Extracting prog: 30.566207788s
Minimizing prog: 6m0.974749455s
Simplifying prog options: 0s
Extracting C: 58.901246565s
Simplifying C: 6m45.00182543s
extracting reproducer from 30 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-syz_mount_image$exfat-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r1, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
syz_mount_image$exfat(&(0x7f00000000c0), &(0x7f0000000000)='./bus\x00', 0x4001, &(0x7f0000001880)=ANY=[@ANYRES16=0x0, @ANYBLOB="9225d243116e6792e85958ebfd4aaf892be9a73c24ece0370566f7d1bfddc526977d0008129b7c7d539027ee914e09fbc46ebc2cde3ab1c3fab3ca211f0723d6eab699b5612eed8feaa299058757ab96138f318696c3c2c09612476438959d9b7c8ac1719ab2fa9072ac5ad702878934573ba71b2eb9e97c3937bc812f8648331309de44f5bf6cf37e09d44db9d48ec1a748df2e56f4d4c9f52dd0b53ec313006c80e2f37310b4f6e483846d5a891a", @ANYRESHEX, @ANYRESHEX, @ANYRES16], 0x0, 0x151c, &(0x7f0000000300)="$eJzs3HuYjlXbMPB1rrUuxjTpbpLNsM51XtxpsEySZJOQTZIkSZJdQtIkSUJiyC5pSEK2k2QzhGQzjUljv99knzR5pEmSkJBkfYeevlfP1/M+fc/39j7e75nzdxzrmHXe13Wu+1xzzjH3dV1/3N/0HFWvRf3azYhI/JfAX3+kCCFihBDDhBDXCCECIUSl+Erxl44XUJDyX3sT9ud6MP1KV8CuJO5/3sb9z9u4/3kb9z9v4/7nbdz/vI37n7dx/xnLy7bPKXYtj7w7+Pl/Xsaf//9GcstP/mJj+et7/RMp3P+8jfuft3H/8zbuf97G/c/buP///mr9g2Pc/7yN+89YXvYfz4IveO//BzyP5vGvHVf6748xxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGWN5wzl+mhRC/Tklf6cIYY4wxxhhjjDH2p/H5//icU/+KQhhjjDHGGGOMMfbfCIQUSmgR5N/36yux4ioRJ64WBcU1IiKuFfHiOlFIXC8KiyKiqCgmEkRxUUIYgcIKEqEoKUqJqLhBlBY3ikRRRpQV5YQT5UWSuElUEDeLiuIWUUncKiqL20QVUVVUE9XF7aKGuEPUFLVEbXGnqCPqinqivrhLNBB3i4biHtFI3Csai/tEE3G/aCoeEM3Eg6K5eEi0EA+LluIR0Uq0Fm1EW9Hu/yn/BdFXvCj6if4iRQwQA8VLYpAYLIaIoWKYeFkMF6+IEeJVkSpGilHiNTFavC7GiDfEWDFOjBdvigliopgkJospYqpIE2+JaeJtMV28I2aImWKWmC3SxRwxV7wr5on5YoF4TywU74tFYrFYIpaKDPGByBTLRJb4UCwXH4lssUKsFKvEarFGrBXrxHqxQWwUm8RmsUVsFdvEdvGx2CF2il1it9gj9op94hOxX3wqDojPRI74/J/MP/t/5PcCAQIkSNCgIR/kgxiIgViIhTiIg4JQECIQgXiIh0JQCApDYSgKRSEBEqAElAAEBAKCklASohCF0lAaEiERykJZcOAgCZKgAtwMFaEiVIJKUBkqQxWoClWhOlSHGlADakJNqA21oQ7UgXpQD+6Cu+BuaAgNoRE0gsbQGJpAE2gKTaEZNIPm0BxaQAtoCS2hFbSCNtAG2kE7aA/toQN0gE7QCTpDZ+gCXSAZkqErdIVu0A26Q3foAT2gJ/SEXtAbesML8AK8CC9Cf6gjB8BAGAiDYBAMgaEwFF6G4fAKvAKvQiqMhFHwGrwGr8MYOANjYRyMh/FQQ06ESTAZSE6FNEiDaTANpsN0mAEzYSbMhnSYA3NhLsyD+TAf3oOF8D68D4thMSyFDMiATFgGWZAFy+EsZMMKWAmrYDWsgdWwDtbDOtgIm2AjbIEtsA22wcfwMeyEnbAbdsNe2AufwCfwKXwKqZADOXAQDsIhOASH4TDkQi4cgSNwFI7CMTgGx+E4nICTcApOwmk4DWfgLJyDc3AezsMFeC7hq+Z7y2xIFfISLbXMJ/PJGBkjY2WsjJNxsqAsKCMyIuNlvCwkC8nCsrAsKovKBJkgS8gSEiVKkqEsKUvKqIzK0rK0TJSJsqwsK510MkkmyQqygqwoK8pK8lZZWd4mq8iqsqOrLqvLGrKTqylrydqytqwj68p6sr6sLxvIBrKhbCgbyUaysWwsm8j7ZVM5AIbAg/JSZ1rIkdBSjoJWsrVsI9vK1+FR2V6OgQ6yo+wkH5fjYCx0ke1dsnxKdpWToJt8Rk6GZ2UPORV6yudlL9lb9pEvyL6yg+sn+8sZMEAOlLNhkBwsh8ihch7UlZc6Vk++KlPlSDlKviaXwutyjHxDjpXj5Hj5ppwgJ8pJcrKcIqfKNPmWnCbfltPlO3KGnClnydkyXc6Rc+W7cp6cLxfI9+RC+b5cJBfLJXKpzJAfyEy5TGbJD+Vy+ZHMlivkSrlKrpZr5Fq5Tq6XG+RGuUlullvkVrlNbpcfyx1yp9wld8s9cq/cJz+R++Wn8oD8TObIz+VB+Rd5SH4hD8svZa78Sh6RX8uj8ht5TH4rj8vv5Al5Up6S38vT8gd5Rp6V5+SP8rz8SV6QP8uL0kuhQEmllFaByqfyqxhVQMWqq1SculoVVNeoiLpWxavrVCF1vSqsiqiiqphKUMVVCWUUKqtIhaqkKqWi6gZVWt2oElUZVVaVU06VV0nqJlVB3awqqltUJXWrqqxuU1VUVVVNVVe3qxrqDlVT1VK11Z2qjqqr6qn66i7VQN2tGqp7VCN1r2qs7lNN1P2qqXpANVMPqubqIdVCPaxaqkdUK9VatVFtVTv1qGqvHlMdVEfVST2uOqsnVBf1pEpWT6mu6mnVTT2juqtnVQ/1nOqpnle9VG/VR/2sLiqv+qn+KkUNUAPVS2qQGqyGqKFqmHpZDVevqBHqVZWqRqpR6jU1Wr2uxqg31Fg1To1Xb6oJaqKapCarKWqqSlNvqWnqbTVdvaNmqJlqlpqt0tUcNeTXlRb8X+S//XfyR/zy7tvUdvWx2qF2ql1qt9qj9qp9ap/ar/arA+qAylE56qA6qA6pQ+qwOqxyVa46oo6oo+qoOqaOqePquDqhTqof1ffqtPpBnVFn1Vn1ozqvzqsLv/4OhAYttdJaBzqfzq9jdAEdq6/ScfpqXVBfoyP6Wh2vr9OF9PW6sC6ii+piOkEX1yW00ajtBe+9LqlL6ai+QZfWN+pEXUaX1eW00+V1kr7pj/I16fAf5v9Rfe10O91et9cddAfdSXfSnXVn3UV30ck6WXfVXXU33U131911D91D99Q9dS/dS/fRfXRf3Vf30/10ik7RA/VLepAerIfooXqYflkP18P1CD1Cp+pUPUqP0qP1aD1Gj9Fj9Vg9Xo/XE/QEPUlP0lP0FJ2m0/Q0PU1P19P1DD1Dz9KzdLpO13P1XD1Pz9ML9AK9UC/Ui/QivUQv0Rk6Q2fqTJ2ls/RyvVxn6xV6hV6lV+k1eo1ep9fpDXqD3qQ36S16i87W2/V2vUPv0Lv0Lr1H79H79D69X+/XB/QBnaNz9EF9UB/Sh/RhfVjn6lx9RB/RR/VRfUwf08f1cX1Cn9Cn9Cl9Wp/WZ/QZfU6f0+f1eX1BX9AX9UUtAhHIQAY60EG+IF8QE8QEsUFsEBfEBQWDgkEkiATxQXxQKLg+KBwUCYoGxYKEoHhQIjABBjagIAxKBqWCaHBDUDq4MUgMygRlg3KBC8oHScFNQYXg5qBicEtQKbg1qBzcFlQJqgbVgurB7UGN4I6gZlArqB3cGdQJ6gb1gvrBXUGD4O6gYXBP0Ci4N2gc3Bc0Ce4PmgYPBM2CB4PmwUNBi+DhoGXwSNAqaB20CdoG7f7U9b0/U+Qx18/0NylmgBloXjKDzGAzxAw1w8zLZrh5xYwwr5pUM9KMMq+Z0eZ1M8a8YcaacWa8edNMMBPNJDPZTDFTTZp5y0wzb5vp5h0zw8w0s8xsk27mmLnmXTPPzDcLzHtmoXnfLDKLzRKz1GSYD0ymWWayzIdmufnIZJsVZqVZZVabNWatWWfWmw1mo9lkNpstZqvZZrabj80Os9PsMrvNHrPX7DOfmP3mU3PAfGZyzOfmoPmLOWS+MIfNlybXfGWOmK/NUfONOWa+NcfNd+aEOWlOme/NafODOWPOmnPmR3Pe/GQumJ/NReMvXdxf+nhHjRrzYT6MwRiMxViMwzgsiAUxghGMx3gshIWwMBbGolgUEzABS2AJvISQsCSWxChGsTSWxkRMxLJYFh06TMIkrIAVsCJWxEpYCStjZayCVbAaVsPb8Xa8A+/AWlgL78Q7sS7WxfpYHxtgA2yIDbERNsLG2BibYBNsik2xGTbD5tgcW2ALbIktsRW2wjbYBtthO2yP7bEDdsBO2Ak7Y2fsgl0wGZOxK3bFbtgNu2N37IE9sCf2xF7YC/tgH+yLfbEf9sMUTMGBOBAH4SAcgkNwGA7D4TgcR+AITMVUHIWjcDSOxjE4BsfiOByPb+IEnIiTcDJOwamYhmk4DafhdJyOM3AGzsJZmI7pOBfn4jychwtwAS7EhbgIF+ESXIIZmIGZmIlZmIXLcTlmYzauxJW4GlfjWlyL63E9bsSNuBk341bcittxO+7AHbgLd+Ee3IP7cB/ux/14AA9gDubgQTyIh/AQHsbDmIu5eASP4FE8isfwGB7H43gCT+ApPIWn8TSewTN4Ds/hefwJL+DPeBE9xlgpYu1VNs5ebQvaa2yMLWB/Gxe1xWyCLW5LWGML2yJ/E6O1NtGWsWVtOetseZtkb/pdXMVWtdVsdXu7rWHvsDV/Fzewd9uG9h7byN5r69u7/iZubO+zTezDtql9xDazrW1z29a2sA/blvYR28q2tm1sW9vZPmG72Cdtsn3KdrVP/y7OtMvservBbrSb7H77qT1nf7RH7Tf2vP3J9rP97TD7sh1uX7Ej7Ks21Y78XTzevmkn2Il2kp1sp9ipv4tn2dk23c6xc+27dp6d/7s4w35gF9osu8gutkvs0l/iSzVl2Q/tcvuRzbYr7Eq7yq62a+xau+4/al1lt9itdpvdZz+xO+xOu8vutnvs3l/iS/s4YD+zOfZze8R+bQ/ZL+xhe8zm2q9+iS/t75j91h6339kT9qQ9Zb+3p+0P9ow9+8v+L+39e/uzvWi9FQQkSZGmgPJRfoqhAhRLV1EcXU0F6RqK0LUUT9dRIbqeClMRKkrFKIGKUwkyhGSJKKSSVIqidAOVphspkcpQWSpHjspTEt1EFehmqki3UCW6lSrTbVSFqlI1qk63Uw26g2pSLapNd1Idqkv1qD7dRQ3obmpI91Ajupca033UhO6npvQANaMHqTk9RC3oYWpJj1Arak1tqC21o0epPT1GHagjdaLHqTM9QV3oSUqmp6grPU3d6BnqTs9SD3qOetLz1It6Ux96gfrSi9SP+lMKDaCB9BINosE0hIbSMHqZhtMrNIJepVQaSaPoNRpNr9MYeoPG0jgaT2/SBJpIk2gyTaGplEZv0TR6m6bTOzSDZtIsmk3pNIfm0rs0j+bTAnqPFtL7tIgW0xJaShn0AWXSMsqiD2k5fUTZtIJW0ipaTWtoLa2j9bSBNtIm2kxbaCtto+30Me2gnbSLdtMe2kv76BPaT5/SAfqMcuhzOkh/oUP0BR2mLymXvqIj9DUdpW/oGH1Lx+k7OkEn6RR9T6fpBzpDZ+kc/Ujn6Se6QD/TRfIkQghlqEIdBmG+MH8YExYIY8Orwrjw6rBgeE0YCa8N48PrwkLh9WHhsEhYNCwWJoTFwxKhCTG0IYVhWDIsFUbDG8LS4Y1hYlgmLBuWC11YPkwKbworhDeHFcNbwkrhrWHl8LawSlg1fPje6uHtYY3wjrBmWCusHd4Z1gnrhvXC+uFdYYPw7rBheE/YKLw3rBjeFzYJ7w+bhg+EzcIHw+bhQ2GL8OGwZfhI2CpsHbYJ24btwkfD9uFjYYewY9gpfDzsHD4RdgmfDJPDp8Ku4dN/eDwlHBAODF8KXwq9v0ctiS6NZkQ/iGZGl0Wzoh9Gl0c/imZHV0RXRldFV0fXRNdG10XXRzdEN0Y3RTdHt0S3RrdFva+fXzhw0imnXeDyufwuxhVwse4qF+eudgXdNS7irnXx7jpXyF3vCrsirqgr5hJccVfCGYfOOnKhK+lKuai7wZV2N7pEV8aVdeWcc+Vdkmvr2rl2rr17zHVwHV0n97h73D3hnnBPuifdU66re9p1c8+47u5Z18M9555zz7terrfr415wfd2Lrp/r71JcihvoBrpBbpAb4oa4YW6YG+6GuxFuhEt1qW6UG+VGu9FujBvjxrqxbrwb7ya4CW6Sm+SmuCkuzaW5aW6am+6muxluhpvlZrl0l+7murlunpvnFrgFbmHiQrfILXJL3BKX4TJcpst0WS7LLXfLXbbLdivdSrfarXZr3Vq33q13G91Gt9ltdlvdVrfdbXc73A63y+1ye9wet8/tc/vdfnfAHXA5LscddAfdIXfIHXZfulz3lTvivnZH3TfumPvWHXffuRPupDvlvnen3Q/ujMvvzrkf3Xn3k7vgfnYXnXdpkbci0yJvR6ZH3onMiMyMzIrMjqRH5kTmRt6NzIvMjyyIvBdZGHk/siiyOLIksjSSEfkgkhlZFsmKfBhZHvkokh1ZEVkZWRVZHVkT8b74jtCX9KV81N/gS/sbfaIv48v6ct758j7J3+Qr+Jt9RX+Lr+Rv9ZX9bb6Kr+qr+Ud8K9/at/FtfTv/qG/vH/MdfEffyT/uO/snfBf/pE/2T/mu/mnfzT/ju/tnfQ//nO/pn/e9fG/fx7/g+/oXfT/f36f4AX6gf8kP8oP9ED/UD/Mv++H+FT/Cv+pT/Ug/yr/mR/vX/Rj/hh/rx/nx/k0/wU/0k/xkP8VP9Wn+LT/Nv+2n+3f8DD/Tz/Kzfbqf4+f6d/08P98v8O/5hf59v8gv9kv8Up/hP/CZfpnP8h/65f4jn+1X+JV+lV/t1/i1fp1f7zf4jX6T3+y3+K1+m9/uP/Y7/E6/y+/2e/xev89/4vf7T/0B/5nP8Z/7g/4v/pD/wh/2X/pc/5U/4r/2R/03/pj/1h/33/kT/qQ/5b/3p/0P/ow/68/5H/15/5O/4H/2F733V/hBOmOMMcbY/xf+6KJpwN95Tf46LhkohLh6Z7Hc3x7XQojNhf86HywTOkeEEE/17/ng/x516qSkpPx6brYSQanFQojI5fx84nK8QnQST4hk0VFU+Lv1DZa9z9M/WB9OeB+9VYjY3+TEiMvx5fVv/k/Wf/Tx8ZmVw3Pxf7v+hV+vNy/VH10sRGKpyzkFxOX48voV/5P1i7T/R/VnK1HgizQhOvwmJ05cji+vnyQeE0+L5L85kzHGGGOMMcYY+6vBslr3P7j//OX+POE3XwiYX1yO/+j+nDHGGGOMMcYYY1fes737PPlocnLH7jzhCU/+OyYF/meU8c9OrvR/JsYYY4wxxtif7fJF/5WuhDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYy7v+FV8ndqX3yBhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjF1p/ysAAP//Rz1IWg==")
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, &(0x7f0000000300)="0f4f53")
program crashed: KASAN: use-after-free Write in pppol2tp_release
single: successfully extracted reproducer
found reproducer with 5 syscalls
minimizing guilty program
testing program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-syz_mount_image$exfat
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r1, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
syz_mount_image$exfat(&(0x7f00000000c0), &(0x7f0000000000)='./bus\x00', 0x4001, &(0x7f0000001880)=ANY=[@ANYRES16=0x0, @ANYBLOB="9225d243116e6792e85958ebfd4aaf892be9a73c24ece0370566f7d1bfddc526977d0008129b7c7d539027ee914e09fbc46ebc2cde3ab1c3fab3ca211f0723d6eab699b5612eed8feaa299058757ab96138f318696c3c2c09612476438959d9b7c8ac1719ab2fa9072ac5ad702878934573ba71b2eb9e97c3937bc812f8648331309de44f5bf6cf37e09d44db9d48ec1a748df2e56f4d4c9f52dd0b53ec313006c80e2f37310b4f6e483846d5a891a", @ANYRESHEX, @ANYRESHEX, @ANYRES16], 0x0, 0x151c, &(0x7f0000000300)="$eJzs3HuYjlXbMPB1rrUuxjTpbpLNsM51XtxpsEySZJOQTZIkSZJdQtIkSUJiyC5pSEK2k2QzhGQzjUljv99knzR5pEmSkJBkfYeevlfP1/M+fc/39j7e75nzdxzrmHXe13Wu+1xzzjH3dV1/3N/0HFWvRf3azYhI/JfAX3+kCCFihBDDhBDXCCECIUSl+Erxl44XUJDyX3sT9ud6MP1KV8CuJO5/3sb9z9u4/3kb9z9v4/7nbdz/vI37n7dx/xnLy7bPKXYtj7w7+Pl/Xsaf//9GcstP/mJj+et7/RMp3P+8jfuft3H/8zbuf97G/c/buP///mr9g2Pc/7yN+89YXvYfz4IveO//BzyP5vGvHVf6748xxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGWN5wzl+mhRC/Tklf6cIYY4wxxhhjjDH2p/H5//icU/+KQhhjjDHGGGOMMfbfCIQUSmgR5N/36yux4ioRJ64WBcU1IiKuFfHiOlFIXC8KiyKiqCgmEkRxUUIYgcIKEqEoKUqJqLhBlBY3ikRRRpQV5YQT5UWSuElUEDeLiuIWUUncKiqL20QVUVVUE9XF7aKGuEPUFLVEbXGnqCPqinqivrhLNBB3i4biHtFI3Csai/tEE3G/aCoeEM3Eg6K5eEi0EA+LluIR0Uq0Fm1EW9Hu/yn/BdFXvCj6if4iRQwQA8VLYpAYLIaIoWKYeFkMF6+IEeJVkSpGilHiNTFavC7GiDfEWDFOjBdvigliopgkJospYqpIE2+JaeJtMV28I2aImWKWmC3SxRwxV7wr5on5YoF4TywU74tFYrFYIpaKDPGByBTLRJb4UCwXH4lssUKsFKvEarFGrBXrxHqxQWwUm8RmsUVsFdvEdvGx2CF2il1it9gj9op94hOxX3wqDojPRI74/J/MP/t/5PcCAQIkSNCgIR/kgxiIgViIhTiIg4JQECIQgXiIh0JQCApDYSgKRSEBEqAElAAEBAKCklASohCF0lAaEiERykJZcOAgCZKgAtwMFaEiVIJKUBkqQxWoClWhOlSHGlADakJNqA21oQ7UgXpQD+6Cu+BuaAgNoRE0gsbQGJpAE2gKTaEZNIPm0BxaQAtoCS2hFbSCNtAG2kE7aA/toQN0gE7QCTpDZ+gCXSAZkqErdIVu0A26Q3foAT2gJ/SEXtAbesML8AK8CC9Cf6gjB8BAGAiDYBAMgaEwFF6G4fAKvAKvQiqMhFHwGrwGr8MYOANjYRyMh/FQQ06ESTAZSE6FNEiDaTANpsN0mAEzYSbMhnSYA3NhLsyD+TAf3oOF8D68D4thMSyFDMiATFgGWZAFy+EsZMMKWAmrYDWsgdWwDtbDOtgIm2AjbIEtsA22wcfwMeyEnbAbdsNe2AufwCfwKXwKqZADOXAQDsIhOASH4TDkQi4cgSNwFI7CMTgGx+E4nICTcApOwmk4DWfgLJyDc3AezsMFeC7hq+Z7y2xIFfISLbXMJ/PJGBkjY2WsjJNxsqAsKCMyIuNlvCwkC8nCsrAsKovKBJkgS8gSEiVKkqEsKUvKqIzK0rK0TJSJsqwsK510MkkmyQqygqwoK8pK8lZZWd4mq8iqsqOrLqvLGrKTqylrydqytqwj68p6sr6sLxvIBrKhbCgbyUaysWwsm8j7ZVM5AIbAg/JSZ1rIkdBSjoJWsrVsI9vK1+FR2V6OgQ6yo+wkH5fjYCx0ke1dsnxKdpWToJt8Rk6GZ2UPORV6yudlL9lb9pEvyL6yg+sn+8sZMEAOlLNhkBwsh8ihch7UlZc6Vk++KlPlSDlKviaXwutyjHxDjpXj5Hj5ppwgJ8pJcrKcIqfKNPmWnCbfltPlO3KGnClnydkyXc6Rc+W7cp6cLxfI9+RC+b5cJBfLJXKpzJAfyEy5TGbJD+Vy+ZHMlivkSrlKrpZr5Fq5Tq6XG+RGuUlullvkVrlNbpcfyx1yp9wld8s9cq/cJz+R++Wn8oD8TObIz+VB+Rd5SH4hD8svZa78Sh6RX8uj8ht5TH4rj8vv5Al5Up6S38vT8gd5Rp6V5+SP8rz8SV6QP8uL0kuhQEmllFaByqfyqxhVQMWqq1SculoVVNeoiLpWxavrVCF1vSqsiqiiqphKUMVVCWUUKqtIhaqkKqWi6gZVWt2oElUZVVaVU06VV0nqJlVB3awqqltUJXWrqqxuU1VUVVVNVVe3qxrqDlVT1VK11Z2qjqqr6qn66i7VQN2tGqp7VCN1r2qs7lNN1P2qqXpANVMPqubqIdVCPaxaqkdUK9VatVFtVTv1qGqvHlMdVEfVST2uOqsnVBf1pEpWT6mu6mnVTT2juqtnVQ/1nOqpnle9VG/VR/2sLiqv+qn+KkUNUAPVS2qQGqyGqKFqmHpZDVevqBHqVZWqRqpR6jU1Wr2uxqg31Fg1To1Xb6oJaqKapCarKWqqSlNvqWnqbTVdvaNmqJlqlpqt0tUcNeTXlRb8X+S//XfyR/zy7tvUdvWx2qF2ql1qt9qj9qp9ap/ar/arA+qAylE56qA6qA6pQ+qwOqxyVa46oo6oo+qoOqaOqePquDqhTqof1ffqtPpBnVFn1Vn1ozqvzqsLv/4OhAYttdJaBzqfzq9jdAEdq6/ScfpqXVBfoyP6Wh2vr9OF9PW6sC6ii+piOkEX1yW00ajtBe+9LqlL6ai+QZfWN+pEXUaX1eW00+V1kr7pj/I16fAf5v9Rfe10O91et9cddAfdSXfSnXVn3UV30ck6WXfVXXU33U131911D91D99Q9dS/dS/fRfXRf3Vf30/10ik7RA/VLepAerIfooXqYflkP18P1CD1Cp+pUPUqP0qP1aD1Gj9Fj9Vg9Xo/XE/QEPUlP0lP0FJ2m0/Q0PU1P19P1DD1Dz9KzdLpO13P1XD1Pz9ML9AK9UC/Ui/QivUQv0Rk6Q2fqTJ2ls/RyvVxn6xV6hV6lV+k1eo1ep9fpDXqD3qQ36S16i87W2/V2vUPv0Lv0Lr1H79H79D69X+/XB/QBnaNz9EF9UB/Sh/RhfVjn6lx9RB/RR/VRfUwf08f1cX1Cn9Cn9Cl9Wp/WZ/QZfU6f0+f1eX1BX9AX9UUtAhHIQAY60EG+IF8QE8QEsUFsEBfEBQWDgkEkiATxQXxQKLg+KBwUCYoGxYKEoHhQIjABBjagIAxKBqWCaHBDUDq4MUgMygRlg3KBC8oHScFNQYXg5qBicEtQKbg1qBzcFlQJqgbVgurB7UGN4I6gZlArqB3cGdQJ6gb1gvrBXUGD4O6gYXBP0Ci4N2gc3Bc0Ce4PmgYPBM2CB4PmwUNBi+DhoGXwSNAqaB20CdoG7f7U9b0/U+Qx18/0NylmgBloXjKDzGAzxAw1w8zLZrh5xYwwr5pUM9KMMq+Z0eZ1M8a8YcaacWa8edNMMBPNJDPZTDFTTZp5y0wzb5vp5h0zw8w0s8xsk27mmLnmXTPPzDcLzHtmoXnfLDKLzRKz1GSYD0ymWWayzIdmufnIZJsVZqVZZVabNWatWWfWmw1mo9lkNpstZqvZZrabj80Os9PsMrvNHrPX7DOfmP3mU3PAfGZyzOfmoPmLOWS+MIfNlybXfGWOmK/NUfONOWa+NcfNd+aEOWlOme/NafODOWPOmnPmR3Pe/GQumJ/NReMvXdxf+nhHjRrzYT6MwRiMxViMwzgsiAUxghGMx3gshIWwMBbGolgUEzABS2AJvISQsCSWxChGsTSWxkRMxLJYFh06TMIkrIAVsCJWxEpYCStjZayCVbAaVsPb8Xa8A+/AWlgL78Q7sS7WxfpYHxtgA2yIDbERNsLG2BibYBNsik2xGTbD5tgcW2ALbIktsRW2wjbYBtthO2yP7bEDdsBO2Ak7Y2fsgl0wGZOxK3bFbtgNu2N37IE9sCf2xF7YC/tgH+yLfbEf9sMUTMGBOBAH4SAcgkNwGA7D4TgcR+AITMVUHIWjcDSOxjE4BsfiOByPb+IEnIiTcDJOwamYhmk4DafhdJyOM3AGzsJZmI7pOBfn4jychwtwAS7EhbgIF+ESXIIZmIGZmIlZmIXLcTlmYzauxJW4GlfjWlyL63E9bsSNuBk341bcittxO+7AHbgLd+Ee3IP7cB/ux/14AA9gDubgQTyIh/AQHsbDmIu5eASP4FE8isfwGB7H43gCT+ApPIWn8TSewTN4Ds/hefwJL+DPeBE9xlgpYu1VNs5ebQvaa2yMLWB/Gxe1xWyCLW5LWGML2yJ/E6O1NtGWsWVtOetseZtkb/pdXMVWtdVsdXu7rWHvsDV/Fzewd9uG9h7byN5r69u7/iZubO+zTezDtql9xDazrW1z29a2sA/blvYR28q2tm1sW9vZPmG72Cdtsn3KdrVP/y7OtMvservBbrSb7H77qT1nf7RH7Tf2vP3J9rP97TD7sh1uX7Ej7Ks21Y78XTzevmkn2Il2kp1sp9ipv4tn2dk23c6xc+27dp6d/7s4w35gF9osu8gutkvs0l/iSzVl2Q/tcvuRzbYr7Eq7yq62a+xau+4/al1lt9itdpvdZz+xO+xOu8vutnvs3l/iS/s4YD+zOfZze8R+bQ/ZL+xhe8zm2q9+iS/t75j91h6339kT9qQ9Zb+3p+0P9ow9+8v+L+39e/uzvWi9FQQkSZGmgPJRfoqhAhRLV1EcXU0F6RqK0LUUT9dRIbqeClMRKkrFKIGKUwkyhGSJKKSSVIqidAOVphspkcpQWSpHjspTEt1EFehmqki3UCW6lSrTbVSFqlI1qk63Uw26g2pSLapNd1Idqkv1qD7dRQ3obmpI91Ajupca033UhO6npvQANaMHqTk9RC3oYWpJj1Arak1tqC21o0epPT1GHagjdaLHqTM9QV3oSUqmp6grPU3d6BnqTs9SD3qOetLz1It6Ux96gfrSi9SP+lMKDaCB9BINosE0hIbSMHqZhtMrNIJepVQaSaPoNRpNr9MYeoPG0jgaT2/SBJpIk2gyTaGplEZv0TR6m6bTOzSDZtIsmk3pNIfm0rs0j+bTAnqPFtL7tIgW0xJaShn0AWXSMsqiD2k5fUTZtIJW0ipaTWtoLa2j9bSBNtIm2kxbaCtto+30Me2gnbSLdtMe2kv76BPaT5/SAfqMcuhzOkh/oUP0BR2mLymXvqIj9DUdpW/oGH1Lx+k7OkEn6RR9T6fpBzpDZ+kc/Ujn6Se6QD/TRfIkQghlqEIdBmG+MH8YExYIY8Orwrjw6rBgeE0YCa8N48PrwkLh9WHhsEhYNCwWJoTFwxKhCTG0IYVhWDIsFUbDG8LS4Y1hYlgmLBuWC11YPkwKbworhDeHFcNbwkrhrWHl8LawSlg1fPje6uHtYY3wjrBmWCusHd4Z1gnrhvXC+uFdYYPw7rBheE/YKLw3rBjeFzYJ7w+bhg+EzcIHw+bhQ2GL8OGwZfhI2CpsHbYJ24btwkfD9uFjYYewY9gpfDzsHD4RdgmfDJPDp8Ku4dN/eDwlHBAODF8KXwq9v0ctiS6NZkQ/iGZGl0Wzoh9Gl0c/imZHV0RXRldFV0fXRNdG10XXRzdEN0Y3RTdHt0S3RrdFva+fXzhw0imnXeDyufwuxhVwse4qF+eudgXdNS7irnXx7jpXyF3vCrsirqgr5hJccVfCGYfOOnKhK+lKuai7wZV2N7pEV8aVdeWcc+Vdkmvr2rl2rr17zHVwHV0n97h73D3hnnBPuifdU66re9p1c8+47u5Z18M9555zz7terrfr415wfd2Lrp/r71JcihvoBrpBbpAb4oa4YW6YG+6GuxFuhEt1qW6UG+VGu9FujBvjxrqxbrwb7ya4CW6Sm+SmuCkuzaW5aW6am+6muxluhpvlZrl0l+7murlunpvnFrgFbmHiQrfILXJL3BKX4TJcpst0WS7LLXfLXbbLdivdSrfarXZr3Vq33q13G91Gt9ltdlvdVrfdbXc73A63y+1ye9wet8/tc/vdfnfAHXA5LscddAfdIXfIHXZfulz3lTvivnZH3TfumPvWHXffuRPupDvlvnen3Q/ujMvvzrkf3Xn3k7vgfnYXnXdpkbci0yJvR6ZH3onMiMyMzIrMjqRH5kTmRt6NzIvMjyyIvBdZGHk/siiyOLIksjSSEfkgkhlZFsmKfBhZHvkokh1ZEVkZWRVZHVkT8b74jtCX9KV81N/gS/sbfaIv48v6ct758j7J3+Qr+Jt9RX+Lr+Rv9ZX9bb6Kr+qr+Ud8K9/at/FtfTv/qG/vH/MdfEffyT/uO/snfBf/pE/2T/mu/mnfzT/ju/tnfQ//nO/pn/e9fG/fx7/g+/oXfT/f36f4AX6gf8kP8oP9ED/UD/Mv++H+FT/Cv+pT/Ug/yr/mR/vX/Rj/hh/rx/nx/k0/wU/0k/xkP8VP9Wn+LT/Nv+2n+3f8DD/Tz/Kzfbqf4+f6d/08P98v8O/5hf59v8gv9kv8Up/hP/CZfpnP8h/65f4jn+1X+JV+lV/t1/i1fp1f7zf4jX6T3+y3+K1+m9/uP/Y7/E6/y+/2e/xev89/4vf7T/0B/5nP8Z/7g/4v/pD/wh/2X/pc/5U/4r/2R/03/pj/1h/33/kT/qQ/5b/3p/0P/ow/68/5H/15/5O/4H/2F733V/hBOmOMMcbY/xf+6KJpwN95Tf46LhkohLh6Z7Hc3x7XQojNhf86HywTOkeEEE/17/ng/x516qSkpPx6brYSQanFQojI5fx84nK8QnQST4hk0VFU+Lv1DZa9z9M/WB9OeB+9VYjY3+TEiMvx5fVv/k/Wf/Tx8ZmVw3Pxf7v+hV+vNy/VH10sRGKpyzkFxOX48voV/5P1i7T/R/VnK1HgizQhOvwmJ05cji+vnyQeE0+L5L85kzHGGGOMMcYY+6vBslr3P7j//OX+POE3XwiYX1yO/+j+nDHGGGOMMcYYY1fes737PPlocnLH7jzhCU/+OyYF/meU8c9OrvR/JsYYY4wxxtif7fJF/5WuhDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYy7v+FV8ndqX3yBhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjF1p/ysAAP//Rz1IWg==")
program did not crash
testing program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r1, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, &(0x7f0000000300)="0f4f53")
program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue
testing program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, &(0x7f0000000300)="0f4f53")
program did not crash
testing program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, &(0x7f0000000300)="0f4f53")
program did not crash
testing program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r0, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
ioctl$PPPIOCGL2TPSTATS(0xffffffffffffffff, 0x80487436, &(0x7f0000000300)="0f4f53")
program did not crash
testing program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, 0x0, 0x0)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, &(0x7f0000000300)="0f4f53")
program did not crash
testing program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r1, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, 0x0)
program crashed: KASAN: use-after-free Write in pppol2tp_release
extracting C reproducer
testing compiled C program (duration=33.231557722s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
simplifying C reproducer
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
a never seen crash title: KASAN: use-after-free Read in pppol2tp_sock_to_session, ignore
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
a never seen crash title: KASAN: use-after-free Read in pppol2tp_sock_to_session, ignore
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r1, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, 0x0)
program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
testing program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r1, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, 0x0)
program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
testing program (duration=33.231557722s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCGL2TPSTATS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tp={0x18, 0x1, {0x0, r1, {0x2, 0x4e24, @broadcast}, 0x2, 0x0, 0x3}}, 0x26)
ioctl$PPPIOCGL2TPSTATS(r0, 0x80487436, 0x0)
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
validation run: crashed=true
reproducing took 16m34.039194818s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156
Read of size 4 at addr ffff88812c584800 by task syz.2.17/375
CPU: 0 PID: 375 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x71/0x200 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:420
kasan_report+0x122/0x150 mm/kasan/report.c:524
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156
pppol2tp_release+0x16c/0x2d0 net/l2tp/l2tp_ppp.c:434
__sock_release net/socket.c:652 [inline]
sock_close+0xf1/0x290 net/socket.c:1389
__fput+0x1fc/0x8f0 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x1e1/0x250 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f3cd919ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc0a97528 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffc0a97610 RCX: 00007f3cd919ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000075f7 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33120000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3cd9415fac R14: 00007f3cd9415fa8 R15: 00007f3cd9415fa0
Allocated by task 375:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:380 [inline]
__kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:212 [inline]
__do_kmalloc_node mm/slab_common.c:938 [inline]
__kmalloc+0xb1/0x1e0 mm/slab_common.c:951
kmalloc include/linux/slab.h:568 [inline]
kzalloc include/linux/slab.h:699 [inline]
l2tp_session_create+0x38/0xbe0 net/l2tp/l2tp_core.c:1609
pppol2tp_connect+0xbef/0x1620 net/l2tp/l2tp_ppp.c:771
__sys_connect_file net/socket.c:2000 [inline]
__sys_connect+0x3da/0x460 net/socket.c:2017
__do_sys_connect net/socket.c:2027 [inline]
__se_sys_connect net/socket.c:2024 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2024
x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Freed by task 43:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
____kasan_slab_free+0x132/0x180 mm/kasan/common.c:242
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:250
kasan_slab_free include/linux/kasan.h:178 [inline]
slab_free_hook mm/slub.c:1750 [inline]
slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
slab_free mm/slub.c:3712 [inline]
__kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
kfree+0x6f/0xf0 mm/slab_common.c:990
l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193
l2tp_session_delete+0x3f0/0x4e0 net/l2tp/l2tp_core.c:1582
l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1228 [inline]
l2tp_tunnel_del_work+0x1a1/0x410 net/l2tp/l2tp_core.c:1266
process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
worker_thread+0xa29/0x11e0 kernel/workqueue.c:2449
kthread+0x281/0x320 kernel/kthread.c:386
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the object at ffff88812c584800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff88812c584800, ffff88812c584a00)
The buggy address belongs to the physical page:
page:ffffea0004b16100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c584
head:ffffea0004b16100 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 370, tgid 370 (syz-executor), ts 30214517177, free_ts 29372673653
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2672
prep_new_page+0x1c/0x110 mm/page_alloc.c:2679
get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4585
__alloc_pages+0x1fa/0x610 mm/page_alloc.c:5929
alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
allocate_slab mm/slub.c:1967 [inline]
new_slab+0x98/0x3d0 mm/slub.c:2020
___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
__slab_alloc+0x5e/0xa0 mm/slub.c:3263
slab_alloc_node mm/slub.c:3348 [inline]
__kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
__do_kmalloc_node mm/slab_common.c:937 [inline]
__kmalloc_node+0xa1/0x1e0 mm/slab_common.c:945
kmalloc_node include/linux/slab.h:589 [inline]
kzalloc_node include/linux/slab.h:710 [inline]
qdisc_alloc+0x79/0x780 net/sched/sch_generic.c:951
qdisc_create_dflt+0x6b/0x3b0 net/sched/sch_generic.c:1009
attach_one_default_qdisc net/sched/sch_generic.c:1172 [inline]
netdev_for_each_tx_queue include/linux/netdevice.h:2504 [inline]
attach_default_qdiscs net/sched/sch_generic.c:1190 [inline]
dev_activate+0x2cf/0x1040 net/sched/sch_generic.c:1249
__dev_open+0x40e/0x520 net/core/dev.c:1518
__dev_change_flags+0x21e/0x6b0 net/core/dev.c:8692
dev_change_flags+0x88/0x1a0 net/core/dev.c:8763
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1580 [inline]
free_pcp_prepare mm/page_alloc.c:1654 [inline]
free_unref_page_prepare+0x7f8/0x800 mm/page_alloc.c:3620
free_unref_page+0x95/0x540 mm/page_alloc.c:3718
free_the_page mm/page_alloc.c:863 [inline]
__free_pages+0x67/0x100 mm/page_alloc.c:6019
__vunmap+0x9c0/0xb80 mm/vmalloc.c:2739
__vfree mm/vmalloc.c:2788 [inline]
vfree+0x61/0x90 mm/vmalloc.c:2819
kcov_put kernel/kcov.c:437 [inline]
kcov_close+0x2b/0x50 kernel/kcov.c:533
__fput+0x1fc/0x8f0 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x1e1/0x250 kernel/task_work.c:203
exit_task_work include/linux/task_work.h:39 [inline]
do_exit+0xa35/0x2660 kernel/exit.c:886
do_group_exit+0x225/0x2e0 kernel/exit.c:1029
get_signal+0x13b5/0x1520 kernel/signal.c:2891
arch_do_signal_or_restart+0xd1/0x1140 arch/x86/kernel/signal.c:871
exit_to_user_mode_loop+0x7a/0xb0 kernel/entry/common.c:174
exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
Memory state around the buggy address:
ffff88812c584700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88812c584780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812c584800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88812c584880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812c584900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
WARNING: CPU: 0 PID: 375 at net/l2tp/l2tp_ppp.c:156 pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156
Modules linked in:
CPU: 0 PID: 375 Comm: syz.2.17 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156
Code: 5d c3 e8 ac 91 d4 fc be 02 00 00 00 eb 0a e8 a0 91 d4 fc be 01 00 00 00 4c 89 f7 e8 c3 50 cc fd e9 0f ff ff ff e8 89 91 d4 fc <0f> 0b 48 89 df e8 ff 00 00 00 eb bd e8 78 91 d4 fc 4c 89 f7 be 03
RSP: 0018:ffffc90000967c98 EFLAGS: 00010293
RAX: ffffffff849cebf7 RBX: ffff888114b1d000 RCX: ffff888114228000
RDX: 0000000000000000 RSI: 00000000297119c0 RDI: 000000000c04eb7d
RBP: ffffc90000967cb8 R08: ffffffff87b767e7 R09: 1ffffffff0f6ecfc
R10: dffffc0000000000 R11: fffffbfff0f6ecfd R12: dffffc0000000000
R13: 1ffff1102466507b R14: 00000000297119c0 R15: ffff88812c584800
FS: 00005555706a7500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000012da34000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
pppol2tp_release+0x16c/0x2d0 net/l2tp/l2tp_ppp.c:434
__sock_release net/socket.c:652 [inline]
sock_close+0xf1/0x290 net/socket.c:1389
__fput+0x1fc/0x8f0 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x1e1/0x250 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f3cd919ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc0a97528 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffc0a97610 RCX: 00007f3cd919ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000075f7 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33120000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3cd9415fac R14: 00007f3cd9415fa8 R15: 00007f3cd9415fa0
---[ end trace 0000000000000000 ]---
final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156
Read of size 4 at addr ffff88812c584800 by task syz.2.17/375
CPU: 0 PID: 375 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
print_address_description+0x71/0x200 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:420
kasan_report+0x122/0x150 mm/kasan/report.c:524
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156
pppol2tp_release+0x16c/0x2d0 net/l2tp/l2tp_ppp.c:434
__sock_release net/socket.c:652 [inline]
sock_close+0xf1/0x290 net/socket.c:1389
__fput+0x1fc/0x8f0 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x1e1/0x250 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f3cd919ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc0a97528 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffc0a97610 RCX: 00007f3cd919ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000075f7 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33120000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3cd9415fac R14: 00007f3cd9415fa8 R15: 00007f3cd9415fa0
Allocated by task 375:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:380 [inline]
__kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:212 [inline]
__do_kmalloc_node mm/slab_common.c:938 [inline]
__kmalloc+0xb1/0x1e0 mm/slab_common.c:951
kmalloc include/linux/slab.h:568 [inline]
kzalloc include/linux/slab.h:699 [inline]
l2tp_session_create+0x38/0xbe0 net/l2tp/l2tp_core.c:1609
pppol2tp_connect+0xbef/0x1620 net/l2tp/l2tp_ppp.c:771
__sys_connect_file net/socket.c:2000 [inline]
__sys_connect+0x3da/0x460 net/socket.c:2017
__do_sys_connect net/socket.c:2027 [inline]
__se_sys_connect net/socket.c:2024 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2024
x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Freed by task 43:
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
____kasan_slab_free+0x132/0x180 mm/kasan/common.c:242
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:250
kasan_slab_free include/linux/kasan.h:178 [inline]
slab_free_hook mm/slub.c:1750 [inline]
slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
slab_free mm/slub.c:3712 [inline]
__kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
kfree+0x6f/0xf0 mm/slab_common.c:990
l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193
l2tp_session_delete+0x3f0/0x4e0 net/l2tp/l2tp_core.c:1582
l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1228 [inline]
l2tp_tunnel_del_work+0x1a1/0x410 net/l2tp/l2tp_core.c:1266
process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
worker_thread+0xa29/0x11e0 kernel/workqueue.c:2449
kthread+0x281/0x320 kernel/kthread.c:386
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the object at ffff88812c584800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
512-byte region [ffff88812c584800, ffff88812c584a00)
The buggy address belongs to the physical page:
page:ffffea0004b16100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c584
head:ffffea0004b16100 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 370, tgid 370 (syz-executor), ts 30214517177, free_ts 29372673653
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2672
prep_new_page+0x1c/0x110 mm/page_alloc.c:2679
get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4585
__alloc_pages+0x1fa/0x610 mm/page_alloc.c:5929
alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
allocate_slab mm/slub.c:1967 [inline]
new_slab+0x98/0x3d0 mm/slub.c:2020
___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
__slab_alloc+0x5e/0xa0 mm/slub.c:3263
slab_alloc_node mm/slub.c:3348 [inline]
__kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
__do_kmalloc_node mm/slab_common.c:937 [inline]
__kmalloc_node+0xa1/0x1e0 mm/slab_common.c:945
kmalloc_node include/linux/slab.h:589 [inline]
kzalloc_node include/linux/slab.h:710 [inline]
qdisc_alloc+0x79/0x780 net/sched/sch_generic.c:951
qdisc_create_dflt+0x6b/0x3b0 net/sched/sch_generic.c:1009
attach_one_default_qdisc net/sched/sch_generic.c:1172 [inline]
netdev_for_each_tx_queue include/linux/netdevice.h:2504 [inline]
attach_default_qdiscs net/sched/sch_generic.c:1190 [inline]
dev_activate+0x2cf/0x1040 net/sched/sch_generic.c:1249
__dev_open+0x40e/0x520 net/core/dev.c:1518
__dev_change_flags+0x21e/0x6b0 net/core/dev.c:8692
dev_change_flags+0x88/0x1a0 net/core/dev.c:8763
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1580 [inline]
free_pcp_prepare mm/page_alloc.c:1654 [inline]
free_unref_page_prepare+0x7f8/0x800 mm/page_alloc.c:3620
free_unref_page+0x95/0x540 mm/page_alloc.c:3718
free_the_page mm/page_alloc.c:863 [inline]
__free_pages+0x67/0x100 mm/page_alloc.c:6019
__vunmap+0x9c0/0xb80 mm/vmalloc.c:2739
__vfree mm/vmalloc.c:2788 [inline]
vfree+0x61/0x90 mm/vmalloc.c:2819
kcov_put kernel/kcov.c:437 [inline]
kcov_close+0x2b/0x50 kernel/kcov.c:533
__fput+0x1fc/0x8f0 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x1e1/0x250 kernel/task_work.c:203
exit_task_work include/linux/task_work.h:39 [inline]
do_exit+0xa35/0x2660 kernel/exit.c:886
do_group_exit+0x225/0x2e0 kernel/exit.c:1029
get_signal+0x13b5/0x1520 kernel/signal.c:2891
arch_do_signal_or_restart+0xd1/0x1140 arch/x86/kernel/signal.c:871
exit_to_user_mode_loop+0x7a/0xb0 kernel/entry/common.c:174
exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
Memory state around the buggy address:
ffff88812c584700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88812c584780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812c584800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88812c584880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812c584900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
WARNING: CPU: 0 PID: 375 at net/l2tp/l2tp_ppp.c:156 pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156
Modules linked in:
CPU: 0 PID: 375 Comm: syz.2.17 Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156
Code: 5d c3 e8 ac 91 d4 fc be 02 00 00 00 eb 0a e8 a0 91 d4 fc be 01 00 00 00 4c 89 f7 e8 c3 50 cc fd e9 0f ff ff ff e8 89 91 d4 fc <0f> 0b 48 89 df e8 ff 00 00 00 eb bd e8 78 91 d4 fc 4c 89 f7 be 03
RSP: 0018:ffffc90000967c98 EFLAGS: 00010293
RAX: ffffffff849cebf7 RBX: ffff888114b1d000 RCX: ffff888114228000
RDX: 0000000000000000 RSI: 00000000297119c0 RDI: 000000000c04eb7d
RBP: ffffc90000967cb8 R08: ffffffff87b767e7 R09: 1ffffffff0f6ecfc
R10: dffffc0000000000 R11: fffffbfff0f6ecfd R12: dffffc0000000000
R13: 1ffff1102466507b R14: 00000000297119c0 R15: ffff88812c584800
FS: 00005555706a7500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000012da34000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
pppol2tp_release+0x16c/0x2d0 net/l2tp/l2tp_ppp.c:434
__sock_release net/socket.c:652 [inline]
sock_close+0xf1/0x290 net/socket.c:1389
__fput+0x1fc/0x8f0 fs/file_table.c:320
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x1e1/0x250 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f3cd919ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc0a97528 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffc0a97610 RCX: 00007f3cd919ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000075f7 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33120000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3cd9415fac R14: 00007f3cd9415fa8 R15: 00007f3cd9415fa0
---[ end trace 0000000000000000 ]---