program:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000200)={0x58, 0x2, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_TYPENAME={0x11, 0x3, 'hash:net,net\x00'}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_TIMEOUT={0x8, 0x6, 0x0}]}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}]}, 0x58}}, 0x0) (async)
r1 = syz_open_dev$dri(&(0x7f0000000340), 0x2, 0xc8d03)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r1, 0xc00864bf, &(0x7f0000000000)={<r2=>0x0})
ioctl$DRM_IOCTL_SYNCOBJ_TIMELINE_SIGNAL(r1, 0xc01864cd, &(0x7f0000000180)={&(0x7f0000000080)=[r2], 0x0, 0x1}) (async)
r3 = syz_open_dev$usbfs(&(0x7f0000000180), 0x205, 0x2581)
r4 = fcntl$dupfd(r3, 0x0, r3)
ioctl$FIONCLEX(r3, 0x5450) (async, rerun: 64)
ioctl$USBDEVFS_SUBMITURB(r4, 0x8038550a, &(0x7f0000000000)=@urb_type_control={0x2, {0x4}, 0x7, 0x40, 0x0, 0x0, 0x7fff, 0x10000003, 0x0, 0x5, 0x42a9, 0x0}) (async, rerun: 64)
ioctl$KVM_CAP_HYPERV_ENLIGHTENED_VMCS(r4, 0x4068aea3, &(0x7f0000000380)={0xa3, 0x0, &(0x7f0000000280)})
ioctl$DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD_SYNC_FILE(r1, 0xc01064c1, &(0x7f00000002c0)={r2, 0x1, <r5=>0xffffffffffffffff})
ioctl$DRM_IOCTL_SYNCOBJ_FD_TO_HANDLE_SYNC_FILE(r1, 0xc01064c2, &(0x7f0000000000)={0x0, 0x1, r5}) (async, rerun: 32)
r6 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000140)='/dev/comedi4\x00', 0x2, 0x0) (rerun: 32)
ioctl$COMEDI_INSN(r6, 0x8028640c, &(0x7f0000000000)={0xc000003, 0xf, &(0x7f0000001180)=[0x20, 0x810, 0x8, 0x899d, 0x7fffffff, 0x825, 0x7, 0xd, 0xfffffe01, 0x1, 0x4, 0x2, 0x6, 0x6, 0x0], 0x1, 0x4000005}) (async)
perf_event_open(&(0x7f0000001100)={0x5, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, @perf_bp={0x0, 0x4}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffc}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000100)={0x5, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x410, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffc0, 0x3, @perf_bp={&(0x7f0000000300), 0x4}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) (async, rerun: 64)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc) (rerun: 64)
setresuid(0xee01, 0xee00, 0x0) (async)
keyctl$session_to_parent(0x12) (async, rerun: 64)
sendmsg$IPSET_CMD_CREATE(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f00000005c0)={0x50, 0x2, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x15, 0x3, 'hash:ip,port,net\x00'}]}, 0x50}}, 0x0) (async, rerun: 64)
r8 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
fsetxattr$security_capability(r8, &(0x7f0000000400), &(0x7f0000000440)=@v1={0x1000000, [{0x2, 0x3}]}, 0xc, 0x1) (async)
r9 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_ADD(r9, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000300)={0x60, 0x9, 0x6, 0x3, 0x0, 0x0, {0x5, 0x0, 0x40}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x38, 0x7, 0x0, 0x1, [@IPSET_ATTR_PORT={0x6, 0x4, 0x1, 0x0, 0x4e21}, @IPSET_ATTR_PROTO={0x5, 0x7, 0xff}, @IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @private=0xe0004000}}, @IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @multicast2}}, @IPSET_ATTR_IP2={0xc, 0x14, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @broadcast}}]}]}, 0x60}, 0x1, 0x0, 0x0, 0x10004893}, 0x80) (async)
r10 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_LIST(r10, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)={0x1c, 0x7, 0x6, 0x801, 0x0, 0x0, {0xa, 0x0, 0x4}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000005}, 0x80)
read(r10, &(0x7f0000000140)=""/250, 0xfa) (async)
syz_open_procfs$namespace(0x0, &(0x7f0000000300)='ns/ipc\x00')
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
socket$netlink(0x10, 0x3, 0x13)

[  100.586691][ T5302] Bluetooth: hci0: command tx timeout
[  100.713030][ T5325] ------------[ cut here ]------------
[  100.717015][ T5325] 1
[  100.717030][ T5325] WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x2d1/0x380, CPU#0: syz.0.0/5325
[  100.723999][ T5325] Modules linked in:
[  100.725802][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  100.730700][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  100.737397][ T5325] RIP: 0010:__alloc_frozen_pages_noprof+0x2d1/0x380
[  100.740621][ T5325] Code: 74 10 4c 89 e7 89 54 24 0c e8 1b 4b 0e 00 8b 54 24 0c 49 83 3c 24 00 0f 85 a8 fe ff ff e9 a9 fe ff ff c6 05 d5 80 d8 0d 01 90 <0f> 0b 90 e9 17 ff ff ff a9 00 00 08 00 48 8b 4c 24 10 4c 8d 44 24
[  100.750472][ T5325] RSP: 0018:ffffc9000f717920 EFLAGS: 00010246
[  100.753202][ T5325] RAX: ffffc9000f717900 RBX: 0000000000000014 RCX: 0000000000000000
[  100.756641][ T5325] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000f717988
[  100.760764][ T5325] RBP: ffffc9000f717a18 R08: ffffc9000f717987 R09: 0000000000000000
[  100.764818][ T5325] R10: ffffc9000f717960 R11: fffff52001ee2f31 R12: 0000000000000000
[  100.768437][ T5325] R13: 1ffff92001ee2f28 R14: 0000000000040cc0 R15: dffffc0000000000
[  100.772120][ T5325] FS:  00007fdeb54f66c0(0000) GS:ffff88808ca55000(0000) knlGS:0000000000000000
[  100.776320][ T5325] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  100.778978][ T5325] CR2: 00007fdeb54d4ff8 CR3: 000000001ed04000 CR4: 0000000000352ef0
[  100.782297][ T5325] Call Trace:
[  100.783747][ T5325]  <TASK>
[  100.785017][ T5325]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[  100.787902][ T5325]  ? __pfx_policy_nodemask+0x10/0x10
[  100.790707][ T5325]  alloc_pages_mpol+0x232/0x4a0
[  100.792932][ T5325]  ___kmalloc_large_node+0x4e/0x150
[  100.795521][ T5325]  __kmalloc_large_node_noprof+0x18/0x90
[  100.797964][ T5325]  __kmalloc_noprof+0x3e8/0x760
[  100.800466][ T5325]  ? drm_syncobj_array_find+0x3a/0x440
[  100.803003][ T5325]  drm_syncobj_array_find+0x3a/0x440
[  100.805315][ T5325]  drm_syncobj_timeline_signal_ioctl+0x165/0x8a0
[  100.808162][ T5325]  ? drm_dev_exit+0x3a/0x60
[  100.810373][ T5325]  drm_ioctl_kernel+0x2df/0x3b0
[  100.812559][ T5325]  ? __pfx_drm_syncobj_timeline_signal_ioctl+0x10/0x10
[  100.816130][ T5325]  ? __pfx_drm_ioctl_kernel+0x10/0x10
[  100.818441][ T5325]  drm_ioctl+0x6ba/0xb80
[  100.820589][ T5325]  ? __pfx_drm_syncobj_timeline_signal_ioctl+0x10/0x10
[  100.823877][ T5325]  ? __pfx_drm_ioctl+0x10/0x10
[  100.826849][ T5325]  ? __fget_files+0x2a/0x420
[  100.829761][ T5325]  ? bpf_lsm_file_ioctl+0x9/0x20
[  100.831950][ T5325]  ? __pfx_drm_ioctl+0x10/0x10
[  100.833987][ T5325]  __se_sys_ioctl+0xfc/0x170
[  100.835972][ T5325]  do_syscall_64+0x14d/0xf80
[  100.837881][ T5325]  ? trace_irq_disable+0x3b/0x150
[  100.840152][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  100.842976][ T5325]  ? clear_bhb_loop+0x40/0x90
[  100.845968][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  100.849300][ T5325] RIP: 0033:0x7fdeb459c799
[  100.851426][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  100.860379][ T5325] RSP: 002b:00007fdeb54f5fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  100.864399][ T5325] RAX: ffffffffffffffda RBX: 00007fdeb4815fa0 RCX: 00007fdeb459c799
[  100.868161][ T5325] RDX: 0000200000000180 RSI: 00000000c01864cd RDI: 0000000000000004
[  100.871708][ T5325] RBP: 00007fdeb4632c99 R08: 0000000000000000 R09: 0000000000000000
[  100.875717][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  100.880886][ T5325] R13: 00007fdeb4816038 R14: 00007fdeb4815fa0 R15: 00007ffd59284c78
[  100.884265][ T5325]  </TASK>
[  100.885599][ T5325] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  100.888703][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  100.893125][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  100.898164][ T5325] Call Trace:
[  100.899536][ T5325]  <TASK>
[  100.900816][ T5325]  vpanic+0x56c/0xa60
[  100.902563][ T5325]  ? __pfx__printk+0x10/0x10
[  100.904666][ T5325]  ? __pfx_vpanic+0x10/0x10
[  100.907228][ T5325]  ? is_bpf_text_address+0x292/0x2b0
[  100.910151][ T5325]  ? is_bpf_text_address+0x26/0x2b0
[  100.912579][ T5325]  panic+0xc5/0xd0
[  100.914302][ T5325]  ? __pfx_panic+0x10/0x10
[  100.916386][ T5325]  __warn+0x315/0x4f0
[  100.918165][ T5325]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  100.920996][ T5325]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  100.924209][ T5325]  __report_bug+0x29a/0x540
[  100.926482][ T5325]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  100.929084][ T5325]  ? __pfx___report_bug+0x10/0x10
[  100.931234][ T5325]  ? is_bpf_text_address+0x292/0x2b0
[  100.933588][ T5325]  ? is_bpf_text_address+0x26/0x2b0
[  100.935885][ T5325]  ? kernel_text_address+0xa5/0xe0
[  100.938205][ T5325]  ? __kernel_text_address+0xd/0x30
[  100.940383][ T5325]  ? unwind_get_return_address+0x4d/0x90
[  100.943198][ T5325]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  100.946276][ T5325]  report_bug+0x16a/0x220
[  100.948281][ T5325]  ? __alloc_frozen_pages_noprof+0x2d1/0x380
[  100.950888][ T5325]  ? __alloc_frozen_pages_noprof+0x2d3/0x380
[  100.953431][ T5325]  handle_bug+0x9c/0x200
[  100.955405][ T5325]  exc_invalid_op+0x1a/0x50
[  100.957885][ T5325]  asm_exc_invalid_op+0x1a/0x20
[  100.960261][ T5325] RIP: 0010:__alloc_frozen_pages_noprof+0x2d1/0x380
[  100.963255][ T5325] Code: 74 10 4c 89 e7 89 54 24 0c e8 1b 4b 0e 00 8b 54 24 0c 49 83 3c 24 00 0f 85 a8 fe ff ff e9 a9 fe ff ff c6 05 d5 80 d8 0d 01 90 <0f> 0b 90 e9 17 ff ff ff a9 00 00 08 00 48 8b 4c 24 10 4c 8d 44 24
[  100.972130][ T5325] RSP: 0018:ffffc9000f717920 EFLAGS: 00010246
[  100.974965][ T5325] RAX: ffffc9000f717900 RBX: 0000000000000014 RCX: 0000000000000000
[  100.978487][ T5325] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000f717988
[  100.982407][ T5325] RBP: ffffc9000f717a18 R08: ffffc9000f717987 R09: 0000000000000000
[  100.986719][ T5325] R10: ffffc9000f717960 R11: fffff52001ee2f31 R12: 0000000000000000
[  100.990140][ T5325] R13: 1ffff92001ee2f28 R14: 0000000000040cc0 R15: dffffc0000000000
[  100.993477][ T5325]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[  100.997948][ T5325]  ? __pfx_policy_nodemask+0x10/0x10
[  101.000404][ T5325]  alloc_pages_mpol+0x232/0x4a0
[  101.002649][ T5325]  ___kmalloc_large_node+0x4e/0x150
[  101.004956][ T5325]  __kmalloc_large_node_noprof+0x18/0x90
[  101.007788][ T5325]  __kmalloc_noprof+0x3e8/0x760
[  101.010072][ T5325]  ? drm_syncobj_array_find+0x3a/0x440
[  101.012523][ T5325]  drm_syncobj_array_find+0x3a/0x440
[  101.014848][ T5325]  drm_syncobj_timeline_signal_ioctl+0x165/0x8a0
[  101.018333][ T5325]  ? drm_dev_exit+0x3a/0x60
[  101.020860][ T5325]  drm_ioctl_kernel+0x2df/0x3b0
[  101.023110][ T5325]  ? __pfx_drm_syncobj_timeline_signal_ioctl+0x10/0x10
[  101.026185][ T5325]  ? __pfx_drm_ioctl_kernel+0x10/0x10
[  101.028656][ T5325]  drm_ioctl+0x6ba/0xb80
[  101.030553][ T5325]  ? __pfx_drm_syncobj_timeline_signal_ioctl+0x10/0x10
[  101.033622][ T5325]  ? __pfx_drm_ioctl+0x10/0x10
[  101.035743][ T5325]  ? __fget_files+0x2a/0x420
[  101.037696][ T5325]  ? bpf_lsm_file_ioctl+0x9/0x20
[  101.039898][ T5325]  ? __pfx_drm_ioctl+0x10/0x10
[  101.042008][ T5325]  __se_sys_ioctl+0xfc/0x170
[  101.044082][ T5325]  do_syscall_64+0x14d/0xf80
[  101.046230][ T5325]  ? trace_irq_disable+0x3b/0x150
[  101.048548][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.051317][ T5325]  ? clear_bhb_loop+0x40/0x90
[  101.053398][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.056003][ T5325] RIP: 0033:0x7fdeb459c799
[  101.058263][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  101.066964][ T5325] RSP: 002b:00007fdeb54f5fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  101.070498][ T5325] RAX: ffffffffffffffda RBX: 00007fdeb4815fa0 RCX: 00007fdeb459c799
[  101.074584][ T5325] RDX: 0000200000000180 RSI: 00000000c01864cd RDI: 0000000000000004
[  101.078389][ T5325] RBP: 00007fdeb4632c99 R08: 0000000000000000 R09: 0000000000000000
[  101.082060][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  101.086481][ T5325] R13: 00007fdeb4816038 R14: 00007fdeb4815fa0 R15: 00007ffd59284c78
[  101.090470][ T5325]  </TASK>
[  101.092288][ T5325] Kernel Offset: disabled
[  101.094137][ T5325] Rebooting in 86400 seconds..