last executing test programs: 1.33557343s ago: executing program 1 (id=2): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x2) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe5000/0x18000)=nil, &(0x7f00000001c0)=[@text64={0x40, 0x0}], 0x1, 0x4e, 0x0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f00000000c0)=[@text16={0x10, &(0x7f0000000000)="0f080fae04a200400f01c426660f3a15e6160fc76bdbf08666350f2170260fed9c000066b9230b00000f32", 0x2b}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) 1.266464355s ago: executing program 3 (id=5): r0 = syz_open_dev$usbfs(&(0x7f0000000180), 0x205, 0x2581) r1 = fcntl$dupfd(r0, 0x0, r0) fsopen(&(0x7f0000000000)='cgroup2\x00', 0x0) mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1) ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000000)=@urb_type_interrupt={0x1, {0x7, 0x1}, 0x5, 0xf4, 0x0, 0x0, 0xdd72, 0xb8, 0x0, 0x3, 0x760, 0x0}) 1.266325604s ago: executing program 2 (id=3): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x28100, 0x0) unshare(0x22020600) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, 0x0) 1.260589265s ago: executing program 3 (id=6): close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x5509, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x2400, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000040), 0x40000) ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r2, 0xc0145401, &(0x7f00000000c0)={0x0, 0x2, 0x1, 0x0, 0xbbcb}) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000040)={0x1, 0x3, 0x6000, 0x2000, &(0x7f0000fa3000/0x2000)=nil}) ioctl$KVM_CREATE_DEVICE(r1, 0xc018aec0, &(0x7f00000000c0)={0x1}) 1.215176407s ago: executing program 2 (id=7): r0 = socket$inet6(0xa, 0x80003, 0x6) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in6=@remote, @in6=@dev, 0x0, 0xfffd, 0x0, 0x1, 0xa, 0x0, 0x80}, {0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x7fffffff, 0x8000000000000000}, {0x1, 0x4, 0x1, 0xa78c}, 0xfffffffe, 0x0, 0x1}, {{@in6=@rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', 0x0, 0x33}, 0x0, @in=@rand_addr=0x64010101, 0x0, 0x3, 0x1, 0x7}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0x0) 1.150328041s ago: executing program 2 (id=8): r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000440)={0x0, 0xfffffffc, 0xffdffff8, 0xffffffff, 0x7, "ff0000bb719b98fb73e53a0000000600"}) syz_open_pts(r0, 0x0) 1.149728661s ago: executing program 2 (id=9): r0 = openat$kvm(0xffffff9c, &(0x7f00000000c0), 0x800, 0x0) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0xc008ae88, &(0x7f0000000000)={0x1, 0x0, [{0xf88e470f, 0xed}]}) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r2, &(0x7f0000000040)=[{&(0x7f0000000200)="580000001400192340834b80040d8c560a0677bc45ff810500000000000058000b480400945f64009400050028925a01000000000000008000f0fffeffe80900", 0x40}], 0x1) rt_sigtimedwait(&(0x7f0000000000)={[0xe]}, 0x0, 0x0, 0x8) pipe2(0x0, 0x80000) sendmsg$IPSET_CMD_ADD(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000004c0)=ANY=[], 0x144}, 0x1, 0x0, 0x0, 0x40015}, 0x44080) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x2, 0x9, 0xfffffffffffffffd, 0x2, 0x2, 0x0, 0x4002004c4, 0x1004, 0x8000000000000000, 0xc595, 0x0, 0x1, 0xffffffffffffffff, 0x2000000000000000, 0xb3, 0x8d], 0xeeee8000, 0x2010d3}) openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) setsockopt$SO_TIMESTAMPING(0xffffffffffffffff, 0x1, 0x41, &(0x7f00000001c0)=0x4500, 0x4) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) ioctl$KVM_RUN(r3, 0xae80, 0x0) 1.149351302s ago: executing program 0 (id=10): openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x101042, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0x207) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000000), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='./file0/file1\x00', 0x20400, 0x20) lseek(r0, 0x2, 0x0) 1.090531595s ago: executing program 0 (id=11): prlimit64(0x0, 0xe, &(0x7f0000000240)={0x8, 0x248}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = getpid() sched_setaffinity(0x0, 0x4c, &(0x7f00000002c0)=0x2) sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0xffffe000) socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f0000000840)=@abs={0x0, 0x0, 0x4e20}, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x3fffffffffffeda, 0x2, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r4, &(0x7f00000001c0)=[{{0x0, 0x0, &(0x7f0000000200)=[{&(0x7f00000007c0)='1', 0x1}], 0x1, &(0x7f0000000880)=[@rights={{0x14, 0x1, 0x1, [r4]}}], 0x18, 0x40054}}], 0x1, 0x4) readv(r3, &(0x7f0000000040)=[{&(0x7f00000000c0)=""/134, 0x86}], 0x1) 1.074716686s ago: executing program 3 (id=12): r0 = socket$packet(0x11, 0x3, 0x300) ioctl$SIOCGSTAMPNS(r0, 0x8907, 0x0) ioctl$ifreq_SIOCGIFINDEX_wireguard(r0, 0x8933, 0x0) read(r0, &(0x7f0000000000)=""/149, 0xaa) 1.052860307s ago: executing program 3 (id=13): r0 = socket(0x1, 0x5, 0x0) close(0x3) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$xdp(0x2c, 0x3, 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000), 0x101000, 0x800, 0x3, 0x1}, 0x20) setsockopt$XDP_RX_RING(r0, 0x11b, 0x2, &(0x7f0000000040)=0x400, 0x4) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'veth1_to_batadv\x00', 0x0}) setsockopt$XDP_UMEM_COMPLETION_RING(r1, 0x11b, 0x6, &(0x7f0000000180)=0x20, 0x4) setsockopt$XDP_UMEM_FILL_RING(r1, 0x11b, 0x5, &(0x7f0000000140)=0x4000, 0x4) bind$xdp(r1, &(0x7f00000001c0)={0x2c, 0x8, r3}, 0x10) r4 = epoll_create1(0x80000) epoll_ctl$EPOLL_CTL_ADD(r4, 0x1, r0, &(0x7f0000000500)={0xe000200c}) 337.060259ms ago: executing program 1 (id=14): r0 = openat$rtc(0xffffffffffffff9c, &(0x7f0000000280), 0x8080, 0x0) readv(r0, &(0x7f0000000240)=[{&(0x7f0000000040)=""/6, 0x6}, {0x0}], 0x2) 336.7901ms ago: executing program 1 (id=15): r0 = syz_open_dev$usbfs(&(0x7f00000000c0), 0x204, 0x40002) mmap(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x1000002, 0x11012, r0, 0x10c000) syz_open_dev$usbfs(&(0x7f0000000000), 0x80000000, 0x200203) syz_clone(0x0, 0x0, 0x9, 0x0, 0x0, 0x0) 175.294359ms ago: executing program 1 (id=16): r0 = socket$inet6(0xa, 0x3, 0x5) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f00000000c0)={@rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x800, 0x0, 0x2, 0x9}, 0x20) setsockopt$inet6_int(r0, 0x29, 0x1000000000021, &(0x7f0000000000)=0xffffffc3, 0x4) sendmmsg(r0, &(0x7f0000001500)=[{{&(0x7f0000000180)=@l2tp6={0xa, 0x500, 0x80000, @remote, 0x0, 0x3}, 0x80, 0x0}, 0x5b4}, {{&(0x7f0000000040)=@l2tp6={0xa, 0x0, 0x7080000, @ipv4={'\x00', '\xff\xff', @loopback}, 0xfffffff8, 0x2}, 0x80, 0x0, 0x0, &(0x7f00000004c0)=ANY=[], 0x108}}], 0x2, 0xc040) 174.98639ms ago: executing program 1 (id=17): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x200, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000240)='clear_refs\x00') writev(r1, &(0x7f0000000000)=[{&(0x7f0000000040)='4', 0x1}, {&(0x7f0000000300)="d7a08b", 0x3}], 0x2) 174.831159ms ago: executing program 0 (id=18): r0 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x1) fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0) r1 = fsmount(r0, 0x0, 0x82) fchdir(r1) r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0) write$UHID_CREATE2(r2, &(0x7f0000000180)=ANY=[], 0x118) 154.830181ms ago: executing program 3 (id=19): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_LAPIC(r2, 0x4400ae8f, &(0x7f0000000400)={"2d03c6399f9e7e4cf53e441a7c5acf3219492c17cb93a09cc72ff3585c23cbf7e0474b00d6bf31d7f3302b35166c2e786f941693f5f5c8a56af380d47a339884f8df7b3a2aa7d62c5416b8c6a949ca8993239238d8a0d76cc50aafd356ce0ec538d0ff46cc860970d8378f2e7a18acd63beecd0d000000ff6447d8dfaea86ba97034038abec19fc8f45fbc5ceef049c9aa2667767031b4bd05550ab38b8daa6ca555272812a91d0ae6be9a88cc426f17b2c074cb51733c92ba8cbb589959c3fc48f004b922394788638090998431b08fdd1e09155540d6e3dc673bade10397d380e86948d657d5782ff78c0066a0329eb8c5d9f6cb48fccaaa49f42baf62b8b213bef4ba9326131855be06d3fd3cdb0f36cd444e66cbbd939def344a19c91e57aac0ca95dded0a8fa9ba826358ae8dd940c7b1cac6dc9800001d5009d31282c17b0278eaaa3eb5a4efa250d4e5ca5db1a443ba43918ca9dedaffc2d8f0ee78cb0b8fbdf7aec554802049ec3c72042a0095d14c7b32e32b262657edad4f8dbea8df8e492801efe2854f2fbd367964cb7956c2eac8be4c8e9c91a13152b8e0be80b3e241f08173f714a345f13cd5aa529b9e3b4cb08905fd7a757b29bfb022800d713ae18c59d73973d54fcf5d813304257ded0ac889dd1ce5f7ce95635381082d4e217d1eaadc1a1ce9eb506bc38430cbf199d2b9bfda8114a43411d4b7a69e4078eaef606b3f9eafafb9bfdee3a012944a9664f352884d30a7e1bd9dc9dbeddaf654a81d2d461e24dc097d3b6361dbdb1f2e177c484cfa53488e5c34faf122beaa8524c8e2001648fb1ba1f637a07df9be6cfd1f07ff148ac86fd75adf58bc9d3736298dcfd036c3cce24feecfa2f680b636b61ab4e19940938bc715219cd7abfaa18a8532476d39e20a351f5555059b4cf87888bf0c885db12e62c23484563d70e7704017f0b1bdc77f684b615aaa87431e5d9e1210982027a7e2c974e763bc7ad9c3019f5ecaecb6e16ee4161799d83bcaaf8bba70234dee2713713efa0fd1a2fd249f16de0eb399f376a546bd863827cfa9ebf490c7a0e2a3594784114dbe52797a51198a06ae11ed24168dd9dfe6c8dc6980faef704e3f8cd7c9f338e0e87827fe9fa1338be40428ca27e59f33c352264b341e93e650c295cf56322faaefa5ca780ba8f7afb3055c4d51ef8d1735eb119ea5fc7db7dd53ce2e9f274db9d3b7c53ffb5ce20e4a580dbd3d259cec598c6b814356ee28e08496772ddcd931a03b399a0ec841bbda0745558d4b50f54bc84baa5f98b409e83c5af4e05e0af9f53e9ccd5e531dbe2ca06b71f34ede63303d33c0602f8fbbbc4d84771711b5dbcad1305acfa23c102ef1e8dbc1939f0d89136786128f5d07aa7a000a6fd3f99de807f90029f08500"}) syz_kvm_setup_cpu$x86(r2, r2, &(0x7f0000fe7000/0x18000)=nil, 0x0, 0x0, 0x1, 0x0, 0x0) ioctl$KVM_SET_VCPU_EVENTS(r2, 0x4400ae8f, &(0x7f0000000140)=@x86={0x40, 0x1, 0xc, 0x0, 0x75, 0x0, 0x10, 0x0, 0x0, 0x80, 0x9, 0x0, 0x0, 0x0, 0xfffffff8, 0x0, 0xff, 0xff}) 102.443914ms ago: executing program 0 (id=20): openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x101042, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c8) mkdirat(0xffffffffffffff9c, &(0x7f0000000240)='./file2\x00', 0x207) mount$overlay(0x0, &(0x7f0000000100)='./file0\x00', &(0x7f0000000000), 0x0, &(0x7f00000000c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2) r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='./file0/file1\x00', 0x20400, 0x20) lseek(r0, 0x2, 0x0) 102.204444ms ago: executing program 0 (id=21): r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) ioctl$KVM_IRQ_LINE(r1, 0x4008ae61, &(0x7f0000000180)={0x5820a579, 0x3}) 102.051234ms ago: executing program 1 (id=22): r0 = syz_usb_connect$hid(0x2, 0x36, &(0x7f0000000180)={{0x12, 0x1, 0x111, 0x0, 0x0, 0x0, 0x8, 0x6cb, 0x73f5, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x40, 0x9, [{{0x9, 0x4, 0x0, 0x4, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x2, 0x84, 0x1, {0x22, 0x7}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x5}}}}}]}}]}}, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) 83.132565ms ago: executing program 2 (id=23): fcntl$setlease(0xffffffffffffffff, 0x400, 0x0) setsockopt$inet_mreqsrc(0xffffffffffffffff, 0x0, 0x27, 0x0, 0x0) r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$inet_mreqsrc(r0, 0x0, 0x27, &(0x7f0000000040)={@multicast2, @local, @local}, 0xc) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x0, 0x0) r3 = dup3(r2, r1, 0x0) ioctl$sock_SIOCETHTOOL(0xffffffffffffffff, 0x8946, &(0x7f0000000140)={'veth1\x00', &(0x7f0000000200)=@ethtool_per_queue_op={0x4b, 0xf, [0x801, 0x1, 0x7fff, 0x1, 0x4, 0x8, 0xa4, 0x3, 0x3, 0xb69, 0xc1, 0x4, 0x1, 0x20000003, 0x40000008, 0x5, 0x80000000, 0x9, 0x3, 0xa, 0x1, 0xfffffffd, 0x401, 0x6, 0x9, 0x2, 0x4, 0x2005, 0x7, 0x200, 0x3, 0x8, 0xe, 0x5, 0x100, 0x3, 0x1c00, 0xb, 0x7, 0xbed4, 0x8, 0x8000100, 0x3, 0x0, 0x11003, 0x8, 0x80007, 0xfffffffd, 0x6f, 0x1, 0x7b, 0x3ff, 0xa, 0xfffffffb, 0xf, 0x9, 0xd7, 0x1fa4860a, 0x7, 0xac, 0x8, 0x102, 0x17fffd, 0x7, 0xfffffffd, 0x6, 0x2af, 0xf5, 0xffffffff, 0x2, 0x6, 0x9, 0x4, 0x7, 0x9, 0x1, 0x4, 0x0, 0x91, 0x752, 0x5, 0x4, 0x0, 0x10001, 0x2, 0xfffffffd, 0x6, 0x8, 0x8, 0x8, 0xffffffff, 0x5, 0x2, 0x80, 0xd, 0x5, 0x0, 0x81, 0xfffffff9, 0x5, 0x400, 0x6, 0x22, 0x8, 0x804, 0xdba, 0x800809, 0x40000000, 0x3ff, 0x404, 0x2, 0xfff7fffe, 0x5, 0x38f3, 0x80000000, 0xb59, 0x0, 0x3, 0x4, 0xc801, 0x401, 0x0, 0xd0e, 0x401, 0x1, 0x200, 0xc5d, 0x2]}}) poll(&(0x7f0000000000), 0x20000000000000b5, 0x9) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000003c0)={0x44, 0x0, &(0x7f0000000740)=[@transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0}) 72.887995ms ago: executing program 2 (id=24): r0 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0) ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0) r1 = eventfd(0xfffffff9) ioctl$VHOST_SET_LOG_FD(r0, 0x4004af07, &(0x7f0000000240)=r1) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000140)={0x0, 0x0, 0x0, &(0x7f0000000500)=""/67, 0x0}) ioctl$VHOST_SET_VRING_ADDR(r0, 0x4028af11, &(0x7f0000000280)={0x1, 0x1, 0x0, &(0x7f00000000c0)=""/87, 0x0, 0x100000}) ioctl$VHOST_SET_MEM_TABLE(r0, 0x4008af03, &(0x7f0000000680)) pselect6(0x40, &(0x7f0000000100)={0x6, 0x0, 0x0, 0x5, 0x800, 0x0, 0x0, 0x3ff}, 0x0, &(0x7f0000000240)={0x1f, 0xfffffffffffffffc, 0x2, 0x5, 0x80000, 0x6, 0x40, 0x4}, 0x0, 0x0) ioctl$VHOST_VSOCK_SET_RUNNING(r0, 0x4004af61, &(0x7f0000000000)=0x1) 244.46µs ago: executing program 3 (id=25): io_setup(0x82, &(0x7f0000000240)) madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e) mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil) openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0) madvise(&(0x7f000008f000/0x4000)=nil, 0x4000, 0xa) madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x15) 0s ago: executing program 0 (id=26): mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x1c1) open_tree(0xffffffffffffff9c, 0x0, 0x800) mount$incfs(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='./file0\x00', &(0x7f0000000140), 0x1010040, &(0x7f0000000280)=ANY=[@ANYBLOB='rlog_pages=1832']) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.1.8' (ED25519) to the list of known hosts. [ 20.324790][ T36] audit: type=1400 audit(1769649636.180:64): avc: denied { mounton } for pid=283 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 20.326297][ T283] cgroup: Unknown subsys name 'net' [ 20.347967][ T36] audit: type=1400 audit(1769649636.180:65): avc: denied { mount } for pid=283 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 20.375134][ T36] audit: type=1400 audit(1769649636.210:66): avc: denied { unmount } for pid=283 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 20.375343][ T283] cgroup: Unknown subsys name 'devices' [ 20.524434][ T283] cgroup: Unknown subsys name 'hugetlb' [ 20.530223][ T283] cgroup: Unknown subsys name 'rlimit' [ 20.682495][ T36] audit: type=1400 audit(1769649636.540:67): avc: denied { setattr } for pid=283 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=190 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 20.705906][ T36] audit: type=1400 audit(1769649636.540:68): avc: denied { mounton } for pid=283 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 20.730929][ T36] audit: type=1400 audit(1769649636.540:69): avc: denied { mount } for pid=283 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 20.739793][ T285] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 20.763047][ T36] audit: type=1400 audit(1769649636.620:70): avc: denied { relabelto } for pid=285 comm="mkswap" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.788532][ T36] audit: type=1400 audit(1769649636.620:71): avc: denied { write } for pid=285 comm="mkswap" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.820676][ T36] audit: type=1400 audit(1769649636.670:72): avc: denied { read } for pid=283 comm="syz-executor" name="swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.846546][ T36] audit: type=1400 audit(1769649636.670:73): avc: denied { open } for pid=283 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=2025 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 20.846960][ T283] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 22.082845][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.089950][ T290] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.097170][ T290] bridge_slave_0: entered allmulticast mode [ 22.103744][ T290] bridge_slave_0: entered promiscuous mode [ 22.114923][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.122155][ T290] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.129549][ T290] bridge_slave_1: entered allmulticast mode [ 22.136035][ T290] bridge_slave_1: entered promiscuous mode [ 22.157375][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.164483][ T293] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.171926][ T293] bridge_slave_0: entered allmulticast mode [ 22.178222][ T293] bridge_slave_0: entered promiscuous mode [ 22.187294][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.194409][ T293] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.201646][ T293] bridge_slave_1: entered allmulticast mode [ 22.207991][ T293] bridge_slave_1: entered promiscuous mode [ 22.220912][ T292] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.228047][ T292] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.235300][ T292] bridge_slave_0: entered allmulticast mode [ 22.241622][ T292] bridge_slave_0: entered promiscuous mode [ 22.251528][ T292] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.258663][ T292] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.265858][ T292] bridge_slave_1: entered allmulticast mode [ 22.272273][ T292] bridge_slave_1: entered promiscuous mode [ 22.299147][ T291] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.306344][ T291] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.313453][ T291] bridge_slave_0: entered allmulticast mode [ 22.319727][ T291] bridge_slave_0: entered promiscuous mode [ 22.334191][ T291] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.341246][ T291] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.348679][ T291] bridge_slave_1: entered allmulticast mode [ 22.354991][ T291] bridge_slave_1: entered promiscuous mode [ 22.484221][ T291] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.491379][ T291] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.498735][ T291] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.505832][ T291] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.521257][ T290] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.528358][ T290] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.535625][ T290] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.542674][ T290] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.551482][ T292] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.558640][ T292] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.565912][ T292] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.572952][ T292] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.580995][ T293] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.588213][ T293] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.595457][ T293] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.602484][ T293] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.642439][ T128] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.649736][ T128] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.657871][ T128] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.665286][ T128] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.672613][ T128] bridge0: port 1(bridge_slave_0) entered disabled state [ 22.679966][ T128] bridge0: port 2(bridge_slave_1) entered disabled state [ 22.710355][ T128] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.717871][ T128] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.725562][ T128] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.732672][ T128] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.748995][ T128] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.756061][ T128] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.767568][ T293] veth0_vlan: entered promiscuous mode [ 22.775139][ T128] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.782205][ T128] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.803900][ T128] bridge0: port 1(bridge_slave_0) entered blocking state [ 22.811050][ T128] bridge0: port 1(bridge_slave_0) entered forwarding state [ 22.820987][ T128] bridge0: port 2(bridge_slave_1) entered blocking state [ 22.828150][ T128] bridge0: port 2(bridge_slave_1) entered forwarding state [ 22.839710][ T293] veth1_macvtap: entered promiscuous mode [ 22.886339][ T293] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 22.901433][ T291] veth0_vlan: entered promiscuous mode [ 22.913339][ T290] veth0_vlan: entered promiscuous mode [ 22.922578][ T292] veth0_vlan: entered promiscuous mode [ 22.945485][ T333] kvm_intel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. [ 22.945940][ T290] veth1_macvtap: entered promiscuous mode [ 22.974007][ T291] veth1_macvtap: entered promiscuous mode [ 22.985992][ T292] veth1_macvtap: entered promiscuous mode [ 24.234526][ T379] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=1604996040 (25679936640 ns) > initial count (3919811504 ns). Using initial count to start timer. [ 24.282469][ T387] rust_binder: Transaction failed: BR_FAILED_REPLY { source: ENOENT } my_pid:12 [ 24.372131][ T395] ======================================================= [ 24.372131][ T395] WARNING: The mand mount option has been deprecated and [ 24.372131][ T395] and is ignored by this kernel. Remove the mand [ 24.372131][ T395] option from the mount to silence this warning. [ 24.372131][ T395] ======================================================= [ 24.417360][ T395] ------------[ cut here ]------------ [ 24.422905][ T395] WARNING: CPU: 1 PID: 395 at mm/page_alloc.c:5234 __alloc_pages_noprof+0x109/0x7e0 [ 24.432360][ T395] Modules linked in: [ 24.436292][ T395] CPU: 1 UID: 0 PID: 395 Comm: syz.0.26 Not tainted syzkaller #0 fb5d95c0c59ed9c9506888f7deb6b66e4fe9f746 [ 24.447818][ T395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 [ 24.457961][ T395] RIP: 0010:__alloc_pages_noprof+0x109/0x7e0 [ 24.464056][ T395] Code: 00 0f 1f 44 00 00 83 fb 0b 72 28 b8 00 20 00 00 23 44 24 40 75 1d 80 3d ea a0 0b 06 00 0f 85 c2 00 00 00 c6 05 dd a0 0b 06 01 <0f> 0b 31 c0 e9 b4 00 00 00 83 fb 0a 0f 87 a9 00 00 00 44 8b 64 24 [ 24.483764][ T395] RSP: 0018:ffffc9000b9bf860 EFLAGS: 00010246 [ 24.489848][ T395] RAX: 0000000000000000 RBX: 000000000000000b RCX: 0000000000000000 [ 24.497993][ T395] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc9000b9bf918 [ 24.501870][ T65] usb 2-1: new full-speed USB device number 2 using dummy_hcd [ 24.506037][ T395] RBP: ffffc9000b9bf988 R08: ffffc9000b9bf917 R09: 0000000000000000 [ 24.521610][ T395] R10: ffffc9000b9bf900 R11: fffff52001737f23 R12: ffffc9000b9bf8a0 [ 24.529838][ T395] R13: dffffc0000000000 R14: 1ffff92001737f10 R15: 0000000000000000 [ 24.537882][ T395] FS: 00007fd80028d6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 [ 24.546981][ T395] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 24.553721][ T395] CR2: 0000200000001000 CR3: 0000000110fd0000 CR4: 00000000003526b0 [ 24.561713][ T395] Call Trace: [ 24.565078][ T395] [ 24.568039][ T395] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 24.574259][ T395] ? __cfi___alloc_pages_noprof+0x10/0x10 [ 24.580099][ T395] ? incfs_realloc_mount_info+0xa7/0x4d0 [ 24.585786][ T395] ___kmalloc_large_node+0x81/0x210 [ 24.591103][ T395] ? incfs_realloc_mount_info+0xa7/0x4d0 [ 24.596820][ T395] __kmalloc_large_node_noprof+0x1e/0xd0 [ 24.602545][ T395] ? incfs_realloc_mount_info+0xa7/0x4d0 [ 24.608189][ T395] __kmalloc_noprof+0x326/0x500 [ 24.613123][ T395] ? __cfi_lockref_get+0x10/0x10 [ 24.618076][ T395] incfs_realloc_mount_info+0xa7/0x4d0 [ 24.623567][ T395] ? incfs_add_sysfs_node+0x118/0x230 [ 24.628955][ T395] incfs_alloc_mount_info+0x478/0x5f0 [ 24.634365][ T395] incfs_mount_fs+0x3ca/0x970 [ 24.639077][ T395] ? __cfi_incfs_mount_fs+0x10/0x10 [ 24.644411][ T395] ? vfs_parse_fs_string+0x10f/0x180 [ 24.649738][ T395] ? selinux_capable+0x38/0x50 [ 24.654762][ T395] legacy_get_tree+0x103/0x1b0 [ 24.659642][ T395] ? __cfi_incfs_mount_fs+0x10/0x10 [ 24.664922][ T395] vfs_get_tree+0x9e/0x290 [ 24.669369][ T395] do_new_mount+0x251/0xb30 [ 24.673918][ T395] ? security_capable+0x44/0x130 [ 24.678863][ T395] path_mount+0x682/0x1010 [ 24.683013][ T65] usb 2-1: config 0 interface 0 altsetting 4 endpoint 0x81 has an invalid bInterval 0, changing to 10 [ 24.683395][ T395] __se_sys_mount+0x2bf/0x480 [ 24.695302][ T65] usb 2-1: config 0 interface 0 altsetting 4 endpoint 0x81 has invalid maxpacket 512, setting to 64 [ 24.699505][ T395] ? __x64_sys_mount+0xf0/0xf0 [ 24.699540][ T395] ? __kasan_check_write+0x18/0x20 [ 24.711206][ T65] usb 2-1: config 0 interface 0 has no altsetting 0 [ 24.715384][ T395] ? fpregs_restore_userregs+0x11c/0x260 [ 24.720950][ T65] usb 2-1: New USB device found, idVendor=06cb, idProduct=73f5, bcdDevice= 0.00 [ 24.727146][ T395] __x64_sys_mount+0xc3/0xf0 [ 24.735589][ T65] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 24.741976][ T395] x64_sys_call+0x2021/0x2ee0 [ 24.742016][ T395] do_syscall_64+0x57/0xf0 [ 24.750398][ T65] usb 2-1: config 0 descriptor?? [ 24.754825][ T395] ? clear_bhb_loop+0x50/0xa0 [ 24.760121][ T385] raw-gadget.0 gadget.1: fail, usb_ep_enable returned -22 [ 24.764150][ T395] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 24.786824][ T395] RIP: 0033:0x7fd7ff39aeb9 [ 24.791379][ T395] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 24.811155][ T395] RSP: 002b:00007fd80028d028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 24.819908][ T395] RAX: ffffffffffffffda RBX: 00007fd7ff615fa0 RCX: 00007fd7ff39aeb9 [ 24.827951][ T395] RDX: 0000200000000140 RSI: 0000200000000100 RDI: 00002000000000c0 [ 24.836079][ T395] RBP: 00007fd7ff408c1f R08: 0000200000000280 R09: 0000000000000000 [ 24.844129][ T395] R10: 0000000001010040 R11: 0000000000000246 R12: 0000000000000000 [ 24.852166][ T395] R13: 00007fd7ff616038 R14: 00007fd7ff615fa0 R15: 00007ffe0f4e7708 [ 24.860173][ T395] [ 24.863246][ T395] ---[ end trace 0000000000000000 ]--- [ 24.869228][ T395] incfs: Error allocating mount info. -12 [ 24.875198][ T395] incfs: mount failed -12 [ 25.174788][ T65] usbhid 2-1:0.0: can't add hid device: -71 [ 25.180870][ T65] usbhid 2-1:0.0: probe with driver usbhid failed with error -71 [ 25.192568][ T65] usb 2-1: USB disconnect, device number 2