Extracting prog: 33m10.737348743s
Minimizing prog: 4m4.706715223s
Simplifying prog options: 0s
Extracting C: 23.422837672s
Simplifying C: 2m59.397763707s


extracting reproducer from 30 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): setsockopt$XDP_UMEM_REG-setsockopt$XDP_RX_RING-syz_open_dev$vcsa-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-sched_setaffinity-recvmmsg-socket$nl_route-recvmmsg-sendmsg$nl_route-openat$ptmx-openat$kvm-socket$packet-recvmmsg-ioctl$TIOCSETD-socket$packet-sendto$packet-setsockopt$SO_TIMESTAMP-io_setup-syz_clone-io_submit-mkdir
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 30s
testing program (duration=37s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [4, 28, 29, 4, 4, 4, 14, 10, 4, 4, 30, 21, 24, 4, 4, 4, 4, 28, 4, 4, 14, 4, 10, 4, 25, 9, 29, 4, 4, 4]
detailed listing:
executing program 2:
syz_emit_ethernet(0xb4, &(0x7f00000001c0)=ANY=[@ANYBLOB="000000000000bbbbbbbbbbbb88a82a008100020008050204c2"], 0x0)
r0 = syz_usb_connect$hid(0x1, 0x36, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x0, 0x0, 0x0, 0x8, 0x46d, 0xc081, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, "", [{{0x9, 0x4, 0x0, 0x0, 0x9, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x8, 0x4, 0x1, {0x22, 0x28}}, {{{0x9, 0x5, 0x81, 0x3, 0x400, 0x0, 0x81}}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000040)={0x24, 0x0, 0x0, 0x0, &(0x7f00000001c0)={0x0, 0x22, 0x371, {0x9}}}, &(0x7f0000000080)={0xffffffffffffffeb, 0x0, 0x0, 0x0, 0x0, 0x0})
executing program 2:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x0, 0x0, 0x0)
mount$overlay(0x0, &(0x7f00000003c0)='./file1/file0\x00', &(0x7f0000000b80), 0x100408, &(0x7f0000000200)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}]})
r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x2200, 0x0)
ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0)
executing program 1:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 4:
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="020000000400000006000000050000000010"], 0x50)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[], 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xd, &(0x7f0000000800)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000014e24007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000001000000850000000500000095"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x31, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_BIND_MAP(0xa, &(0x7f00000001c0)={r1, 0xffffffffffffffff, 0x60000000}, 0xc)
executing program 3:
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xa, 0x4, 0xfff, 0x7}, 0x48)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[], 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x11, 0xd, &(0x7f0000000280)=ANY=[@ANYBLOB="18000000080000000000000000000080850000000f00000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b70400000000725e850000000100000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x2d, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_BIND_MAP(0xa, &(0x7f0000000680)={r1}, 0xc)
executing program 4:
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x5, 0x4, 0x8, 0x5}, 0x48)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[], 0x48)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xd, &(0x7f0000000040)=ANY=[@ANYBLOB="180100001700000000000000ff000000850000006d00000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000002007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008002010b704000000000000850000000100000095"], &(0x7f00000001c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_BIND_MAP(0xa, &(0x7f0000000340)={r1}, 0xc)
executing program 2:
syz_mount_image$fuse(0x0, &(0x7f0000002080)='./file0\x00', 0x212b845, 0x0, 0x2, 0x0, 0x0)
r0 = inotify_init1(0x80000)
r1 = inotify_add_watch(r0, &(0x7f0000000400)='./file0\x00', 0x60000726)
memfd_create(&(0x7f0000000180)='\b\x9dF\xd8\b\xb3~u\xa5\"\xdc\xfdq\xf6c\r;\xfcO\x8c=\x81\xb1\x8aWpA\xd4\x98\x85K\x89>N\x8ar\x17O\x0fKR\xe2{mn\xcc\xbf2\xc0\xa7\x14\xd0\xd4\xfe/m\xdf\xb6]\xc2\xaa\x86\xec(\xf7\xcd\xa6\xd9n^.\x13*\xd4\xb8\xe8\xc4\xefb\x14Vx\xc6\xfe\x9e\xee\xe7\xd7E\xe9\t\x83\xdeNX\xec\xe66\x1b\x97$\xee\x84\x14n,B\xd5?\xe5E:+Pm\x1d\xb4\xb8\xeb\xe8Op2\x82\xc7\x0e\x97\x03\xef\x1a\xa5\x00.\x89\b!m\f\xd9\x8b$}\x9f\fX\x81\xa8\xf6\x94\xbc\xed\x80|l]\xe9\xca\xd3\xc9\xa3\x9e\x9cJI\xf1\xa2\xa0\xc4:\x00\x00\x00\x00\x00\x00\b\x00\x00', 0x0)
r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x42082, 0x0)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r3)
ioctl$TUNSETTXFILTER(r2, 0x400454d1, &(0x7f0000000200)=ANY=[@ANYRES16=r1, @ANYRES32=r1])
socket$netlink(0x10, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000240)={'syzkaller0\x00', <r5=>0x0})
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(r6, 0x0, 0x0, 0x50040, &(0x7f00000001c0)={0x11, 0x3, r5, 0x1, 0xd8}, 0x14)
executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r1 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000140), 0x180, 0x0)
ioctl$VFAT_IOCTL_READDIR_SHORT(r1, 0x541b, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setreuid(0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000016000/0x18000)=nil, &(0x7f0000000000)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
memfd_create(&(0x7f00000001c0)='\x02A\xbbL\xeb\xbd]\x9c\x9aU\x9c\xcbb\xcc\xfa0\xf5JoeN\x8c\x86\xfa\xb3\x0e&\xfe\xa8NF\x96\t\x01\xceJ\xc3\x8f+\xe8\xa7v\x80\xfaj\xfe\x11\x0e\xed6\x00\x00\x00\x00\x00\x00\f\xd7\xe7\xdb?\xf3\xd9\xa3\xd6a\x1a\xfch}7K\xca\x90KA\x02\xd6\x94\xf0S\xcc\xd0\x14\x8c\xb3!\xa8\xeajy@\xa0\xdc~\xea\xfd\xfb\x12\x88Xa\x16\xcb\xe4\x03\x1e\xac\xf2\xe9\xf1<', 0x3)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 3:
r0 = socket$inet_icmp_raw(0x2, 0x3, 0x1)
r1 = dup(r0)
sendmsg$inet(r1, &(0x7f0000000780)={&(0x7f0000000100)={0x2, 0xffff, @multicast1}, 0x10, &(0x7f00000014c0)=[{&(0x7f0000000000)="be39", 0xffeb}, {0x0}], 0x2, &(0x7f0000000c80)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {0x0, @local, @private}}}], 0x20}, 0x0)
read$FUSE(r1, &(0x7f0000003e00)={0x2020}, 0x2020)
executing program 2:
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0xd3283d0368e269b3, 0x8031, 0xffffffffffffffff, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x0, 0xc, &(0x7f0000000440)=@framed={{0x18, 0x2}, [@printk={@ld}, @call={0x85, 0x0, 0x0, 0x7}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x10}, 0x94)
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000580)={0x1f, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x1a, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_BIND_MAP(0xa, &(0x7f00000004c0)={r0}, 0xc)
executing program 2:
r0 = socket$nl_route(0x10, 0x3, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x1)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r1 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x8040, 0x20)
ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r2, 0x40081271, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
fsopen(&(0x7f0000000280)='ceph\x00', 0x0)
r5 = gettid()
r6 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$inet6_int(r2, 0x29, 0x18, &(0x7f0000000100)=0x7, 0x4)
sendmsg$nl_route(r6, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000800)=@can_newroute={0x14, 0x18, 0x1, 0x70bd29, 0x25dfdbfd, {0x1d, 0x1, 0x4}}, 0x14}}, 0x4c0c8)
tkill(r5, 0xb)
r7 = openat$vcsu(0xffffffffffffff9c, &(0x7f0000000000), 0x600, 0x0)
r8 = epoll_create(0x2)
epoll_ctl$EPOLL_CTL_ADD(r8, 0x1, r7, &(0x7f0000009b80)={0x40000012})
read$FUSE(r7, &(0x7f0000000500)={0x2020}, 0x2020)
epoll_pwait(r8, &(0x7f0000000040)=[{}], 0x1, 0x2, 0x0, 0x0)
r9 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$VT_RESIZEX(r9, 0x560a, &(0x7f00000006c0)={0x4, 0x0, 0x0, 0x0, 0x132, 0x3})
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=@newlink={0x3c, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x2031}, [@IFLA_XDP={0x14, 0x2b, 0x0, 0x1, [@IFLA_XDP_FD={0x8}, @IFLA_XDP_FLAGS={0x8, 0x3, 0x2}]}, @IFLA_GROUP={0x8}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20048054}, 0x0)
ioctl$KVM_IRQFD(r7, 0x4020ae76, &(0x7f0000000180)={r7, 0x8, 0x1})
executing program 0:
syz_mount_image$fuse(0x0, &(0x7f0000001040)='./file2\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000002080)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
syz_open_procfs$namespace(0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000000)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r0 = getpid()
sched_setscheduler(r0, 0x1, &(0x7f0000000100)=0x5)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000001480)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f00000004c0)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800002, 0xe)
setreuid(0xee00, 0x0)
keyctl$join(0x1, 0x0)
bpf$MAP_CREATE_TAIL_CALL(0x0, 0x0, 0x48)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
r3 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000380)=ANY=[@ANYBLOB="280000002100050125bd70000000000002000000", @ANYRES32=0x0, @ANYRES32, @ANYBLOB="b7836f1c1b5be19805e133cc73fc5944bcec"], 0x28}}, 0x0)
executing program 3:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
executing program 4:
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000070000001801000020756c2500000000002020207b1af8ff00000000bfa100000000000007"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x10, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000023c0)={0x0, 0x4, &(0x7f0000000480)=@framed={{0x18, 0x2}, [@call={0x85, 0x0, 0x0, 0x7b}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0xfffffffffffffdb3}, 0x94)
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x1f, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x1a, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$PROG_BIND_MAP(0xa, &(0x7f00000004c0)={r0}, 0xc)
executing program 4:
r0 = syz_open_dev$evdev(&(0x7f00000001c0), 0x0, 0x8000)
syz_usb_disconnect(r0)
syz_usb_connect$rtl8150(0x5, 0x3f, &(0x7f0000000080)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xbda, 0x8150, 0x0, 0x1, 0x2, 0x3, 0x62, [{{0x9, 0x2, 0xfffffffffffffd93}}]}}, 0x0)
ioctl$EVIOCRMFF(r0, 0x4004550f, 0x0)
executing program 1:
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x3, 0x5, &(0x7f0000000340)=ANY=[@ANYBLOB="18000000000000000000000000040000850000002e000000850000000700000095"], &(0x7f0000000140)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000380)=@newlink={0x34, 0x10, 0xc362e63b3f31ba5f, 0x70bd2a, 0x0, {0x0, 0x0, 0x0, 0x0, 0x22483, 0x80f1}, [@IFLA_GROUP={0x8}, @IFLA_XDP={0xc, 0x2b, 0x0, 0x1, [@IFLA_XDP_FD={0x8, 0x1, r1}]}]}, 0x34}}, 0x800)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0xa, 0x5, 0x2, 0x7, 0x0, 0x1, 0x10000}, 0x50)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000001e40), &(0x7f0000001f40), 0x2248, r0}, 0x38)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xd, &(0x7f0000000440)=@framed={{0x18, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x4000}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @call={0x85, 0x0, 0x0, 0x5}]}, &(0x7f0000000400)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0xd, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_BIND_MAP(0xa, &(0x7f00000003c0)={r1, r0}, 0xc)
executing program 2:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x0, 0x0, 0x0)
mount$overlay(0x0, &(0x7f00000003c0)='./file1/file0\x00', &(0x7f0000000b80), 0x100408, &(0x7f0000000200)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}]})
r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x2200, 0x0)
ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0)
executing program 0:
r0 = socket(0x10, 0x803, 0x0)
setsockopt$sock_int(r0, 0x1, 0x22, &(0x7f0000000000)=0x6, 0x4)
sendto(r0, &(0x7f00000000c0)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0)
recvmmsg(r0, &(0x7f0000000300)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f00000008c0)=""/206, 0xce}, 0x4}], 0x1, 0x162, 0x0)
executing program 0:
r0 = socket$can_bcm(0x1d, 0x2, 0x2)
connect$can_bcm(r0, &(0x7f00000001c0), 0x10)
io_setup(0x9, &(0x7f0000000240)=<r1=>0x0)
io_submit(r1, 0x1, &(0x7f0000000100)=[&(0x7f00000000c0)={0x400000, 0x0, 0x0, 0x1, 0x0, r0, 0x0}])
executing program 1:
syz_mount_image$fuse(0x0, &(0x7f0000002080)='./file0\x00', 0x212b845, 0x0, 0x2, 0x0, 0x0)
r0 = inotify_init1(0x80000)
r1 = inotify_add_watch(r0, &(0x7f0000000400)='./file0\x00', 0x60000726)
memfd_create(&(0x7f0000000180)='\b\x9dF\xd8\b\xb3~u\xa5\"\xdc\xfdq\xf6c\r;\xfcO\x8c=\x81\xb1\x8aWpA\xd4\x98\x85K\x89>N\x8ar\x17O\x0fKR\xe2{mn\xcc\xbf2\xc0\xa7\x14\xd0\xd4\xfe/m\xdf\xb6]\xc2\xaa\x86\xec(\xf7\xcd\xa6\xd9n^.\x13*\xd4\xb8\xe8\xc4\xefb\x14Vx\xc6\xfe\x9e\xee\xe7\xd7E\xe9\t\x83\xdeNX\xec\xe66\x1b\x97$\xee\x84\x14n,B\xd5?\xe5E:+Pm\x1d\xb4\xb8\xeb\xe8Op2\x82\xc7\x0e\x97\x03\xef\x1a\xa5\x00.\x89\b!m\f\xd9\x8b$}\x9f\fX\x81\xa8\xf6\x94\xbc\xed\x80|l]\xe9\xca\xd3\xc9\xa3\x9e\x9cJI\xf1\xa2\xa0\xc4:\x00\x00\x00\x00\x00\x00\b\x00\x00', 0x0)
r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x42082, 0x0)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r3)
ioctl$TUNSETTXFILTER(r2, 0x400454d1, &(0x7f0000000200)=ANY=[@ANYRES16=r1, @ANYRES32=r1])
socket$netlink(0x10, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000240)={'syzkaller0\x00', <r5=>0x0})
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(r6, 0x0, 0x0, 0x50040, &(0x7f00000001c0)={0x11, 0x3, r5, 0x1, 0xd8}, 0x14)
executing program 3:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=@newlink={0x50, 0x10, 0x403, 0x0, 0x25dfdbfe, {0x0, 0x0, 0x74, r1, 0x90282}, [@IFLA_LINKINFO={0x30, 0x12, 0x0, 0x1, @bridge={{0xb}, {0x20, 0x2, 0x0, 0x1, [@IFLA_BR_MCAST_QUERIER={0x5, 0x19, 0x2}, @IFLA_BR_MCAST_STARTUP_QUERY_INTVL={0xc, 0x23, 0xf}, @IFLA_BR_MCAST_MLD_VERSION={0x5, 0x2c, 0x8}]}}}]}, 0x50}, 0x1, 0x0, 0x0, 0x810}, 0x0)
executing program 0:
timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2}, &(0x7f0000000300)=<r0=>0x0)
fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5})
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
recvfrom(r1, &(0x7f00000004c0)=""/182, 0xb6, 0x0, 0x0, 0x0)
mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1)
timer_settime(r0, 0x1, &(0x7f0000000040)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
syz_emit_ethernet(0x0, 0x0, 0x0)
write$P9_RVERSION(0xffffffffffffffff, 0x0, 0x15)
socket(0x10, 0xa, 0x40000)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x27ffff7, 0x4012011, 0xffffffffffffffff, 0x4000)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000100)={0x4, <r2=>0xffffffffffffffff})
ioctl$KVM_SET_DEVICE_ATTR(r2, 0x4018aee1, 0x0)
executing program 0:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x0, 0x0, 0x0)
executing program 3:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000140), 0x180, 0x0)
ioctl$VFAT_IOCTL_READDIR_SHORT(r0, 0x541b, 0x0)
setreuid(0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000016000/0x18000)=nil, &(0x7f0000000000)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
memfd_create(&(0x7f00000001c0)='\x02A\xbbL\xeb\xbd]\x9c\x9aU\x9c\xcbb\xcc\xfa0\xf5JoeN\x8c\x86\xfa\xb3\x0e&\xfe\xa8NF\x96\t\x01\xceJ\xc3\x8f+\xe8\xa7v\x80\xfaj\xfe\x11\x0e\xed6\x00\x00\x00\x00\x00\x00\f\xd7\xe7\xdb?\xf3\xd9\xa3\xd6a\x1a\xfch}7K\xca\x90KA\x02\xd6\x94\xf0S\xcc\xd0\x14\x8c\xb3!\xa8\xeajy@\xa0\xdc~\xea\xfd\xfb\x12\x88Xa\x16\xcb\xe4\x03\x1e\xac\xf2\xe9\xf1<', 0x3)
ioctl$KVM_RUN(r1, 0xae80, 0x0)
executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 1:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
bind$inet6(r0, &(0x7f0000000080)={0xa, 0x4e21, 0x5, @loopback, 0x7}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e21, 0x659, @empty, 0xff}, 0x1c)
setsockopt$inet6_IPV6_ADDRFORM(r0, 0x29, 0x1, &(0x7f0000000180), 0x4)
executing program 4:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000480)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe2(&(0x7f0000000000)={0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x80000)
splice(r1, 0x0, r2, 0x0, 0x6, 0x0)
write(r0, &(0x7f0000000100)="fe0fc991cced27", 0x7)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
bisect: bisecting 30 programs
bisect: split chunks (needed=false): <29>
bisect: split chunk #0 of len 29 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=35s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [30, 21, 24, 4, 4, 4, 4, 28, 4, 4, 14, 4, 10, 4, 25, 9, 29, 4, 4, 4]
detailed listing:
executing program 2:
r0 = socket$nl_route(0x10, 0x3, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x1)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r1 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x8040, 0x20)
ioctl$FS_IOC_GET_ENCRYPTION_PWSALT(r2, 0x40081271, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r1, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
fsopen(&(0x7f0000000280)='ceph\x00', 0x0)
r5 = gettid()
r6 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$inet6_int(r2, 0x29, 0x18, &(0x7f0000000100)=0x7, 0x4)
sendmsg$nl_route(r6, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000800)=@can_newroute={0x14, 0x18, 0x1, 0x70bd29, 0x25dfdbfd, {0x1d, 0x1, 0x4}}, 0x14}}, 0x4c0c8)
tkill(r5, 0xb)
r7 = openat$vcsu(0xffffffffffffff9c, &(0x7f0000000000), 0x600, 0x0)
r8 = epoll_create(0x2)
epoll_ctl$EPOLL_CTL_ADD(r8, 0x1, r7, &(0x7f0000009b80)={0x40000012})
read$FUSE(r7, &(0x7f0000000500)={0x2020}, 0x2020)
epoll_pwait(r8, &(0x7f0000000040)=[{}], 0x1, 0x2, 0x0, 0x0)
r9 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$VT_RESIZEX(r9, 0x560a, &(0x7f00000006c0)={0x4, 0x0, 0x0, 0x0, 0x132, 0x3})
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=@newlink={0x3c, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x2031}, [@IFLA_XDP={0x14, 0x2b, 0x0, 0x1, [@IFLA_XDP_FD={0x8}, @IFLA_XDP_FLAGS={0x8, 0x3, 0x2}]}, @IFLA_GROUP={0x8}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20048054}, 0x0)
ioctl$KVM_IRQFD(r7, 0x4020ae76, &(0x7f0000000180)={r7, 0x8, 0x1})
executing program 0:
syz_mount_image$fuse(0x0, &(0x7f0000001040)='./file2\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000002080)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
syz_open_procfs$namespace(0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000000)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r0 = getpid()
sched_setscheduler(r0, 0x1, &(0x7f0000000100)=0x5)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000001480)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f00000004c0)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800002, 0xe)
setreuid(0xee00, 0x0)
keyctl$join(0x1, 0x0)
bpf$MAP_CREATE_TAIL_CALL(0x0, 0x0, 0x48)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
r3 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000380)=ANY=[@ANYBLOB="280000002100050125bd70000000000002000000", @ANYRES32=0x0, @ANYRES32, @ANYBLOB="b7836f1c1b5be19805e133cc73fc5944bcec"], 0x28}}, 0x0)
executing program 3:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
executing program 4:
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000070000001801000020756c2500000000002020207b1af8ff00000000bfa100000000000007"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x10, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000023c0)={0x0, 0x4, &(0x7f0000000480)=@framed={{0x18, 0x2}, [@call={0x85, 0x0, 0x0, 0x7b}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0xfffffffffffffdb3}, 0x94)
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x1f, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000180)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x1a, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$PROG_BIND_MAP(0xa, &(0x7f00000004c0)={r0}, 0xc)
executing program 4:
r0 = syz_open_dev$evdev(&(0x7f00000001c0), 0x0, 0x8000)
syz_usb_disconnect(r0)
syz_usb_connect$rtl8150(0x5, 0x3f, &(0x7f0000000080)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xbda, 0x8150, 0x0, 0x1, 0x2, 0x3, 0x62, [{{0x9, 0x2, 0xfffffffffffffd93}}]}}, 0x0)
ioctl$EVIOCRMFF(r0, 0x4004550f, 0x0)
executing program 1:
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x3, 0x5, &(0x7f0000000340)=ANY=[@ANYBLOB="18000000000000000000000000040000850000002e000000850000000700000095"], &(0x7f0000000140)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000380)=@newlink={0x34, 0x10, 0xc362e63b3f31ba5f, 0x70bd2a, 0x0, {0x0, 0x0, 0x0, 0x0, 0x22483, 0x80f1}, [@IFLA_GROUP={0x8}, @IFLA_XDP={0xc, 0x2b, 0x0, 0x1, [@IFLA_XDP_FD={0x8, 0x1, r1}]}]}, 0x34}}, 0x800)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0xa, 0x5, 0x2, 0x7, 0x0, 0x1, 0x10000}, 0x50)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000001e40), &(0x7f0000001f40), 0x2248, r0}, 0x38)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xd, &(0x7f0000000440)=@framed={{0x18, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x4000}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @call={0x85, 0x0, 0x0, 0x5}]}, &(0x7f0000000400)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, @fallback=0xd, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_BIND_MAP(0xa, &(0x7f00000003c0)={r1, r0}, 0xc)
executing program 2:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x0, 0x0, 0x0)
mount$overlay(0x0, &(0x7f00000003c0)='./file1/file0\x00', &(0x7f0000000b80), 0x100408, &(0x7f0000000200)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}]})
r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x2200, 0x0)
ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0)
executing program 0:
r0 = socket(0x10, 0x803, 0x0)
setsockopt$sock_int(r0, 0x1, 0x22, &(0x7f0000000000)=0x6, 0x4)
sendto(r0, &(0x7f00000000c0)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0)
recvmmsg(r0, &(0x7f0000000300)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f00000008c0)=""/206, 0xce}, 0x4}], 0x1, 0x162, 0x0)
executing program 0:
r0 = socket$can_bcm(0x1d, 0x2, 0x2)
connect$can_bcm(r0, &(0x7f00000001c0), 0x10)
io_setup(0x9, &(0x7f0000000240)=<r1=>0x0)
io_submit(r1, 0x1, &(0x7f0000000100)=[&(0x7f00000000c0)={0x400000, 0x0, 0x0, 0x1, 0x0, r0, 0x0}])
executing program 1:
syz_mount_image$fuse(0x0, &(0x7f0000002080)='./file0\x00', 0x212b845, 0x0, 0x2, 0x0, 0x0)
r0 = inotify_init1(0x80000)
r1 = inotify_add_watch(r0, &(0x7f0000000400)='./file0\x00', 0x60000726)
memfd_create(&(0x7f0000000180)='\b\x9dF\xd8\b\xb3~u\xa5\"\xdc\xfdq\xf6c\r;\xfcO\x8c=\x81\xb1\x8aWpA\xd4\x98\x85K\x89>N\x8ar\x17O\x0fKR\xe2{mn\xcc\xbf2\xc0\xa7\x14\xd0\xd4\xfe/m\xdf\xb6]\xc2\xaa\x86\xec(\xf7\xcd\xa6\xd9n^.\x13*\xd4\xb8\xe8\xc4\xefb\x14Vx\xc6\xfe\x9e\xee\xe7\xd7E\xe9\t\x83\xdeNX\xec\xe66\x1b\x97$\xee\x84\x14n,B\xd5?\xe5E:+Pm\x1d\xb4\xb8\xeb\xe8Op2\x82\xc7\x0e\x97\x03\xef\x1a\xa5\x00.\x89\b!m\f\xd9\x8b$}\x9f\fX\x81\xa8\xf6\x94\xbc\xed\x80|l]\xe9\xca\xd3\xc9\xa3\x9e\x9cJI\xf1\xa2\xa0\xc4:\x00\x00\x00\x00\x00\x00\b\x00\x00', 0x0)
r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x42082, 0x0)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r3)
ioctl$TUNSETTXFILTER(r2, 0x400454d1, &(0x7f0000000200)=ANY=[@ANYRES16=r1, @ANYRES32=r1])
socket$netlink(0x10, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000240)={'syzkaller0\x00', <r5=>0x0})
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(r6, 0x0, 0x0, 0x50040, &(0x7f00000001c0)={0x11, 0x3, r5, 0x1, 0xd8}, 0x14)
executing program 3:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=@newlink={0x50, 0x10, 0x403, 0x0, 0x25dfdbfe, {0x0, 0x0, 0x74, r1, 0x90282}, [@IFLA_LINKINFO={0x30, 0x12, 0x0, 0x1, @bridge={{0xb}, {0x20, 0x2, 0x0, 0x1, [@IFLA_BR_MCAST_QUERIER={0x5, 0x19, 0x2}, @IFLA_BR_MCAST_STARTUP_QUERY_INTVL={0xc, 0x23, 0xf}, @IFLA_BR_MCAST_MLD_VERSION={0x5, 0x2c, 0x8}]}}}]}, 0x50}, 0x1, 0x0, 0x0, 0x810}, 0x0)
executing program 0:
timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2}, &(0x7f0000000300)=<r0=>0x0)
fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5})
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
recvfrom(r1, &(0x7f00000004c0)=""/182, 0xb6, 0x0, 0x0, 0x0)
mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1)
timer_settime(r0, 0x1, &(0x7f0000000040)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
syz_emit_ethernet(0x0, 0x0, 0x0)
write$P9_RVERSION(0xffffffffffffffff, 0x0, 0x15)
socket(0x10, 0xa, 0x40000)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x27ffff7, 0x4012011, 0xffffffffffffffff, 0x4000)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000100)={0x4, <r2=>0xffffffffffffffff})
ioctl$KVM_SET_DEVICE_ATTR(r2, 0x4018aee1, 0x0)
executing program 0:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x0, 0x0, 0x0)
executing program 3:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000140), 0x180, 0x0)
ioctl$VFAT_IOCTL_READDIR_SHORT(r0, 0x541b, 0x0)
setreuid(0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000016000/0x18000)=nil, &(0x7f0000000000)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
memfd_create(&(0x7f00000001c0)='\x02A\xbbL\xeb\xbd]\x9c\x9aU\x9c\xcbb\xcc\xfa0\xf5JoeN\x8c\x86\xfa\xb3\x0e&\xfe\xa8NF\x96\t\x01\xceJ\xc3\x8f+\xe8\xa7v\x80\xfaj\xfe\x11\x0e\xed6\x00\x00\x00\x00\x00\x00\f\xd7\xe7\xdb?\xf3\xd9\xa3\xd6a\x1a\xfch}7K\xca\x90KA\x02\xd6\x94\xf0S\xcc\xd0\x14\x8c\xb3!\xa8\xeajy@\xa0\xdc~\xea\xfd\xfb\x12\x88Xa\x16\xcb\xe4\x03\x1e\xac\xf2\xe9\xf1<', 0x3)
ioctl$KVM_RUN(r1, 0xae80, 0x0)
executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 1:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
bind$inet6(r0, &(0x7f0000000080)={0xa, 0x4e21, 0x5, @loopback, 0x7}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e21, 0x659, @empty, 0xff}, 0x1c)
setsockopt$inet6_IPV6_ADDRFORM(r0, 0x29, 0x1, &(0x7f0000000180), 0x4)
executing program 4:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000480)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe2(&(0x7f0000000000)={0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x80000)
splice(r1, 0x0, r2, 0x0, 0x6, 0x0)
write(r0, &(0x7f0000000100)="fe0fc991cced27", 0x7)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=32s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 4, 10, 4, 25, 9, 29, 4, 4, 4]
detailed listing:
executing program 1:
syz_mount_image$fuse(0x0, &(0x7f0000002080)='./file0\x00', 0x212b845, 0x0, 0x2, 0x0, 0x0)
r0 = inotify_init1(0x80000)
r1 = inotify_add_watch(r0, &(0x7f0000000400)='./file0\x00', 0x60000726)
memfd_create(&(0x7f0000000180)='\b\x9dF\xd8\b\xb3~u\xa5\"\xdc\xfdq\xf6c\r;\xfcO\x8c=\x81\xb1\x8aWpA\xd4\x98\x85K\x89>N\x8ar\x17O\x0fKR\xe2{mn\xcc\xbf2\xc0\xa7\x14\xd0\xd4\xfe/m\xdf\xb6]\xc2\xaa\x86\xec(\xf7\xcd\xa6\xd9n^.\x13*\xd4\xb8\xe8\xc4\xefb\x14Vx\xc6\xfe\x9e\xee\xe7\xd7E\xe9\t\x83\xdeNX\xec\xe66\x1b\x97$\xee\x84\x14n,B\xd5?\xe5E:+Pm\x1d\xb4\xb8\xeb\xe8Op2\x82\xc7\x0e\x97\x03\xef\x1a\xa5\x00.\x89\b!m\f\xd9\x8b$}\x9f\fX\x81\xa8\xf6\x94\xbc\xed\x80|l]\xe9\xca\xd3\xc9\xa3\x9e\x9cJI\xf1\xa2\xa0\xc4:\x00\x00\x00\x00\x00\x00\b\x00\x00', 0x0)
r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x42082, 0x0)
r3 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r3)
ioctl$TUNSETTXFILTER(r2, 0x400454d1, &(0x7f0000000200)=ANY=[@ANYRES16=r1, @ANYRES32=r1])
socket$netlink(0x10, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000240)={'syzkaller0\x00', <r5=>0x0})
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(r6, 0x0, 0x0, 0x50040, &(0x7f00000001c0)={0x11, 0x3, r5, 0x1, 0xd8}, 0x14)
executing program 3:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=@newlink={0x50, 0x10, 0x403, 0x0, 0x25dfdbfe, {0x0, 0x0, 0x74, r1, 0x90282}, [@IFLA_LINKINFO={0x30, 0x12, 0x0, 0x1, @bridge={{0xb}, {0x20, 0x2, 0x0, 0x1, [@IFLA_BR_MCAST_QUERIER={0x5, 0x19, 0x2}, @IFLA_BR_MCAST_STARTUP_QUERY_INTVL={0xc, 0x23, 0xf}, @IFLA_BR_MCAST_MLD_VERSION={0x5, 0x2c, 0x8}]}}}]}, 0x50}, 0x1, 0x0, 0x0, 0x810}, 0x0)
executing program 0:
timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2}, &(0x7f0000000300)=<r0=>0x0)
fcntl$lock(0xffffffffffffffff, 0x24, &(0x7f0000000040)={0x0, 0x0, 0x10001, 0x5})
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
recvfrom(r1, &(0x7f00000004c0)=""/182, 0xb6, 0x0, 0x0, 0x0)
mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1)
timer_settime(r0, 0x1, &(0x7f0000000040)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
syz_emit_ethernet(0x0, 0x0, 0x0)
write$P9_RVERSION(0xffffffffffffffff, 0x0, 0x15)
socket(0x10, 0xa, 0x40000)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x27ffff7, 0x4012011, 0xffffffffffffffff, 0x4000)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000100)={0x4, <r2=>0xffffffffffffffff})
ioctl$KVM_SET_DEVICE_ATTR(r2, 0x4018aee1, 0x0)
executing program 0:
setsockopt$IPT_SO_SET_ADD_COUNTERS(0xffffffffffffffff, 0x0, 0x41, 0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0xffffffffffffff3c, &(0x7f0000000100)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_mount_image$msdos(&(0x7f0000000040), &(0x7f0000000240)='./file1/file0\x00', 0x0, &(0x7f00000002c0)=ANY=[], 0x1, 0x231, &(0x7f0000000e00)="$eJzs3D9re1UYB/Dz6y+2aaR/JkEXD7roctE6OQZpQQwosRF1EG5pqiExKbkRE3Ho7OTgqyiOboL4Brr4GtyKIJ06NdLc/kttsWDbtM3nA+E84UvguTnc8NwLufuf/vh1cytLttJemCnGUAhhJxyGsBxmwvOQe3ayzozq2XDRTnjz3W8Ofvj4s88/KFcqq9UY18rr76zEGBdf/e3b739+7ffei5/8svjrXNhb/mL/75U/917ae3n/aP2rRhYbWWx3ejGNG51OL91o1eNmI2smMX7UqqdZPTbaWb07lm+1Otvbg5i2NxdK2916lsW0PYjN+iD2OrHXHcT0y7TRjkmSxIVS4L/UdqvVtDzpLrhb3W45PT6X5/+V1HYn0hAAMFHm/2n2P+b/o2Hu1nvith3P/6WT83ec+R8AAAAAAAAAAAAAAB6Dw+FwaTgcLp2up6+5EEIxhHD6ftJ9cjfs/3Sz/9NtbP+fjTZ8aVjIM/v/9F34424xhL92+rV+LV/zfO39yupbcWT5/FMH/X7t+Vn+dp7H8fyFUDrJV67MZ8Mbr+f5cfbeh5VL+XzYHNV/3PVXAAAAAE9eEs9ceX2fJNfleXXh/sCl6/dCeCW/j1S4p0MBAAAArpENvmumrVa9+xiL4sNo44bFT9UH0YZCcZNi0r9MAADAbTsf+ifdCQAAAAAAAAAAAAAAAAAAAEyv+3ic2KSPEQAAAAAAAAAAAAAAAAAAAAAAHpp/AgAA///5MQT4")
mount$bind(0x0, &(0x7f0000000140)='./file0\x00', 0x0, 0x100000, 0x0)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
getrlimit(0x3, &(0x7f0000000000))
mount$tmpfs(0x0, &(0x7f00000001c0)='./file0\x00', 0x0, 0x20000, 0x0)
move_mount(r3, &(0x7f0000008080)='./file0\x00', 0xffffffffffffff9c, &(0x7f0000000340)='./file0\x00', 0x156)
socket$inet(0x2, 0x4000000000000001, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x16, 0x0, 0x0, &(0x7f0000000340)='GPL\x00', 0x2000, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1f, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000280)=@bpf_lsm={0x6, 0x3, &(0x7f00000003c0)=ANY=[], 0x0}, 0x94)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB="9402000021000100fcffffff00000000ac1414aae5fffff8b49ed9825133a900fc0100"/48, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000070000400706362632874776f666973682900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040010000dc06216ef2c68e9f6da05d886dbc3273ef99796b36698e2bd5179c3eea5474fc78c9720bfc4f90a708001f0001000000cc0111"], 0x294}}, 0x0)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000100)='./file1\x00', 0xc, &(0x7f0000000380)={[{@grpid}, {@nombcache}]}, 0x2, 0x552, &(0x7f00000015c0)="$eJzs3cFvI1cZAPBvvPE6u802KfQACOhSCgtarZN426jqhe0FhKpKFRUnDtuQuFEUex3FXtGEPWSP3CuxEifKf8CNA1JPHLhxA4lDL+WAtMAK1CA4GM14kriJnZhNaifx7yeNZ+a9yXzvxXnzZl5kvwDG1vWI2I6IyxHxTkRM5+lJvsSdzpIe98mTB0s7Tx4sJdFuv/33JMtP06LrZ1LP5OecjIgffC/ix8nhuM3NrbXFWq26ke/Pturrs83NrVurhTylsjC/MPfq7Vcqp1bXF+q/fvzd1Td++NvffOXjP2x/+6dpsaZ+di3L667HvuKJYyb5eaa60iYi4o0Tn/nsmMj/fjh/0tb2uYh4MWv/03EpezcBgIus3Z6O9nT3/gAuD3ogAHAWpc//U5EUyvlYwFQUCuVyZwzv+bhaqDWarZvTjfv3liMbw5qJYuHd1Vp1Lh8rnIliku7PZ9v7+5VP7b9fvR0Rz0XE+6UrWX55qVFbHuWNDwCMsWcO9P//KnX6/24n/y8YAHDmTD7VT5VOvRwAwPB09f8zoywHADA8T/f8DwCcZwf7/yPuB3w6EAAuCM//ADB+9P8AMH6O7f8fDqccAMBQvPXmm+nS3ul8//XuN3XfWq4218r1+0vlpcbGenml0VipVctL7fZx56s1GuvzL+/tNje37tYb9++17q7WF1eqd6u+SwAARu+5Fz78U9rpb792JVuiay4HfTVcbIVRFwAYmUujLgAwMj7PA+NrgGd8wwBwwSUR//mgV0Y+QJD0mMM388jkr3Be3fii8X8YVycZ/zd2AOfb043/f+fUywEMnz4cxle7nZjKHwDGjDF+oN+/93f1/YqQRwOc/M7/Xx4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D6bSl7eSQjmbC3w7fS2UyxHXImImism7q7XqXEQ8GxF/LBVL6f78qAsNAJxQ4a9JPv/XjemXpg7mXk7+XcrWEfGTX7z98/cWW62N+TT9H3vprUdp+pXWRuXyKCoAAHTbnXfzo/2krP+u5OuuB/lPnjxY2l2GWcTHr0fE5JUs/k6+dHImYiJbT0YxIq7+M8n3O9L7lUunEH/7YUR8Ybf+k/FeV4SpbAykM/Ppwfhp7GunHr/7938wfuFT9S1keem6mP0uPh8HCgcc68PXO9fJvO2lTTxvf4W4nq17t//J7Ap1cun1L22uO4euf4W969+lQ/GTrM1f39s/uiSPX/7d9w8ltqc7eQ8jvjTRK36yFz/pff0tvjRgHT/68ldf7JfX/mXEjZ71352Rup5dZmdb9fXZ5ubWrdX64kp1pXqvUlmYX5h79fYrldlsjLrz+vteMf722s1n+8VP63+1T/zJo+sf3xiw/h/8950ffe2I+N/6eu/3//kj4qd94jcHjL949U7f6bvT+Mt96n/M+x83B4z/8V+2lgc8FAAYgubm1tpirVbdOGYjvdc87hgbg2+kz/ZnoBjZRmxHnNYJs0GJiOh5THpHfTaq/FltJCOL/qvTPuGor0zAZ22/0fc/5s/DLBAAAAAAAAAAAAAAAHBIc3NrrdT701rHbJQG/kTgqOsIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxfW/AAAA//9ST8Ky")
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x0, 0x0, 0x0)
executing program 3:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000140), 0x180, 0x0)
ioctl$VFAT_IOCTL_READDIR_SHORT(r0, 0x541b, 0x0)
setreuid(0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000016000/0x18000)=nil, &(0x7f0000000000)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
memfd_create(&(0x7f00000001c0)='\x02A\xbbL\xeb\xbd]\x9c\x9aU\x9c\xcbb\xcc\xfa0\xf5JoeN\x8c\x86\xfa\xb3\x0e&\xfe\xa8NF\x96\t\x01\xceJ\xc3\x8f+\xe8\xa7v\x80\xfaj\xfe\x11\x0e\xed6\x00\x00\x00\x00\x00\x00\f\xd7\xe7\xdb?\xf3\xd9\xa3\xd6a\x1a\xfch}7K\xca\x90KA\x02\xd6\x94\xf0S\xcc\xd0\x14\x8c\xb3!\xa8\xeajy@\xa0\xdc~\xea\xfd\xfb\x12\x88Xa\x16\xcb\xe4\x03\x1e\xac\xf2\xe9\xf1<', 0x3)
ioctl$KVM_RUN(r1, 0xae80, 0x0)
executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 1:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
bind$inet6(r0, &(0x7f0000000080)={0xa, 0x4e21, 0x5, @loopback, 0x7}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e21, 0x659, @empty, 0xff}, 0x1c)
setsockopt$inet6_IPV6_ADDRFORM(r0, 0x29, 0x1, &(0x7f0000000180), 0x4)
executing program 4:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000480)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe2(&(0x7f0000000000)={0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x80000)
splice(r1, 0x0, r2, 0x0, 0x6, 0x0)
write(r0, &(0x7f0000000100)="fe0fc991cced27", 0x7)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
bisect: the chunk can be dropped
bisect: testing without sub-chunk 3/3
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): setsockopt$XDP_UMEM_REG-setsockopt$XDP_RX_RING-syz_open_dev$vcsa-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-sched_setaffinity-recvmmsg-socket$nl_route-recvmmsg-sendmsg$nl_route-openat$ptmx-openat$kvm-socket$packet-recvmmsg-ioctl$TIOCSETD-socket$packet-sendto$packet-setsockopt$SO_TIMESTAMP-io_setup-syz_clone-io_submit-mkdir
detailed listing:
executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)

program did not crash
bisect: split chunks (needed=true): <9>
bisect: split chunk #0 of len 9 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=31s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [9, 29, 4, 4, 4]
detailed listing:
executing program 3:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000140), 0x180, 0x0)
ioctl$VFAT_IOCTL_READDIR_SHORT(r0, 0x541b, 0x0)
setreuid(0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f00000001c0)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000016000/0x18000)=nil, &(0x7f0000000000)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
memfd_create(&(0x7f00000001c0)='\x02A\xbbL\xeb\xbd]\x9c\x9aU\x9c\xcbb\xcc\xfa0\xf5JoeN\x8c\x86\xfa\xb3\x0e&\xfe\xa8NF\x96\t\x01\xceJ\xc3\x8f+\xe8\xa7v\x80\xfaj\xfe\x11\x0e\xed6\x00\x00\x00\x00\x00\x00\f\xd7\xe7\xdb?\xf3\xd9\xa3\xd6a\x1a\xfch}7K\xca\x90KA\x02\xd6\x94\xf0S\xcc\xd0\x14\x8c\xb3!\xa8\xeajy@\xa0\xdc~\xea\xfd\xfb\x12\x88Xa\x16\xcb\xe4\x03\x1e\xac\xf2\xe9\xf1<', 0x3)
ioctl$KVM_RUN(r1, 0xae80, 0x0)
executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 1:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
bind$inet6(r0, &(0x7f0000000080)={0xa, 0x4e21, 0x5, @loopback, 0x7}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e21, 0x659, @empty, 0xff}, 0x1c)
setsockopt$inet6_IPV6_ADDRFORM(r0, 0x29, 0x1, &(0x7f0000000180), 0x4)
executing program 4:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000480)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe2(&(0x7f0000000000)={0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x80000)
splice(r1, 0x0, r2, 0x0, 0x6, 0x0)
write(r0, &(0x7f0000000100)="fe0fc991cced27", 0x7)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <4>
bisect: split chunk #0 of len 4 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [29, 4, 4]
detailed listing:
executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 4:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000480)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe2(&(0x7f0000000000)={0xffffffffffffffff, <r2=>0xffffffffffffffff}, 0x80000)
splice(r1, 0x0, r2, 0x0, 0x6, 0x0)
write(r0, &(0x7f0000000100)="fe0fc991cced27", 0x7)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <2>
bisect: split chunk #0 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [29, 4]
detailed listing:
executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <1>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 2 programs left: 

executing program 3:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
mkdir(&(0x7f0000000400)='./file0\x00', 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)


bisect: trying to concatenate
bisect: concatenate 2 entries
minimizing program #0 before concatenation
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [28, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280)=<r7=>0x0)
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
io_submit(r7, 0x2, &(0x7f0000000240)=[&(0x7f0000000080)={0x0, 0x0, 0x0, 0x7, 0xfffe, r4, 0x0}, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0, r4, 0x0, 0x0, 0x6}])
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [27, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280))
syz_clone(0x100411, 0x0, 0x0, 0x0, 0x0, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [26, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
io_setup(0x7, &(0x7f0000000280))
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [25, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
r6 = socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
setsockopt$SO_TIMESTAMP(r6, 0x1, 0x3f, 0x0, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [24, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
socket$packet(0x11, 0x2, 0x300)
sendto$packet(0xffffffffffffffff, &(0x7f0000000080), 0x0, 0x20008801, &(0x7f0000000200)={0x11, 0x8100, 0x0, 0x1, 0x7}, 0x14)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [23, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
socket$packet(0x11, 0x2, 0x300)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [22, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r5 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r5, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000040)=0x2)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [21, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r4 = socket$packet(0x11, 0x3, 0x300)
recvmmsg(r4, &(0x7f0000000480)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [20, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
socket$packet(0x11, 0x3, 0x300)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [19, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [18, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000180), 0xa82, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [17, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [16, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
recvmmsg(r1, &(0x7f00000022c0)=[{{&(0x7f0000000300)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000001600), 0x0, &(0x7f0000001640)=""/96, 0x60}, 0xfffffffd}, {{&(0x7f00000016c0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @dev}}}, 0x80, &(0x7f0000001d80)=[{&(0x7f0000001740)=""/79, 0x4f}, {&(0x7f00000017c0)=""/138, 0x8a}, {&(0x7f0000001880)=""/246, 0xf6}, {&(0x7f00000019c0)=""/13, 0xd}, {&(0x7f0000001a00)=""/183, 0xb7}, {&(0x7f0000001ac0)=""/40, 0x28}, {&(0x7f0000001b00)=""/118, 0x76}, {&(0x7f0000001b80)=""/28, 0x1c}, {&(0x7f0000001bc0)=""/164, 0xa4}, {&(0x7f0000001c80)=""/218, 0xda}], 0xa}, 0x7}, {{&(0x7f0000001e40)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @link_local}, 0x80, &(0x7f00000021c0)=[{&(0x7f0000001ec0)=""/64, 0x40}, {&(0x7f0000001f00)=""/226, 0xe2}, {&(0x7f0000002000)=""/215, 0xd7}], 0x3, &(0x7f0000002200)=""/152, 0x98}, 0x40d}], 0x3, 0x2, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [15, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f0000000040), 0x80002c1, 0x2, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [13, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [12, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100)={<r1=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000002100))
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [9, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f066bbeeb, 0x8031, 0xffffffffffffffff, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [8, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [7, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
getpid()
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [4, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
syz_open_dev$vcsa(0x0, 0x7b95b611, 0x802)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
setsockopt$XDP_RX_RING(0xffffffffffffffff, 0x11b, 0x2, &(0x7f0000001980)=0x100, 0x4)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in rcu_segcblist_enqueue
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 4]
detailed listing:
executing program 0:
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/74, 0x328000, 0x1000}, 0x1c)
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 4]
detailed listing:
executing program 0:
executing program 1:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
minimized 29 calls -> 0 calls
minimizing program #1 before concatenation
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 3]
detailed listing:
executing program 3:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 3]
detailed listing:
executing program 3:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 3]
detailed listing:
executing program 3:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program did not crash
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [0, 3]
detailed listing:
executing program 3:
executing program 0:
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r0, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(0xffffffffffffffff, 0x40047459, 0x0)

program did not crash
minimized 4 calls -> 4 calls
testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
bisect: concatenation succeeded
found reproducer with 4 syscalls
minimizing guilty program
testing program (duration=42.957073494s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)

program did not crash
testing program (duration=42.957073494s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program did not crash
testing program (duration=42.957073494s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program did not crash
testing program (duration=42.957073494s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r0, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(0xffffffffffffffff, 0x40047459, 0x0)

program did not crash
testing program (duration=42.957073494s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, 0x0, 0x0)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=42.957073494s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
program crashed: KASAN: use-after-free Write in pppol2tp_release
simplifying C reproducer
testing compiled C program (duration=42.957073494s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
testing program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
validation run: crashed=true
testing program (duration=42.957073494s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$PPPIOCSFLAGS
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
ioctl$PPPIOCSFLAGS(r0, 0x40047459, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
reproducing took 42m3.878240163s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
Write of size 8 at addr ffff88812d82d550 by task syz.2.17/374

CPU: 1 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
 mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
 pppol2tp_release+0x194/0x2d0 net/l2tp/l2tp_ppp.c:441
 __sock_release net/socket.c:652 [inline]
 sock_close+0xf1/0x290 net/socket.c:1389
 __fput+0x1fc/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fc48af9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffdc160b68 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffdc160c50 RCX: 00007fc48af9ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000067d3 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33120000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc48b215fac R14: 00007fc48b215fa8 R15: 00007fc48b215fa0
 </TASK>

Allocated by task 374:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:380 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 __do_kmalloc_node mm/slab_common.c:938 [inline]
 __kmalloc+0xb1/0x1e0 mm/slab_common.c:951
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 l2tp_session_create+0x38/0xbe0 net/l2tp/l2tp_core.c:1609
 pppol2tp_connect+0xbef/0x1620 net/l2tp/l2tp_ppp.c:771
 __sys_connect_file net/socket.c:2000 [inline]
 __sys_connect+0x3da/0x460 net/socket.c:2017
 __do_sys_connect net/socket.c:2027 [inline]
 __se_sys_connect net/socket.c:2024 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2024
 x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 374:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:242
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:250
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1750 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
 slab_free mm/slub.c:3712 [inline]
 __kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
 kfree+0x6f/0xf0 mm/slab_common.c:990
 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
 l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193
 l2tp_session_delete+0x3f0/0x4e0 net/l2tp/l2tp_core.c:1582
 pppol2tp_release+0x185/0x2d0 net/l2tp/l2tp_ppp.c:438
 __sock_release net/socket.c:652 [inline]
 sock_close+0xf1/0x290 net/socket.c:1389
 __fput+0x1fc/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88812d82d400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 336 bytes inside of
 512-byte region [ffff88812d82d400, ffff88812d82d600)

The buggy address belongs to the physical page:
page:ffffea0004b60b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d82c
head:ffffea0004b60b00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 60, tgid 60 (kworker/1:2), ts 26581019118, free_ts 25883776141
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2672
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2679
 get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4585
 __alloc_pages+0x1fa/0x610 mm/page_alloc.c:5929
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1967 [inline]
 new_slab+0x98/0x3d0 mm/slub.c:2020
 ___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
 __slab_alloc+0x5e/0xa0 mm/slub.c:3263
 slab_alloc_node mm/slub.c:3348 [inline]
 __kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
 __do_kmalloc_node mm/slab_common.c:937 [inline]
 __kmalloc_node_track_caller+0xa0/0x1e0 mm/slab_common.c:958
 kmalloc_reserve net/core/skbuff.c:449 [inline]
 __alloc_skb+0x236/0x4b0 net/core/skbuff.c:518
 alloc_skb include/linux/skbuff.h:1322 [inline]
 nlmsg_new include/net/netlink.h:987 [inline]
 inet6_ifa_notify net/ipv6/addrconf.c:5569 [inline]
 __ipv6_ifa_notify+0x200/0xe80 net/ipv6/addrconf.c:6227
 ipv6_ifa_notify net/ipv6/addrconf.c:6279 [inline]
 addrconf_dad_completed+0x190/0xe80 net/ipv6/addrconf.c:4283
 addrconf_dad_work+0xc41/0x14d0 net/ipv6/addrconf.c:-1
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
 worker_thread+0xa29/0x11e0 kernel/workqueue.c:2449
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1580 [inline]
 free_pcp_prepare mm/page_alloc.c:1654 [inline]
 free_unref_page_prepare+0x7f8/0x800 mm/page_alloc.c:3620
 free_unref_page+0x95/0x540 mm/page_alloc.c:3718
 free_the_page mm/page_alloc.c:863 [inline]
 __free_pages+0x67/0x100 mm/page_alloc.c:6019
 __vunmap+0x9c0/0xb80 mm/vmalloc.c:2739
 __vfree mm/vmalloc.c:2788 [inline]
 vfree+0x61/0x90 mm/vmalloc.c:2819
 kcov_put kernel/kcov.c:437 [inline]
 kcov_close+0x2b/0x50 kernel/kcov.c:533
 __fput+0x1fc/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0xa35/0x2660 kernel/exit.c:886
 do_group_exit+0x225/0x2e0 kernel/exit.c:1029
 get_signal+0x13b5/0x1520 kernel/signal.c:2891
 arch_do_signal_or_restart+0xd1/0x1140 arch/x86/kernel/signal.c:871
 exit_to_user_mode_loop+0x7a/0xb0 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303

Memory state around the buggy address:
 ffff88812d82d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812d82d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812d82d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88812d82d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812d82d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
Write of size 8 at addr ffff88812d82d550 by task syz.2.17/374

CPU: 1 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
 mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
 pppol2tp_release+0x194/0x2d0 net/l2tp/l2tp_ppp.c:441
 __sock_release net/socket.c:652 [inline]
 sock_close+0xf1/0x290 net/socket.c:1389
 __fput+0x1fc/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fc48af9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffdc160b68 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffdc160c50 RCX: 00007fc48af9ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000067d3 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33120000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc48b215fac R14: 00007fc48b215fa8 R15: 00007fc48b215fa0
 </TASK>

Allocated by task 374:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:380 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 __do_kmalloc_node mm/slab_common.c:938 [inline]
 __kmalloc+0xb1/0x1e0 mm/slab_common.c:951
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 l2tp_session_create+0x38/0xbe0 net/l2tp/l2tp_core.c:1609
 pppol2tp_connect+0xbef/0x1620 net/l2tp/l2tp_ppp.c:771
 __sys_connect_file net/socket.c:2000 [inline]
 __sys_connect+0x3da/0x460 net/socket.c:2017
 __do_sys_connect net/socket.c:2027 [inline]
 __se_sys_connect net/socket.c:2024 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2024
 x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 374:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:242
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:250
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1750 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
 slab_free mm/slub.c:3712 [inline]
 __kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
 kfree+0x6f/0xf0 mm/slab_common.c:990
 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
 l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193
 l2tp_session_delete+0x3f0/0x4e0 net/l2tp/l2tp_core.c:1582
 pppol2tp_release+0x185/0x2d0 net/l2tp/l2tp_ppp.c:438
 __sock_release net/socket.c:652 [inline]
 sock_close+0xf1/0x290 net/socket.c:1389
 __fput+0x1fc/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88812d82d400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 336 bytes inside of
 512-byte region [ffff88812d82d400, ffff88812d82d600)

The buggy address belongs to the physical page:
page:ffffea0004b60b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d82c
head:ffffea0004b60b00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 60, tgid 60 (kworker/1:2), ts 26581019118, free_ts 25883776141
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2672
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2679
 get_page_from_freelist+0x2d12/0x2d80 mm/page_alloc.c:4585
 __alloc_pages+0x1fa/0x610 mm/page_alloc.c:5929
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1967 [inline]
 new_slab+0x98/0x3d0 mm/slub.c:2020
 ___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
 __slab_alloc+0x5e/0xa0 mm/slub.c:3263
 slab_alloc_node mm/slub.c:3348 [inline]
 __kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
 __do_kmalloc_node mm/slab_common.c:937 [inline]
 __kmalloc_node_track_caller+0xa0/0x1e0 mm/slab_common.c:958
 kmalloc_reserve net/core/skbuff.c:449 [inline]
 __alloc_skb+0x236/0x4b0 net/core/skbuff.c:518
 alloc_skb include/linux/skbuff.h:1322 [inline]
 nlmsg_new include/net/netlink.h:987 [inline]
 inet6_ifa_notify net/ipv6/addrconf.c:5569 [inline]
 __ipv6_ifa_notify+0x200/0xe80 net/ipv6/addrconf.c:6227
 ipv6_ifa_notify net/ipv6/addrconf.c:6279 [inline]
 addrconf_dad_completed+0x190/0xe80 net/ipv6/addrconf.c:4283
 addrconf_dad_work+0xc41/0x14d0 net/ipv6/addrconf.c:-1
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
 worker_thread+0xa29/0x11e0 kernel/workqueue.c:2449
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1580 [inline]
 free_pcp_prepare mm/page_alloc.c:1654 [inline]
 free_unref_page_prepare+0x7f8/0x800 mm/page_alloc.c:3620
 free_unref_page+0x95/0x540 mm/page_alloc.c:3718
 free_the_page mm/page_alloc.c:863 [inline]
 __free_pages+0x67/0x100 mm/page_alloc.c:6019
 __vunmap+0x9c0/0xb80 mm/vmalloc.c:2739
 __vfree mm/vmalloc.c:2788 [inline]
 vfree+0x61/0x90 mm/vmalloc.c:2819
 kcov_put kernel/kcov.c:437 [inline]
 kcov_close+0x2b/0x50 kernel/kcov.c:533
 __fput+0x1fc/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0xa35/0x2660 kernel/exit.c:886
 do_group_exit+0x225/0x2e0 kernel/exit.c:1029
 get_signal+0x13b5/0x1520 kernel/signal.c:2891
 arch_do_signal_or_restart+0xd1/0x1140 arch/x86/kernel/signal.c:871
 exit_to_user_mode_loop+0x7a/0xb0 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303

Memory state around the buggy address:
 ffff88812d82d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812d82d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812d82d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88812d82d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812d82d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================