initdev={0xfe, 0x88, '\x00', 0x1, 0x0}, [0xffffffff, 0xff, 0xffffffff, 0xff000000], 0xc9, 0x4, 0x0, 0x4e24, 0x4e24, 0x4e21, 0x4e22, 0x1800, 0x100}, 0x40, 0x800, 0x4e24, 0x4e24, 0x4e23, 0x4e22}}, @common=@unspec=@helper={{0x48}, {0x0, 'tftp-20000\x00'}}]}, @DNAT0={0x38, 'DNAT\x00', 0x0, {0x1, {0x19, @multicast2, @loopback, @icmp_id=0x66, @port=0x4e24}}}}, {{@ip={@broadcast, @remote, 0xff, 0xff, 'nicvf0\x00', 'ipvlan1\x00', {0xff}, {}, 0xc, 0x0, 0x30}, 0x0, 0xc8, 0x110, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'ip6gre0\x00', {0x8, 0x5, 0xfffffffc, 0x8, 0x8, 0x51f2, 0x6dc0}, {0xff}}}]}, @unspec=@SNAT1={0x48, 'SNAT\x00', 0x1, {0x11, @ipv6=@mcast1, @ipv4=@loopback, @icmp_id=0x64, @port=0x4e23}}}, {{@ip={@multicast2, @broadcast, 0x0, 0x0, 'virt_wifi0\x00', 'team_slave_0\x00'}, 0x0, 0xa0, 0xe8, 0x0, {}, [@common=@addrtype={{0x30}, {0x890, 0x218, 0x0, 0x1}}]}, @unspec=@SNAT1={0x48, 'SNAT\x00', 0x1, {0xe, @ipv6=@ipv4={'\x00', '\xff\xff', @empty}, @ipv6=@initdev={0xfe, 0x88, '\x00', 0x1, 0x0}, @icmp_id=0x65, @gre_key}}}, {{@ip={@broadcast, @rand_addr=0x1, 0x0, 0x0, 'nicvf0\x00', 'pim6reg\x00', {}, {0xff}, 0x1}, 0x0, 0x70, 0xa8}, @NETMAP={0x38, 'NETMAP\x00', 0x0, {0xc0000000, {0x21, @broadcast, @dev={0xac, 0x14, 0x14, 0x1c}, @gre_key=0x40, @port=0x4e23}}}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x550)
r5 = syz_open_dev$dri(&(0x7f0000000340), 0x2, 0xc8d03)
r6 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000440)={0x50, 0x2, 0x6, 0x5, 0x0, 0x0, {0x3}, [@IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x15, 0x3, 'hash:ip,port,net\x00'}]}, 0x50}}, 0x0)
sendmsg$IPSET_CMD_ADD(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000000c0)=ANY=[@ANYBLOB="74000000090601020000000000000000030000000900020073797a310000000005000100070000004c0007801800018014000240fe8000000000000000000000000000aa1800148014000240fc00000000000000000000000000000006000400000000000500070084000000060005"], 0x74}, 0x1, 0x0, 0x0, 0x10040003}, 0x1)
mprotect(&(0x7f0000000000/0x2000)=nil, 0x2000, 0xc)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r7, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r5, 0xc00864bf, &(0x7f0000000000)={<r8=>0x0})
ioctl$DRM_IOCTL_SYNCOBJ_TIMELINE_SIGNAL(r5, 0xc01864cd, &(0x7f0000000180)={&(0x7f0000000080)=[r8], 0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_TIMELINE_WAIT(r5, 0xc03064ca, &(0x7f00000000c0)={&(0x7f00000001c0)=[r8, r8], &(0x7f0000000100)=[0x11], 0xfffffffffffefffe, 0x2, 0xb})
r9 = syz_open_dev$dri(&(0x7f0000000340), 0x2, 0xc8d03)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r9, 0xc00864bf, &(0x7f0000000000)={<r10=>0x0})
ioctl$DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD_SYNC_FILE(r0, 0xc01064c1, &(0x7f0000000240)={r3})
ioctl$DRM_IOCTL_SYNCOBJ_QUERY(r0, 0xc01864cb, &(0x7f00000001c0)={&(0x7f0000000080)=[r8, r3, r3, r3, r10, r3, r3, r3], &(0x7f00000000c0)=[0x2, 0x1, 0xffff, 0x5b18a467, 0xfffffffffffffffe, 0x9], 0x8, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD_FD(r0, 0xc01064c1, &(0x7f0000000100)={r3, 0x0, <r11=>0xffffffffffffffff})
r12 = open$dir(&(0x7f0000000080)='.\x00', 0x0, 0x0)
fcntl$setownex(r12, 0x8, &(0x7f0000000040))
close(r11)
socket$nl_generic(0x10, 0x3, 0x10)

[  101.513040][ T5305] Bluetooth: hci0: command tx timeout
[  101.656983][ T5326] ------------[ cut here ]------------
[  101.659505][ T5326] 1
[  101.659543][ T5326] WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x2d1/0x380, CPU#0: syz.0.0/5326
[  101.667027][ T5326] Modules linked in:
[  101.668853][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  101.672981][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  101.677164][ T5326] RIP: 0010:__alloc_frozen_pages_noprof+0x2d1/0x380
[  101.681338][ T5326] Code: 74 10 4c 89 e7 89 54 24 0c e8 1b 4b 0e 00 8b 54 24 0c 49 83 3c 24 00 0f 85 a8 fe ff ff e9 a9 fe ff ff c6 05 14 81 d8 0d 01 90 <0f> 0b 90 e9 17 ff ff ff a9 00 00 08 00 48 8b 4c 24 10 4c 8d 44 24
[  101.690390][ T5326] RSP: 0018:ffffc9000de3f8a0 EFLAGS: 00010246
[  101.693455][ T5326] RAX: ffffc9000de3f800 RBX: 0000000000000014 RCX: 0000000000000000
[  101.696894][ T5326] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000de3f908
[  101.700434][ T5326] RBP: ffffc9000de3f988 R08: ffffc9000de3f907 R09: 0000000000000000
[  101.704816][ T5326] R10: ffffc9000de3f8e0 R11: fffff52001bc7f21 R12: 0000000000000000
[  101.708791][ T5326] R13: 1ffff92001bc7f18 R14: 0000000000040cc0 R15: dffffc0000000000
[  101.712053][ T5326] FS:  00007ff37e0c46c0(0000) GS:ffff88808ca55000(0000) knlGS:0000000000000000
[  101.715901][ T5326] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  101.718719][ T5326] CR2: 00002000000000e4 CR3: 000000001f52c000 CR4: 0000000000352ef0
[  101.722398][ T5326] Call Trace:
[  101.724104][ T5326]  <TASK>
[  101.725566][ T5326]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[  101.728388][ T5326]  ? __pfx_policy_nodemask+0x10/0x10
[  101.730939][ T5326]  ? kasan_save_track+0x4f/0x80
[  101.732974][ T5326]  ? kasan_save_track+0x3e/0x80
[  101.735117][ T5326]  ? kasan_save_free_info+0x46/0x50
[  101.737782][ T5326]  ? kfree+0x1c1/0x630
[  101.740009][ T5326]  ? tomoyo_path_number_perm+0x501/0x630
[  101.743842][ T5326]  ? security_file_ioctl+0xc3/0x2a0
[  101.746453][ T5326]  alloc_pages_mpol+0x232/0x4a0
[  101.748559][ T5326]  ___kmalloc_large_node+0x4e/0x150
[  101.750817][ T5326]  __kmalloc_large_node_noprof+0x18/0x90
[  101.753310][ T5326]  __kmalloc_noprof+0x3e8/0x760
[  101.755697][ T5326]  ? drm_syncobj_array_find+0x3a/0x440
[  101.758593][ T5326]  drm_syncobj_array_find+0x3a/0x440
[  101.761254][ T5326]  ? __lock_acquire+0x6b5/0x2cf0
[  101.763324][ T5326]  drm_syncobj_timeline_wait_ioctl+0x19d/0x6b0
[  101.765752][ T5326]  ? __pfx_drm_syncobj_timeline_wait_ioctl+0x10/0x10
[  101.768433][ T5326]  drm_ioctl_kernel+0x2df/0x3b0
[  101.770627][ T5326]  ? __pfx_drm_syncobj_timeline_wait_ioctl+0x10/0x10
[  101.773631][ T5326]  ? __pfx_drm_ioctl_kernel+0x10/0x10
[  101.776120][ T5326]  drm_ioctl+0x6ba/0xb80
[  101.778313][ T5326]  ? __fget_files+0x2a/0x420
[  101.780366][ T5326]  ? __pfx_drm_syncobj_timeline_wait_ioctl+0x10/0x10
[  101.783298][ T5326]  ? __pfx_drm_ioctl+0x10/0x10
[  101.785415][ T5326]  ? __fget_files+0x2a/0x420
[  101.787669][ T5326]  ? bpf_lsm_file_ioctl+0x9/0x20
[  101.790021][ T5326]  ? __pfx_drm_ioctl+0x10/0x10
[  101.792703][ T5326]  __se_sys_ioctl+0xfc/0x170
[  101.795083][ T5326]  do_syscall_64+0x14d/0xf80
[  101.797210][ T5326]  ? trace_irq_disable+0x3b/0x150
[  101.799451][ T5326]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.802278][ T5326]  ? clear_bhb_loop+0x40/0x90
[  101.804164][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.806613][ T5326] RIP: 0033:0x7ff37d19c799
[  101.808680][ T5326] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  101.818402][ T5326] RSP: 002b:00007ff37e0c3fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  101.824012][ T5326] RAX: ffffffffffffffda RBX: 00007ff37d415fa0 RCX: 00007ff37d19c799
[  101.828435][ T5326] RDX: 00002000000000c0 RSI: 00000000c03064ca RDI: 0000000000000008
[  101.832421][ T5326] RBP: 00007ff37d232c99 R08: 0000000000000000 R09: 0000000000000000
[  101.835822][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  101.839577][ T5326] R13: 00007ff37d416038 R14: 00007ff37d415fa0 R15: 00007fff47baae38
[  101.844310][ T5326]  </TASK>
[  101.846146][ T5326] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  101.849644][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  101.853515][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  101.857698][ T5326] Call Trace:
[  101.859494][ T5326]  <TASK>
[  101.861307][ T5326]  vpanic+0x56c/0xa60
[  101.863832][ T5326]  ? __pfx__printk+0x10/0x10
[  101.866527][ T5326]  ? __pfx_vpanic+0x10/0x10
[  101.868769][ T5326]  ? is_bpf_text_address+0x292/0x2b0
[  101.871124][ T5326]  ? is_bpf_text_address+0x26/0x2b0
[  101.873559][ T5326]  panic+0xc5/0xd0
[  101.875167][ T5326]  ? __pfx_panic+0x10/0x10
[  101.877042][ T5326]  __warn+0x315/0x4f0
[  101.878936][ T5326]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  101.882032][ T5326]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  101.885192][ T5326]  __report_bug+0x29a/0x540
[  101.887371][ T5326]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  101.890176][ T5326]  ? __pfx___report_bug+0x10/0x10
[  101.892698][ T5326]  ? is_bpf_text_address+0x26/0x2b0
[  101.895287][ T5326]  ? is_bpf_text_address+0x292/0x2b0
[  101.897955][ T5326]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  101.900902][ T5326]  report_bug+0x16a/0x220
[  101.902901][ T5326]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  101.905514][ T5326]  ? __alloc_frozen_pages_noprof+0x2d3/0x380
[  101.908061][ T5326]  handle_bug+0x9c/0x200
[  101.910156][ T5326]  exc_invalid_op+0x1a/0x50
[  101.913173][ T5326]  asm_exc_invalid_op+0x1a/0x20
[  101.916460][ T5326] RIP: 0010:__alloc_frozen_pages_noprof+0x2d1/0x380
[  101.919788][ T5326] Code: 74 10 4c 89 e7 89 54 24 0c e8 1b 4b 0e 00 8b 54 24 0c 49 83 3c 24 00 0f 85 a8 fe ff ff e9 a9 fe ff ff c6 05 14 81 d8 0d 01 90 <0f> 0b 90 e9 17 ff ff ff a9 00 00 08 00 48 8b 4c 24 10 4c 8d 44 24
[  101.928590][ T5326] RSP: 0018:ffffc9000de3f8a0 EFLAGS: 00010246
[  101.931359][ T5326] RAX: ffffc9000de3f800 RBX: 0000000000000014 RCX: 0000000000000000
[  101.935120][ T5326] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000de3f908
[  101.939820][ T5326] RBP: ffffc9000de3f988 R08: ffffc9000de3f907 R09: 0000000000000000
[  101.944821][ T5326] R10: ffffc9000de3f8e0 R11: fffff52001bc7f21 R12: 0000000000000000
[  101.948999][ T5326] R13: 1ffff92001bc7f18 R14: 0000000000040cc0 R15: dffffc0000000000
[  101.952379][ T5326]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[  101.955218][ T5326]  ? __pfx_policy_nodemask+0x10/0x10
[  101.958532][ T5326]  ? kasan_save_track+0x4f/0x80
[  101.961324][ T5326]  ? kasan_save_track+0x3e/0x80
[  101.963778][ T5326]  ? kasan_save_free_info+0x46/0x50
[  101.966018][ T5326]  ? kfree+0x1c1/0x630
[  101.967987][ T5326]  ? tomoyo_path_number_perm+0x501/0x630
[  101.970703][ T5326]  ? security_file_ioctl+0xc3/0x2a0
[  101.973244][ T5326]  alloc_pages_mpol+0x232/0x4a0
[  101.975633][ T5326]  ___kmalloc_large_node+0x4e/0x150
[  101.978451][ T5326]  __kmalloc_large_node_noprof+0x18/0x90
[  101.981642][ T5326]  __kmalloc_noprof+0x3e8/0x760
[  101.984088][ T5326]  ? drm_syncobj_array_find+0x3a/0x440
[  101.986536][ T5326]  drm_syncobj_array_find+0x3a/0x440
[  101.989034][ T5326]  ? __lock_acquire+0x6b5/0x2cf0
[  101.991439][ T5326]  drm_syncobj_timeline_wait_ioctl+0x19d/0x6b0
[  101.994811][ T5326]  ? __pfx_drm_syncobj_timeline_wait_ioctl+0x10/0x10
[  101.997959][ T5326]  drm_ioctl_kernel+0x2df/0x3b0
[  102.000205][ T5326]  ? __pfx_drm_syncobj_timeline_wait_ioctl+0x10/0x10
[  102.003206][ T5326]  ? __pfx_drm_ioctl_kernel+0x10/0x10
[  102.005721][ T5326]  drm_ioctl+0x6ba/0xb80
[  102.007814][ T5326]  ? __fget_files+0x2a/0x420
[  102.010162][ T5326]  ? __pfx_drm_syncobj_timeline_wait_ioctl+0x10/0x10
[  102.013630][ T5326]  ? __pfx_drm_ioctl+0x10/0x10
[  102.016200][ T5326]  ? __fget_files+0x2a/0x420
[  102.018362][ T5326]  ? bpf_lsm_file_ioctl+0x9/0x20
[  102.020641][ T5326]  ? __pfx_drm_ioctl+0x10/0x10
[  102.022872][ T5326]  __se_sys_ioctl+0xfc/0x170
[  102.025070][ T5326]  do_syscall_64+0x14d/0xf80
[  102.027317][ T5326]  ? trace_irq_disable+0x3b/0x150
[  102.029930][ T5326]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  102.032571][ T5326]  ? clear_bhb_loop+0x40/0x90
[  102.034706][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  102.037525][ T5326] RIP: 0033:0x7ff37d19c799
[  102.039904][ T5326] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  102.049022][ T5326] RSP: 002b:00007ff37e0c3fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  102.053096][ T5326] RAX: ffffffffffffffda RBX: 00007ff37d415fa0 RCX: 00007ff37d19c799
[  102.057987][ T5326] RDX: 00002000000000c0 RSI: 00000000c03064ca RDI: 0000000000000008
[  102.061427][ T5326] RBP: 00007ff37d232c99 R08: 0000000000000000 R09: 0000000000000000
[  102.064615][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  102.068046][ T5326] R13: 00007ff37d416038 R14: 00007ff37d415fa0 R15: 00007fff47baae38
[  102.072077][ T5326]  </TASK>
[  102.074384][ T5326] Kernel Offset: disabled
[  102.076883][ T5326] Rebooting in 86400 seconds..