Extracting prog: 1h43m53.74229645s
Minimizing prog: 15m58.651084726s
Simplifying prog options: 0s
Extracting C: 29.925362701s
Simplifying C: 22m58.550516762s


extracting reproducer from 37 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-socket-getsockname$packet-sendmsg$sock-bpf$PROG_LOAD-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$nl802154-syz_genetlink_get_family_id$netlbl_cipso-syz_init_net_socket$bt_sco-socket$nl_netfilter-sendmsg$IPCTNL_MSG_CT_NEW-syz_init_net_socket$ax25-ioctl$sock_netdev_private-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netrom_SIOCADDRT-syz_init_net_socket$ax25-bind$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_genetlink_get_family_id$tipc2-syz_genetlink_get_family_id$ipvs-setsockopt$ax25_SO_BINDTODEVICE-socket$nl_xfrm-ioctl$sock_netdev_private-writev-socket$nl_route-socket-socket$nl_route-bpf$BPF_MAP_GET_FD_BY_ID-bpf$MAP_CREATE_TAIL_CALL
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
single: failed to extract reproducer
bisect: bisecting 37 programs with base timeout 30s
testing program (duration=39s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 17, 20, 25, 20, 23, 23, 20, 5, 22, 14, 15, 2, 20, 16, 14, 16, 5, 17, 10, 12, 8, 22, 4, 6, 15, 26, 22, 26, 19, 5, 23, 24, 27, 19, 20, 29]
detailed listing:
executing program 0:
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000340)=ANY=[@ANYBLOB="1800"], 0x18}}, 0x0)
pipe2$watch_queue(&(0x7f00000002c0), 0x80)
sendmsg$ETHTOOL_MSG_LINKINFO_SET(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000001c0)=ANY=[@ANYBLOB="00042dbd7000fd"], 0x14}, 0x1, 0x0, 0x0, 0x2010}, 0x4001)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000000)={[0x38, 0xfff, 0x0, 0x180, 0x4, 0xff, 0xf1, 0x0, 0x7fffffffffffe, 0x5, 0x4005, 0x8, 0x0, 0x45, 0x1, 0xbdb], 0xdddd0000, 0x1c4213})
bind$inet(0xffffffffffffffff, &(0x7f0000000000)={0x2, 0x4e22, @broadcast}, 0x10)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
sched_setscheduler(0x0, 0x1, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000280), 0x181800, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0)
r1 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000040), 0x42, 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x10004, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r1, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0])
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(0xffffffffffffffff, 0x1, &(0x7f0000000200)={0x100}, 0x0)
close(0xffffffffffffffff)
umount2(&(0x7f00000002c0)='./file0\x00', 0x0)
r2 = openat$vicodec0(0xffffff9c, &(0x7f0000001dc0), 0x2, 0x0)
ioctl$VIDIOC_DQBUF(r2, 0xc04c5611, &(0x7f0000001e00)=@overlay={0x1, 0xa, 0x4, 0x800, 0x9, {0x77359400}, {0x1, 0xc, 0x6, 0x6, 0x4, 0x1, "6db7036d"}, 0x4, 0x3, {}, 0x2})
r3 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x28081)
syz_open_procfs$namespace(0x0, &(0x7f00000003c0)='ns/net\x00')
writev(r3, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
pselect6(0x40, &(0x7f00000001c0)={0x0, 0x0, 0x5, 0xfffffffffffffffd, 0x8001, 0x0, 0x5, 0x45}, 0x0, &(0x7f0000000080)={0x3ff, 0x4, 0x100000, 0x9, 0x0, 0x10, 0x80000002}, 0x0, 0x0)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 0:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r1, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r1, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 0:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
r2 = syz_open_dev$sg(&(0x7f0000000480), 0xfffffffffffffffa, 0x1841)
writev(r2, &(0x7f0000000040)=[{&(0x7f0000000500)="9b7385220700000000000000e57c489b51b14b7aea6ef45d0c085cb7df42ccf49eabcf03d0e97bb857dbd8d553a187d0", 0x30}, {&(0x7f0000000540)="53000000d073b0f3347edc854b4bc4db1e2e1302af076bb6c9909a18e554d5ecc9db5942dac6a182a0efc18289ba2d68f7e5121dc8db62a39389242ce69529ab9bb7aad26d928b530b9345c2ccce127c140538", 0x53}], 0x2)
write$USERIO_CMD_SET_PORT_TYPE(0xffffffffffffffff, 0x0, 0x0)
ioctl$CEC_ADAP_S_LOG_ADDRS(0xffffffffffffffff, 0xc05c6104, 0x0)
ioctl$CEC_TRANSMIT(0xffffffffffffffff, 0xc0386105, 0x0)
syz_open_dev$sg(&(0x7f0000000000), 0xf9ba, 0x101)
openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000300), 0x2, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$ETHTOOL_MSG_COALESCE_GET(r4, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xc040}, 0x4000000)
r5 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000100)={'macvtap0\x00', <r6=>0x0})
sendmmsg(0xffffffffffffffff, &(0x7f0000001240), 0x0, 0x8010)
sendmsg$ETHTOOL_MSG_CHANNELS_SET(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000180)={0x30, r3, 0x1, 0x70bd2a, 0x25dfdbfb, {}, [@ETHTOOL_A_CHANNELS_COMBINED_COUNT={0x8, 0x9, 0x6}, @ETHTOOL_A_CHANNELS_HEADER={0x14, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r6}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x8080}, 0x8885)
mremap(&(0x7f0000000000/0x9000)=nil, 0x600002, 0x600002, 0x7, &(0x7f0000a00000/0x600000)=nil)
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, 0x0, 0x0)
mbind(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x2)
executing program 0:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x1, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
r3 = syz_open_dev$dri(&(0x7f0000000140), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r3, 0xc02064b2, &(0x7f0000000040)={0x2, 0x2, 0x7})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r3, 0xc02064b2, 0x0)
ioctl$DRM_IOCTL_MODE_ADDFB2(r3, 0xc06864b8, &(0x7f0000000580)={0x0, 0xc1, 0x7f, 0x20203843, 0x0, [0x2], [0x800]})
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000200)={&(0x7f00000000c0), 0x0, 0x0, 0x0, 0x1, 0x59})
socket$inet6(0xa, 0x2, 0x0)
socket$kcm(0x10, 0x3, 0x10)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000040), 0x0)
socket$pppl2tp(0x18, 0x1, 0x1)
openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0)
executing program 0:
r0 = syz_open_dev$video(&(0x7f0000000100), 0x3, 0x2000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0x6, 0xfa11, 0xffffffff}, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0201, 0x0)
ioctl$SNDCTL_DSP_SPEED(r4, 0xc0045002, &(0x7f0000000080)=0x3ff)
write$dsp(r4, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
sendmsg$nl_xfrm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x10, 0x1, 0xfffffffe, 0x100, {{@in6=@private0={0xfc, 0x0, '\x00', 0x1}, @in=@rand_addr=0x64010101, 0x1, 0x714, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x3f}, {0x0, 0x192, 0x6, 0xffff, 0x8251c, 0x2, 0xfffffffffffffff8}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0x2, 0xfffffffc}, 0x70bd2a, 0x3504, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
syz_emit_ethernet(0x6a, &(0x7f00000002c0)={@local, @broadcast, @void, {@ipv4={0x800, @tipc={{0xc, 0x4, 0x0, 0x3c, 0x5c, 0x67, 0x0, 0x3, 0x6, 0x0, @rand_addr=0x64010100, @local, {[@rr={0x7, 0xf, 0x7, [@initdev={0xac, 0x1e, 0x1, 0x0}, @dev={0xac, 0x14, 0x14, 0xa}, @multicast2]}, @ssrr={0x89, 0x7, 0x1e, [@multicast1]}, @lsrr={0x83, 0x3, 0x93}]}}, @payload_mcast={{{{{{0x2c, 0x0, 0x0, 0x0, 0x0, 0xb, 0x1, 0x2, 0x5, 0x0, 0x1, 0x1, 0x0, 0x1, 0x800, 0x1, 0x1, 0x4e21, 0x4e22}, 0x1}, 0x3}, 0x1}}}}}}}, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r5 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x18, 0x1, 0xfffffffe, 0x100, {{@in6=@ipv4={'\x00', '\xff\xff', @multicast2}, @in6=@private1={0xfc, 0x1, '\x00', 0x1}, 0x1, 0x71c, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x25}, {0x0, 0x192, 0x9ba3, 0xffff, 0x8251c, 0x5, 0xfffffffffffffffc}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0xfffffffa, 0xfffffffc}, 0x80, 0x3500, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
r6 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r6, &(0x7f0000000000)={0x0, 0x3, &(0x7f0000000080)={&(0x7f00000000c0)={0x2, 0x3, 0x0, 0x9, 0xa, 0x0, 0x0, 0x0, [@sadb_address={0x3, 0x6, 0x0, 0x0, 0xe, @in={0x2, 0x0, @multicast1=0xe0000009}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @multicast1}}]}, 0x50}}, 0x0)
ioctl$VIDIOC_S_FMT(r0, 0xc0cc5605, &(0x7f00000025c0)={0x1, @vbi={0x8, 0x449, 0x47524247, 0x0, [0x4, 0x3], [0x40, 0x2], 0x13a}})
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000180)={@local, @multicast, @void, {@ipv6={0x86dd, @generic={0xc, 0x6, '\x00', 0x0, 0x2c, 0x1, @empty, @mcast2}}}}, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=ANY=[@ANYBLOB="0c04000010000104000000000000000000480000", @ANYRES32=r7, @ANYBLOB="101000000000000008000d0005000000e4031680a40001800c00070000000000adffffff0c00", @ANYRES16=r7], 0x40c}}, 0x0)
executing program 32:
r0 = syz_open_dev$video(&(0x7f0000000100), 0x3, 0x2000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0x6, 0xfa11, 0xffffffff}, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0201, 0x0)
ioctl$SNDCTL_DSP_SPEED(r4, 0xc0045002, &(0x7f0000000080)=0x3ff)
write$dsp(r4, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
sendmsg$nl_xfrm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x10, 0x1, 0xfffffffe, 0x100, {{@in6=@private0={0xfc, 0x0, '\x00', 0x1}, @in=@rand_addr=0x64010101, 0x1, 0x714, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x3f}, {0x0, 0x192, 0x6, 0xffff, 0x8251c, 0x2, 0xfffffffffffffff8}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0x2, 0xfffffffc}, 0x70bd2a, 0x3504, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
syz_emit_ethernet(0x6a, &(0x7f00000002c0)={@local, @broadcast, @void, {@ipv4={0x800, @tipc={{0xc, 0x4, 0x0, 0x3c, 0x5c, 0x67, 0x0, 0x3, 0x6, 0x0, @rand_addr=0x64010100, @local, {[@rr={0x7, 0xf, 0x7, [@initdev={0xac, 0x1e, 0x1, 0x0}, @dev={0xac, 0x14, 0x14, 0xa}, @multicast2]}, @ssrr={0x89, 0x7, 0x1e, [@multicast1]}, @lsrr={0x83, 0x3, 0x93}]}}, @payload_mcast={{{{{{0x2c, 0x0, 0x0, 0x0, 0x0, 0xb, 0x1, 0x2, 0x5, 0x0, 0x1, 0x1, 0x0, 0x1, 0x800, 0x1, 0x1, 0x4e21, 0x4e22}, 0x1}, 0x3}, 0x1}}}}}}}, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r5 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x18, 0x1, 0xfffffffe, 0x100, {{@in6=@ipv4={'\x00', '\xff\xff', @multicast2}, @in6=@private1={0xfc, 0x1, '\x00', 0x1}, 0x1, 0x71c, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x25}, {0x0, 0x192, 0x9ba3, 0xffff, 0x8251c, 0x5, 0xfffffffffffffffc}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0xfffffffa, 0xfffffffc}, 0x80, 0x3500, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
r6 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r6, &(0x7f0000000000)={0x0, 0x3, &(0x7f0000000080)={&(0x7f00000000c0)={0x2, 0x3, 0x0, 0x9, 0xa, 0x0, 0x0, 0x0, [@sadb_address={0x3, 0x6, 0x0, 0x0, 0xe, @in={0x2, 0x0, @multicast1=0xe0000009}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @multicast1}}]}, 0x50}}, 0x0)
ioctl$VIDIOC_S_FMT(r0, 0xc0cc5605, &(0x7f00000025c0)={0x1, @vbi={0x8, 0x449, 0x47524247, 0x0, [0x4, 0x3], [0x40, 0x2], 0x13a}})
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000180)={@local, @multicast, @void, {@ipv6={0x86dd, @generic={0xc, 0x6, '\x00', 0x0, 0x2c, 0x1, @empty, @mcast2}}}}, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=ANY=[@ANYBLOB="0c04000010000104000000000000000000480000", @ANYRES32=r7, @ANYBLOB="101000000000000008000d0005000000e4031680a40001800c00070000000000adffffff0c00", @ANYRES16=r7], 0x40c}}, 0x0)
executing program 5:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102)
writev(r0, 0x0, 0x0)
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f00000001c0)='./file1\x00', 0x0, &(0x7f0000000900)=ANY=[@ANYBLOB="00ea2eb34e7ea51c9446c55a2d1e0be39af9faf44ad59cb6ad1c94490d970e811439edddc71c9b18946b559ce53bee0a1abe562fc3f3898e5826eda1962cf6e3c4c0ade52151923a70b46eacfc1aaaebcf156e549e884bcabc1333f344f31cd30cd93cb2814e0dbc24a7a107e295e86e09283c825fe177c89c6385f68f2c843cffffffff15539bab6142ceed9265ba989d1a283fc4ffc83f3a7a6c746823e656ad78f3b5a336cdbd83dad59e0debb36b4ea5e658e253f01637cc03f704a08019f95b92fffffffff8dd21552d6967ab1b01e5d52a5793eb179deee4572770a5197127b090287bca2a4eaa1705b42c16968d0201d3ba3cc8000000657ea095f152b1b6a1e6ad8d24ad17f649ccc23d4ecbcdb5620cc48f95f563c2230f859d196e6c4f00b8e3a7b01fcb1d79dcc09b7a854ec8c31dd27ff9b4a2864e1dcaf719d20b56769d51228ecc1915fb8c8b598c11b3c296b05f9c5355fc6f19a7b28f5ae9a0d0804ccc5716cfac0246ddffa2f12077a02a959aa1b74373c38b2bcc90743b80666eae25dea73e127263b8fdbc64fe862b994ca8473d0000000000000000"], 0x1, 0x17d, &(0x7f00000004c0)="$eJzsmD9P6lAYxp/TciH35iY6u2giCTBY2qJGBgdmB038FzeJVIIWMdBB2PwUzn4CZ+JC4sfQQZ1ccHNyqGl7gAP+HdTE+PyG9zzv6dvTc94mT5OCEPJrub15uD5LJS90AP+RRELO3+mDGk2pb489Zi4ry+cn5v1Vu7OUH11PAPD9jz8/BqBT0OHJ3PeH707KcQ1aX69DQ0bqTQgYUm9Dw4bUDgS2pN5TdC2oN4zdiusYOzW3FAgzCFYQ7CDkRvfXPRYoKfsTyvVGs7VfdF2n/oXivf51CxoWlf2p76vXG1PpnwUNltQ5CKxKvYBErzdRS5TzT8QG6+vffH4KCoqfJgb+5J8KpBR/iin+kfWqh9lGszVTqRbLTtk5sO3cvDlrmnN2NjSiKL7hf39Df/qnrP/nldq4iOOo6Hl1K4r93I7iS44bD/1PQ3o6yoWcUwm/B+NiKhjSuswJIYQQQgghhBBCCCHk05mECP+CDpF/NmWvhNVPAQAA//94vnZt")
chdir(0x0)
r1 = openat$dir(0xffffffffffffff9c, 0x0, 0x0, 0x0)
lseek(r1, 0xfffffffffffffffc, 0x2)
getdents(r1, 0x0, 0x54)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r2 = syz_open_procfs(0x0, 0x0)
writev(r2, &(0x7f00000000c0)=[{}], 0x1)
openat(0xffffffffffffff9c, 0x0, 0x101042, 0x0)
r3 = syz_open_dev$dvb_demux(&(0x7f00000003c0), 0x0, 0x105e01)
ioctl$DVB_DEMUX_DMX_GET_STC(r3, 0xc0106f32, &(0x7f0000000040)={0xfffffffc})
bind$inet(0xffffffffffffffff, &(0x7f0000000240)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1a}}, 0x10)
executing program 5:
ioctl$FAT_IOCTL_GET_ATTRIBUTES(0xffffffffffffffff, 0x80047210, 0x0)
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000700)=ANY=[@ANYBLOB="1201000000000010711e0920000000000001090224000100000000090400090103000100092105000001220500090581030002"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB='\x00\x00\b'], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f00000001c0), 0x7fff800000000, 0x1050c0)
executing program 1:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 5:
socket$nl_route(0x10, 0x3, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nl802154(&(0x7f00000003c0), 0xffffffffffffffff)
sendmsg$NL802154_CMD_NEW_SEC_DEVKEY(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000540)={&(0x7f00000000c0)=ANY=[@ANYBLOB='\\\x00\x00\x00', @ANYRES16=r4, @ANYBLOB="0100fdffffff000000001e0000000800", @ANYRES32], 0x5c}, 0x1, 0x0, 0x0, 0x30ea32fe53398b3d}, 0x0)
executing program 4:
socket$kcm(0x10, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000480)={0x7, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x1}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
add_key$fscrypt_v1(0x0, &(0x7f0000000480)={'fscrypt:', @auto=[0x0, 0x0, 0x0, 0x34]}, &(0x7f00000000c0)={0x0, "3e82554dc8ccfbc2e85ec82d4ee9df60f6ae16b1a5f2c848722ba3b132e4fde178c945bd950b0477e801fc8a1be9b4ebbe9c2289a6b0aa00"}, 0x48, 0xfffffffffffffffe)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/timer_list\x00', 0x0, 0x0)
r4 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000180)='/proc/sys/net/ipv4/tcp_sack\x00', 0x1, 0x0)
sendfile(r4, r3, &(0x7f00000000c0)=0x8b, 0x100000500)
executing program 3:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000100)={0x0, 0x5, 0x40}, 0x8)
executing program 4:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, 0x0, 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
syz_open_procfs(0x0, &(0x7f00000000c0)='net/softnet_stat\x00')
openat$ptp0(0xffffff9c, &(0x7f0000000080), 0x400, 0x0)
socket$vsock_stream(0x28, 0x1, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r1, &(0x7f0000000840)=[{0x0}], 0x1)
syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x2)
read$FUSE(0xffffffffffffffff, 0x0, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x1000000, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)
executing program 2:
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000000240)=0x3)
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000080)=0x7f)
ioctl$SNDCTL_DSP_SPEED(r0, 0xc0045002, &(0x7f0000000000)=0xffffffff)
read$dsp(r0, &(0x7f0000000340)=""/36, 0x24)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x8081)
writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
bind$inet(0xffffffffffffffff, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x16)
write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, 0x0, 0x2, 0x0)
executing program 5:
r0 = socket$kcm(0x10, 0x2, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[@ANYBLOB="563f00001900599c6d0e000091d028ef8020"], 0xfe33)
r1 = syz_usb_connect$hid(0x0, 0x6c, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000000000040b827ed0100000000000109022400010000000009040000010300000009210000200122050009058103"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, &(0x7f0000000b80)={0x24, 0x0, 0x0, &(0x7f0000000b00)={0x0, 0x22, 0x5, {[@global=@item_4={0x3, 0x1, 0x0, "efb9ce47"}]}}, 0x0}, 0x0)
socket(0x18, 0x2, 0x400000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='cpuacct.usage_percpu\x00', 0x275a, 0x0)
write$UHID_CREATE2(r2, &(0x7f0000000040)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x88fd537e5c114b6e, 0x12, r2, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000002c0)={0x1, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1802000000000000000000000920000095"], &(0x7f0000000000)='syzkaller\x00', 0x8, 0xff5, &(0x7f0000001840)=""/4085, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x11d}, 0x94)
syz_usb_control_io$hid(r1, 0x0, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
write(r3, &(0x7f0000000000)="240000001a005f7f00f9f407000904bf80000000080000000000000004001e", 0x1f)
setsockopt$netlink_NETLINK_NO_ENOBUFS(r3, 0x10e, 0xc, &(0x7f0000000340)=0x6, 0x4)
sendmsg$nl_route(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=ANY=[], 0x24}}, 0x0)
syz_usb_control_io(r1, 0x0, &(0x7f0000000140)={0x44, &(0x7f0000000380)=ANY=[@ANYBLOB="20de238f6735cfaa1ae95581fcc01d6c438312cfea227f4fcfc37b4d3a1c770b753a6d3b7f2096978be96b55531635edcbb8c557d3db2e18057d4d10659af0e160984346c583ea9b14005e6873e5ced0fc4c915b498108fffe291cc3adc4539e0c9e49a5a6ebc33c4cfe7c5005e40530175f089e84bc3fc659a4f5ebe70eed9d606fddcdae9e3607456eeaca1ca60882b7e6100f9b10b78abdda9956542b06b36473472f5f61a3ee7631ee0da5af9b89165b2d54a7748bbea70a4e236d5e671f2e58864f7936661244e4d7a8824c919eafe9c1b052462481997be94145ad"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
executing program 1:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x60000b, 0x9)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f00000002c0)={0xaa, 0x100})
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x19)
executing program 3:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
ioctl$TCSETS(0xffffffffffffffff, 0x40045431, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2f)
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f00000001c0)='./file1\x00', 0x0, &(0x7f0000000900)=ANY=[@ANYBLOB="00ea2eb34e7ea51c9446c55a2d1e0be39af9faf44ad59cb6ad1c94490d970e811439edddc71c9b18946b559ce53bee0a1abe562fc3f3898e5826eda1962cf6e3c4c0ade52151923a70b46eacfc1aaaebcf156e549e884bcabc1333f344f31cd30cd93cb2814e0dbc24a7a107e295e86e09283c825fe177c89c6385f68f2c843cffffffff15539bab6142ceed9265ba989d1a283fc4ffc83f3a7a6c746823e656ad78f3b5a336cdbd83dad59e0debb36b4ea5e658e253f01637cc03f704a08019f95b92fffffffff8dd21552d6967ab1b01e5d52a5793eb179deee4572770a5197127b090287bca2a4eaa1705b42c16968d0201d3ba3cc8000000657ea095f152b1b6a1e6ad8d24ad17f649ccc23d4ecbcdb5620cc48f95f563c2230f859d196e6c4f00b8e3a7b01fcb1d79dcc09b7a854ec8c31dd27ff9b4a2864e1dcaf719d20b56769d51228ecc1915fb8c8b598c11b3c296b05f9c5355fc6f19a7b28f5ae9a0d0804ccc5716cfac0246ddffa2f12077a02a959aa1b74373c38b2bcc90743b80666eae25dea73e127263b8fdbc64fe862b994ca8473d0000000000000000"], 0x1, 0x17d, &(0x7f00000004c0)="$eJzsmD9P6lAYxp/TciH35iY6u2giCTBY2qJGBgdmB038FzeJVIIWMdBB2PwUzn4CZ+JC4sfQQZ1ccHNyqGl7gAP+HdTE+PyG9zzv6dvTc94mT5OCEPJrub15uD5LJS90AP+RRELO3+mDGk2pb489Zi4ry+cn5v1Vu7OUH11PAPD9jz8/BqBT0OHJ3PeH707KcQ1aX69DQ0bqTQgYUm9Dw4bUDgS2pN5TdC2oN4zdiusYOzW3FAgzCFYQ7CDkRvfXPRYoKfsTyvVGs7VfdF2n/oXivf51CxoWlf2p76vXG1PpnwUNltQ5CKxKvYBErzdRS5TzT8QG6+vffH4KCoqfJgb+5J8KpBR/iin+kfWqh9lGszVTqRbLTtk5sO3cvDlrmnN2NjSiKL7hf39Df/qnrP/nldq4iOOo6Hl1K4r93I7iS44bD/1PQ3o6yoWcUwm/B+NiKhjSuswJIYQQQgghhBBCCCHk05mECP+CDpF/NmWvhNVPAQAA//94vnZt")
r1 = openat$dir(0xffffffffffffff9c, 0x0, 0x0, 0x0)
lseek(r1, 0xfffffffffffffffc, 0x2)
r2 = syz_open_procfs(0x0, 0x0)
writev(r2, &(0x7f00000000c0)=[{}], 0x1)
openat(0xffffffffffffff9c, 0x0, 0x101042, 0x0)
syz_open_dev$dvb_demux(&(0x7f00000003c0), 0x0, 0x105e01)
bind$inet(0xffffffffffffffff, &(0x7f0000000240)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1a}}, 0x10)
executing program 2:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='blkio.bfq.io_service_bytes_recursive\x00', 0x275a, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20042, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = dup(r1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000840)={0x1fe, 0x2, 0x2000, 0x1000, &(0x7f0000003000/0x1000)=nil})
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000040)=[@text64={0x40, 0x0}], 0x1, 0x11, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000200)=[@text64={0x40, 0x0, 0x3a}], 0x1, 0x8, 0x0, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 3:
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
openat$nullb(0xffffffffffffff9c, 0x0, 0x2803, 0x0)
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_TEST(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000340)={0x24, 0xb, 0x6, 0x801, 0x0, 0x0, {0x5, 0x0, 0x8}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_PROTOCOL={0x5}]}, 0x24}, 0x1, 0x0, 0x0, 0x4800}, 0x20000080)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000000))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r1, &(0x7f0000001a40)=""/102392, 0x18ff8)
r2 = syz_init_net_socket$llc(0x1a, 0x1, 0x0)
sendmmsg$inet(r2, &(0x7f0000000c40)=[{{&(0x7f0000000040)={0x2, 0x0, @multicast2}, 0x23, 0x0}}], 0x1e1730a30afb6559, 0x8014)
syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0)
executing program 1:
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil)
r0 = syz_io_uring_setup(0x82e, &(0x7f0000000300)={0x0, 0xcd1d, 0x10100, 0x1000000, 0x20000}, &(0x7f0000000040), &(0x7f0000000080), &(0x7f0000000000))
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
syz_usb_disconnect(0xffffffffffffffff)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000380)={&(0x7f0000001000)={[{0x0}, {0x0}, {0x0}, {0x0}]}, 0x4, 0x2}, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$vim2m_VIDIOC_QBUF(0xffffffffffffffff, 0xc058560f, 0x0)
executing program 2:
r0 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r0, &(0x7f0000000040)={0x2, 0x0, &(0x7f0000000340)={&(0x7f0000001380)=ANY=[@ANYBLOB], 0x70}, 0x1, 0x7}, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000300)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x1)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={<r2=>0xffffffffffffffff})
sendmmsg(r2, &(0x7f0000000180), 0x4000190, 0x0)
io_uring_enter(0xffffffffffffffff, 0x1, 0x20, 0x1, 0x0, 0x0)
ioctl$SG_SCSI_RESET(0xffffffffffffffff, 0x2284, 0x0)
recvmmsg$unix(0xffffffffffffffff, &(0x7f0000002380)=[{{0x0, 0x3f, &(0x7f0000001340)=[{&(0x7f00000002c0)=""/4096, 0x1000}], 0x1}}], 0x4000000000003b9, 0x26022, 0x0)
r3 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r4 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r4, 0x84, 0x64, &(0x7f0000000080)=[@in={0x2, 0x4e20, @empty}], 0x10)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r4, 0x84, 0x6f, &(0x7f00000000c0)={0x0, 0x10, &(0x7f0000000040)=[@in={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}]}, &(0x7f0000000100)=0x10)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, 0x0, 0x0)
readv(r3, &(0x7f0000000640)=[{&(0x7f0000000180)=""/117, 0x75}], 0x1)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000b80)={0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x37, '\x00', 0x0, 0x2a, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4}, 0x94)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
setsockopt$inet_msfilter(r2, 0x0, 0x29, &(0x7f00000012c0)={@initdev={0xac, 0x1e, 0x0, 0x0}, @rand_addr=0x64010102, 0x0, 0x7, [@private=0xa010100, @broadcast, @initdev={0xac, 0x1e, 0x1, 0x0}, @broadcast, @dev={0xac, 0x14, 0x14, 0x32}, @multicast2, @private=0xa010102]}, 0x2c)
executing program 2:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000000180)=[@in={0x2, 0x4e21, @empty}], 0x10)
sendmsg$inet_sctp(r0, &(0x7f0000000140)={&(0x7f0000000340)=@in={0x2, 0x4e21, @local}, 0x10, &(0x7f0000000380)=[{&(0x7f0000000040)='N', 0x1}], 0x1, 0x0, 0x0, 0x40080}, 0x4000890)
getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r0, 0x84, 0x74, 0x0, &(0x7f0000000400))
executing program 4:
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fd, 0x0, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f00000042c0)='mounts\x00')
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/crypto\x00', 0x0, 0x0)
read$FUSE(r1, &(0x7f0000000200)={0x2020}, 0x2020)
mount(&(0x7f0000000300), &(0x7f0000000080)='.\x00', &(0x7f0000000180)='devtmpfs\x00', 0x2200892, 0x0)
pread64(r0, &(0x7f0000002240)=""/237, 0xed, 0x4eb)
executing program 4:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
openat$ptp0(0xffffffffffffff9c, 0x0, 0x0, 0x0)
msgsnd(0x0, &(0x7f0000000180)=ANY=[@ANYRESOCT], 0x2000, 0x0)
execveat$binfmt(0xffffffffffffff9c, 0x0, 0x0, 0x0, 0x0)
mknodat$loop(0xffffffffffffff9c, 0x0, 0xc000, 0x0)
syz_open_dev$usbmon(0x0, 0x9, 0xa0002)
executing program 1:
r0 = syz_usb_connect(0x3, 0x24, &(0x7f0000001c80)=ANY=[@ANYBLOB="12010000941b6508c410c1ea2f700102030109021200010000000009040102"], 0x0)
r1 = socket(0x1d, 0x2, 0x6)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, 0x0)
bind$can_j1939(r1, 0x0, 0x0)
add_key$user(0x0, &(0x7f0000000100)={'syz', 0x2}, &(0x7f0000000080)="01", 0x1, 0xffffffffffffffff)
add_key$user(&(0x7f0000000140), &(0x7f00000003c0)={'syz', 0x0}, &(0x7f0000000400)="f40fc24077021c9b084c60ffc26f26db12b9e78d629870bb26edb4a5e1cc0942ed8c58ca4fe84b94a0e31ea64089ee9ca1efb52945ffebbfea11dd3d0ddc36a10285eccab940ab5c96cb5d81dadde6cfd6ea08d5abcb00bb35436929ddabce530b63fab525337057438cf64a506d54d5c83e3e593d1d53ad0e6a44168fe8cfc6ad98b653d84636e4ddc1f2ab58762b3494250b9557f5b606a43e50874c90143034142cd5f73b8e3b", 0xa8, 0xfffffffffffffffb)
keyctl$dh_compute(0x17, 0x0, &(0x7f0000001380)=""/4093, 0xffd, 0x0)
syz_genetlink_get_family_id$mptcp(0x0, r1)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
sendmsg$inet(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f00000000c0)="7b9050", 0x3}, {0x0}, {0x0}], 0x3}, 0x40090)
symlink(&(0x7f0000000080)='.\x00', &(0x7f0000000240)='./file0\x00')
getsockopt$TIPC_SRC_DROPPABLE(r1, 0x10f, 0x80, &(0x7f00000002c0), &(0x7f0000000380)=0x4)
r2 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r3 = fanotify_init(0x200, 0x0)
fanotify_mark(r3, 0x1, 0x4800003e, r2, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000580)='./file0\x00', 0x0, 0x0, 0x8, 0x0, 0x0)
lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0)
chmod(&(0x7f0000000180)='./file0\x00', 0x259)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11}, 0x94)
r4 = socket(0x1, 0x803, 0x0)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
ioctl$sock_SIOCETHTOOL(r5, 0x89f1, &(0x7f0000000340)={'sit0\x00', &(0x7f00000001c0)=@ethtool_cmd={0x3a, 0x5, 0x0, 0x0, 0x7, 0x0, 0x3, 0xfc, 0x3, 0xfc, 0x0, 0x1, 0x0, 0xff, 0x0, 0x1045}})
r6 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route(r6, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
executing program 2:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 5:
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040f04"], 0x7)
close(0xffffffffffffffff)
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
listen(r0, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r1)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
accept(r1, 0x0, 0x0)
recvfrom(r3, 0x0, 0x0, 0x4100, 0x0, 0x0)
mmap(&(0x7f0000200000/0x4000)=nil, 0x4000, 0x4, 0x200000006c832, 0xffffffffffffffff, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x38}}, 0x0)
executing program 2:
r0 = syz_usb_connect$cdc_ncm(0x0, 0x7a, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000020000402505a1a44000010203010902680002010040000904000001020e0000052406000105240000000d370f0100000000000000000006241a0000000c241b4800f3ff00050080050905810300020000000904010000020d00000904010102020d0000090582020004000000090503020002"], 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000780)={0x84, &(0x7f0000000300)={0x0, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
executing program 4:
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000040)=0x90000)
ioctl$TIOCSTI(0xffffffffffffffff, 0x5412, &(0x7f0000000140)=0x8)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="4400000096ca077900000000000000", @ANYRES32=0x0, @ANYBLOB="0000000008290400240012800b000100697036746e6c0000140002800600120000000000060012"], 0x44}}, 0x0)
r1 = syz_usb_connect(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000014da2108ab1204000000000000010902240001b30000040904410c17ff5d810009050f1f05e13f000009058303"], 0x0)
io_uring_setup(0x160f, 0x0)
socket$netlink(0x10, 0x3, 0x0)
recvmsg$kcm(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x1, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f00000001c0)={'batadv0\x00', <r2=>0x0})
sendto$packet(0xffffffffffffffff, 0x0, 0x0, 0x24000805, &(0x7f0000000340)={0x11, 0x86dd, r2, 0x1, 0x0, 0x6, @local}, 0x14)
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000640)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x41c, 0x3c}}, './file0\x00'})
r3 = syz_open_dev$sndctrl(&(0x7f0000000300), 0x1, 0x0)
r4 = socket$packet(0x11, 0x2, 0x300)
setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000000000)={0x2, &(0x7f0000000440)=[{0x20, 0x2, 0x81, 0xfffff034}, {0x6, 0x1, 0x12, 0xffffffff}]}, 0x8)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x42901, 0x0)
r5 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @broadcast})
ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r3, 0xc2c45512, &(0x7f0000000340)={{0x8, 0x6, 0x0, 0x5, '\x00', 0xfffffffd}, 0x0, [0x101, 0x0, 0x0, 0x0, 0x4000000, 0x100001, 0x7, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x80000003, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x4, 0x4, 0x5, 0x0, 0x0, 0xe4, 0x0, 0x9, 0x3, 0x800, 0x8, 0x0, 0x0, 0x6, 0x0, 0x0, 0xa, 0x1, 0xcdc, 0x0, 0xffffffff, 0x600000, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x2, 0x0, 0x1559, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x8, 0x4, 0x800, 0x0, 0x3, 0x2, 0x0, 0x3, 0x0, 0x2, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x9, 0x80000000, 0x400000, 0x3, 0xc13, 0x0, 0x0, 0xfffffffc, 0x80000000, 0x0, 0x9, 0x80000000, 0xfffffffd, 0x0, 0x3, 0x800001, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x3, 0x0, 0x40000000, 0x2cbb, 0x2, 0x7b1ae8f, 0x6c, 0x0, 0x80000005, 0x0, 0x3, 0x2d6, 0x80000, 0x6, 0x100000, 0x0, 0x0, 0x4, 0x1, 0x2002001, 0x0, 0x0, 0xd686, 0x0, 0x8, 0x40000000, 0xfffffffb]})
socket$inet6_udp(0xa, 0x2, 0x0)
syz_open_dev$radio(&(0x7f0000000000), 0x2, 0x2)
syz_usb_ep_read(r1, 0xf, 0xffffffffffffffd2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
executing program 3:
r0 = syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x80)
ioctl$I2C_PEC(r0, 0x708, 0xfffffffffffffffe)
pwrite64(0xffffffffffffffff, 0x0, 0x0, 0x5)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x2, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="9feb010018000000000000"], 0x0, 0x34}, 0x28)
syz_io_uring_setup(0x7b6, &(0x7f0000000500)={0x0, 0x146, 0x0, 0x2, 0x400000}, &(0x7f0000000300)=<r2=>0x0, &(0x7f0000000280)=<r3=>0x0, &(0x7f0000000100)=<r4=>0x0)
syz_io_uring_submit(r2, r3, r4, &(0x7f00000001c0)=@IORING_OP_WRITE={0x17, 0x6, 0x4000, @fd, 0x8, 0x0, 0x0, 0x0, 0x1})
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{0xffffffffffffffff, <r5=>0xffffffffffffffff}, &(0x7f00000000c0), &(0x7f0000000100)}, 0x20)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000800)={0xffffffffffffffff, 0x20, &(0x7f00000007c0)={&(0x7f0000000600)=""/249, 0xf9, <r6=>0x0, 0x0}}, 0x10)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000940)=@bpf_lsm={0x1d, 0x3, &(0x7f0000000340)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x9b}}, &(0x7f0000000480)='syzkaller\x00', 0x3, 0x0, 0x0, 0x41100, 0x9, '\x00', 0x0, 0x1b, r1, 0x8, &(0x7f00000004c0)={0x1, 0x4}, 0x8, 0x10, &(0x7f00000005c0)={0x0, 0x6, 0x7, 0x8000}, 0x10, r6, 0x0, 0x0, &(0x7f0000000840)=[r1, r5], &(0x7f0000000880)}, 0x94)
r7 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r7, &(0x7f0000019680)=""/102392, 0x18ff8)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]})
pivot_root(0x0, 0x0)
write$cgroup_int(0xffffffffffffffff, &(0x7f0000000040)=0x1c9, 0x12)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, 0x0)
gettid()
r8 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0xc0040, 0x0)
ioctl$LOOP_CTL_REMOVE(r8, 0x4c81, 0x0)
ioctl$I2C_SMBUS(r0, 0x720, &(0x7f00000000c0)={0x1, 0x1, 0x5, &(0x7f0000000000)={0x1f, "90f5000012f300800000000000049942a55e00"}})
executing program 5:
r0 = openat$tun(0xffffff9c, &(0x7f0000000000), 0x200, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x50)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1, 0x50, 0xffffffffffffffff, 0x0)
r1 = socket(0x2c, 0x3, 0x1000)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
syz_genetlink_get_family_id$ethtool(0x0, r1)
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000080)={0x1, &(0x7f0000000040)=[{0x200000000006, 0x0, 0x0, 0x7ffc0002}]})
ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f00000001c0)=<r4=>0x0)
sched_setattr(r4, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x100000001, 0xfffffe0000000001, 0xfa11, 0x65aa}, 0x0)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file2\x00', 0x81c0, 0x0)
syz_io_uring_setup(0x4ad9, &(0x7f0000000300)={0x0, 0x9731, 0x4000, 0x3, 0x145}, &(0x7f00000003c0), 0x0, &(0x7f0000000000))
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x15)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
syz_open_procfs(0x0, &(0x7f0000000180)='cgroup\x00')
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000010000000900010073797a30000000002c000000030a01020000000000000000010000000900010073797a30000000000900030073797a312000000038000000030a01040000000000000000010000010900010073797a30000000000c00024000000000000000010900030003000000000000001400000011"], 0xac}, 0x1, 0x0, 0x0, 0x8040}, 0x0)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x19)
ioctl$TUNSETLINK(r0, 0x400454cd, 0x10e)
r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000001c0), 0x4b301, 0x0)
ioctl$TIOCSETD(r6, 0x5423, &(0x7f0000000240)=0xd)
writev(r6, &(0x7f0000000080)=[{&(0x7f0000000280)='*', 0x1}], 0x1)
syz_usb_connect(0x5, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="1201000092ecc620ac05c2773aeb0102030109022400010000"], 0x0)
executing program 1:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r1)
r2 = socket$unix(0x1, 0x1, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r4=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000026c0)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r4, {0x0, 0xb}, {0xffff, 0xffff}, {0xfff2, 0x2}}, [@qdisc_kind_options=@q_cbs={{0x8}, {0x1c, 0x2, @TCA_CBS_PARMS={0x18, 0x1, {0x0, '\x00', 0x1, 0x4, 0x100, 0x8}}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000001}, 0x0)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000300)={'syzkaller0\x00', @multicast})
socket$phonet_pipe(0x23, 0x5, 0x2)
r5 = socket$kcm(0x11, 0x3, 0x0)
r6 = socket$unix(0x1, 0x5, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r8=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000001c0)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x70b926, 0x25dfdc01, {0x0, 0x0, 0x0, r8, {0x0, 0xd}, {0xc, 0xb}, {0xffff, 0xffe0}}, [@qdisc_kind_options=@q_gred={{0x9}, {0x14, 0x2, [@TCA_GRED_DPS={0x10, 0x3, {0xe, 0x0, 0x0, 0x6}}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x240040e0}, 0x4890)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r9=>0x0})
setsockopt$sock_attach_bpf(r5, 0x107, 0xf, &(0x7f0000000600), 0x56)
sendmsg$kcm(r5, &(0x7f00000000c0)={&(0x7f0000000580)=@xdp={0x2c, 0x0, r9, 0x3e}, 0x80, &(0x7f0000000080)=[{&(0x7f0000000180)="27030200590214000600002fb96dbcf706e10500000088a8ffff86ddee162fd4b8bf4a31accb", 0xfdef}], 0x1}, 0x0)
executing program 1:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-socket-getsockname$packet-sendmsg$sock-bpf$PROG_LOAD-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$nl802154-syz_genetlink_get_family_id$netlbl_cipso-syz_init_net_socket$bt_sco-socket$nl_netfilter-sendmsg$IPCTNL_MSG_CT_NEW-syz_init_net_socket$ax25-ioctl$sock_netdev_private-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netrom_SIOCADDRT-syz_init_net_socket$ax25-bind$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_genetlink_get_family_id$tipc2-syz_genetlink_get_family_id$ipvs-setsockopt$ax25_SO_BINDTODEVICE-socket$nl_xfrm-ioctl$sock_netdev_private-writev-socket$nl_route-socket-socket$nl_route-bpf$BPF_MAP_GET_FD_BY_ID-bpf$MAP_CREATE_TAIL_CALL
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
single: failed to extract reproducer
bisect: bisecting 37 programs with base timeout 1m40s
testing program (duration=1m49s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 17, 20, 25, 20, 23, 23, 20, 5, 22, 14, 15, 2, 20, 16, 14, 16, 5, 17, 10, 12, 8, 22, 4, 6, 15, 26, 22, 26, 19, 5, 23, 24, 27, 19, 20, 29]
detailed listing:
executing program 0:
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000340)=ANY=[@ANYBLOB="1800"], 0x18}}, 0x0)
pipe2$watch_queue(&(0x7f00000002c0), 0x80)
sendmsg$ETHTOOL_MSG_LINKINFO_SET(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000001c0)=ANY=[@ANYBLOB="00042dbd7000fd"], 0x14}, 0x1, 0x0, 0x0, 0x2010}, 0x4001)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000000)={[0x38, 0xfff, 0x0, 0x180, 0x4, 0xff, 0xf1, 0x0, 0x7fffffffffffe, 0x5, 0x4005, 0x8, 0x0, 0x45, 0x1, 0xbdb], 0xdddd0000, 0x1c4213})
bind$inet(0xffffffffffffffff, &(0x7f0000000000)={0x2, 0x4e22, @broadcast}, 0x10)
ioctl$KVM_RUN(r2, 0xae80, 0x0)
executing program 0:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
sched_setscheduler(0x0, 0x1, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000280), 0x181800, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0)
r1 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000040), 0x42, 0x0)
mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000002100), 0x10004, &(0x7f0000002140)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r1, @ANYBLOB=',rootmode=0000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0])
landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH(0xffffffffffffffff, 0x1, &(0x7f0000000200)={0x100}, 0x0)
close(0xffffffffffffffff)
umount2(&(0x7f00000002c0)='./file0\x00', 0x0)
r2 = openat$vicodec0(0xffffff9c, &(0x7f0000001dc0), 0x2, 0x0)
ioctl$VIDIOC_DQBUF(r2, 0xc04c5611, &(0x7f0000001e00)=@overlay={0x1, 0xa, 0x4, 0x800, 0x9, {0x77359400}, {0x1, 0xc, 0x6, 0x6, 0x4, 0x1, "6db7036d"}, 0x4, 0x3, {}, 0x2})
r3 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x28081)
syz_open_procfs$namespace(0x0, &(0x7f00000003c0)='ns/net\x00')
writev(r3, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
pselect6(0x40, &(0x7f00000001c0)={0x0, 0x0, 0x5, 0xfffffffffffffffd, 0x8001, 0x0, 0x5, 0x45}, 0x0, &(0x7f0000000080)={0x3ff, 0x4, 0x100000, 0x9, 0x0, 0x10, 0x80000002}, 0x0, 0x0)
close_range(r0, 0xffffffffffffffff, 0x0)
executing program 0:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r1, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r1, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 0:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0xfffffe0000000001, 0xfa11, 0xffffffff}, 0x0)
r2 = syz_open_dev$sg(&(0x7f0000000480), 0xfffffffffffffffa, 0x1841)
writev(r2, &(0x7f0000000040)=[{&(0x7f0000000500)="9b7385220700000000000000e57c489b51b14b7aea6ef45d0c085cb7df42ccf49eabcf03d0e97bb857dbd8d553a187d0", 0x30}, {&(0x7f0000000540)="53000000d073b0f3347edc854b4bc4db1e2e1302af076bb6c9909a18e554d5ecc9db5942dac6a182a0efc18289ba2d68f7e5121dc8db62a39389242ce69529ab9bb7aad26d928b530b9345c2ccce127c140538", 0x53}], 0x2)
write$USERIO_CMD_SET_PORT_TYPE(0xffffffffffffffff, 0x0, 0x0)
ioctl$CEC_ADAP_S_LOG_ADDRS(0xffffffffffffffff, 0xc05c6104, 0x0)
ioctl$CEC_TRANSMIT(0xffffffffffffffff, 0xc0386105, 0x0)
syz_open_dev$sg(&(0x7f0000000000), 0xf9ba, 0x101)
openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000300), 0x2, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$ETHTOOL_MSG_COALESCE_GET(r4, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xc040}, 0x4000000)
r5 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000100)={'macvtap0\x00', <r6=>0x0})
sendmmsg(0xffffffffffffffff, &(0x7f0000001240), 0x0, 0x8010)
sendmsg$ETHTOOL_MSG_CHANNELS_SET(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000180)={0x30, r3, 0x1, 0x70bd2a, 0x25dfdbfb, {}, [@ETHTOOL_A_CHANNELS_COMBINED_COUNT={0x8, 0x9, 0x6}, @ETHTOOL_A_CHANNELS_HEADER={0x14, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r6}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x8080}, 0x8885)
mremap(&(0x7f0000000000/0x9000)=nil, 0x600002, 0x600002, 0x7, &(0x7f0000a00000/0x600000)=nil)
setsockopt$XDP_UMEM_REG(0xffffffffffffffff, 0x11b, 0x4, 0x0, 0x0)
mbind(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x0, 0x2)
executing program 0:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x7, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x1, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
r3 = syz_open_dev$dri(&(0x7f0000000140), 0x1, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r3, 0xc02064b2, &(0x7f0000000040)={0x2, 0x2, 0x7})
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r3, 0xc02064b2, 0x0)
ioctl$DRM_IOCTL_MODE_ADDFB2(r3, 0xc06864b8, &(0x7f0000000580)={0x0, 0xc1, 0x7f, 0x20203843, 0x0, [0x2], [0x800]})
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000200)={&(0x7f00000000c0), 0x0, 0x0, 0x0, 0x1, 0x59})
socket$inet6(0xa, 0x2, 0x0)
socket$kcm(0x10, 0x3, 0x10)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000040), 0x0)
socket$pppl2tp(0x18, 0x1, 0x1)
openat$cgroup_root(0xffffffffffffff9c, 0x0, 0x200002, 0x0)
executing program 0:
r0 = syz_open_dev$video(&(0x7f0000000100), 0x3, 0x2000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0x6, 0xfa11, 0xffffffff}, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0201, 0x0)
ioctl$SNDCTL_DSP_SPEED(r4, 0xc0045002, &(0x7f0000000080)=0x3ff)
write$dsp(r4, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
sendmsg$nl_xfrm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x10, 0x1, 0xfffffffe, 0x100, {{@in6=@private0={0xfc, 0x0, '\x00', 0x1}, @in=@rand_addr=0x64010101, 0x1, 0x714, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x3f}, {0x0, 0x192, 0x6, 0xffff, 0x8251c, 0x2, 0xfffffffffffffff8}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0x2, 0xfffffffc}, 0x70bd2a, 0x3504, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
syz_emit_ethernet(0x6a, &(0x7f00000002c0)={@local, @broadcast, @void, {@ipv4={0x800, @tipc={{0xc, 0x4, 0x0, 0x3c, 0x5c, 0x67, 0x0, 0x3, 0x6, 0x0, @rand_addr=0x64010100, @local, {[@rr={0x7, 0xf, 0x7, [@initdev={0xac, 0x1e, 0x1, 0x0}, @dev={0xac, 0x14, 0x14, 0xa}, @multicast2]}, @ssrr={0x89, 0x7, 0x1e, [@multicast1]}, @lsrr={0x83, 0x3, 0x93}]}}, @payload_mcast={{{{{{0x2c, 0x0, 0x0, 0x0, 0x0, 0xb, 0x1, 0x2, 0x5, 0x0, 0x1, 0x1, 0x0, 0x1, 0x800, 0x1, 0x1, 0x4e21, 0x4e22}, 0x1}, 0x3}, 0x1}}}}}}}, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r5 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x18, 0x1, 0xfffffffe, 0x100, {{@in6=@ipv4={'\x00', '\xff\xff', @multicast2}, @in6=@private1={0xfc, 0x1, '\x00', 0x1}, 0x1, 0x71c, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x25}, {0x0, 0x192, 0x9ba3, 0xffff, 0x8251c, 0x5, 0xfffffffffffffffc}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0xfffffffa, 0xfffffffc}, 0x80, 0x3500, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
r6 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r6, &(0x7f0000000000)={0x0, 0x3, &(0x7f0000000080)={&(0x7f00000000c0)={0x2, 0x3, 0x0, 0x9, 0xa, 0x0, 0x0, 0x0, [@sadb_address={0x3, 0x6, 0x0, 0x0, 0xe, @in={0x2, 0x0, @multicast1=0xe0000009}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @multicast1}}]}, 0x50}}, 0x0)
ioctl$VIDIOC_S_FMT(r0, 0xc0cc5605, &(0x7f00000025c0)={0x1, @vbi={0x8, 0x449, 0x47524247, 0x0, [0x4, 0x3], [0x40, 0x2], 0x13a}})
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000180)={@local, @multicast, @void, {@ipv6={0x86dd, @generic={0xc, 0x6, '\x00', 0x0, 0x2c, 0x1, @empty, @mcast2}}}}, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=ANY=[@ANYBLOB="0c04000010000104000000000000000000480000", @ANYRES32=r7, @ANYBLOB="101000000000000008000d0005000000e4031680a40001800c00070000000000adffffff0c00", @ANYRES16=r7], 0x40c}}, 0x0)
executing program 32:
r0 = syz_open_dev$video(&(0x7f0000000100), 0x3, 0x2000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x0, 0x6, 0xfa11, 0xffffffff}, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = openat$adsp1(0xffffffffffffff9c, &(0x7f0000000040), 0xa0201, 0x0)
ioctl$SNDCTL_DSP_SPEED(r4, 0xc0045002, &(0x7f0000000080)=0x3ff)
write$dsp(r4, &(0x7f00000012c0)="a52876830a602214f6b4e928d758f38a5a7cb4b31c4c09289e9ebb6286784ca3", 0x4000)
sendmsg$nl_xfrm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x10, 0x1, 0xfffffffe, 0x100, {{@in6=@private0={0xfc, 0x0, '\x00', 0x1}, @in=@rand_addr=0x64010101, 0x1, 0x714, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x3f}, {0x0, 0x192, 0x6, 0xffff, 0x8251c, 0x2, 0xfffffffffffffff8}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0x2, 0xfffffffc}, 0x70bd2a, 0x3504, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
syz_emit_ethernet(0x6a, &(0x7f00000002c0)={@local, @broadcast, @void, {@ipv4={0x800, @tipc={{0xc, 0x4, 0x0, 0x3c, 0x5c, 0x67, 0x0, 0x3, 0x6, 0x0, @rand_addr=0x64010100, @local, {[@rr={0x7, 0xf, 0x7, [@initdev={0xac, 0x1e, 0x1, 0x0}, @dev={0xac, 0x14, 0x14, 0xa}, @multicast2]}, @ssrr={0x89, 0x7, 0x1e, [@multicast1]}, @lsrr={0x83, 0x3, 0x93}]}}, @payload_mcast={{{{{{0x2c, 0x0, 0x0, 0x0, 0x0, 0xb, 0x1, 0x2, 0x5, 0x0, 0x1, 0x1, 0x0, 0x1, 0x800, 0x1, 0x1, 0x4e21, 0x4e22}, 0x1}, 0x3}, 0x1}}}}}}}, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r5 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000500)=@newsa={0x138, 0x18, 0x1, 0xfffffffe, 0x100, {{@in6=@ipv4={'\x00', '\xff\xff', @multicast2}, @in6=@private1={0xfc, 0x1, '\x00', 0x1}, 0x1, 0x71c, 0x4e23, 0x5, 0x0, 0x0, 0x0, 0x3a}, {@in6=@mcast2, 0x4d4, 0x6c}, @in=@dev={0xac, 0x14, 0x14, 0x25}, {0x0, 0x192, 0x9ba3, 0xffff, 0x8251c, 0x5, 0xfffffffffffffffc}, {0xffffffffffffffff, 0x0, 0x1f, 0xfffffffffffffffe}, {0xfffffffa, 0xfffffffc}, 0x80, 0x3500, 0x2, 0x1, 0x0, 0x20}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}, 0x1, 0x0, 0x0, 0x8801}, 0x0)
r6 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r6, &(0x7f0000000000)={0x0, 0x3, &(0x7f0000000080)={&(0x7f00000000c0)={0x2, 0x3, 0x0, 0x9, 0xa, 0x0, 0x0, 0x0, [@sadb_address={0x3, 0x6, 0x0, 0x0, 0xe, @in={0x2, 0x0, @multicast1=0xe0000009}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @multicast1}}]}, 0x50}}, 0x0)
ioctl$VIDIOC_S_FMT(r0, 0xc0cc5605, &(0x7f00000025c0)={0x1, @vbi={0x8, 0x449, 0x47524247, 0x0, [0x4, 0x3], [0x40, 0x2], 0x13a}})
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_emit_ethernet(0x36, &(0x7f0000000180)={@local, @multicast, @void, {@ipv6={0x86dd, @generic={0xc, 0x6, '\x00', 0x0, 0x2c, 0x1, @empty, @mcast2}}}}, 0x0)
sendmsg$nl_route(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000140)=ANY=[@ANYBLOB="0c04000010000104000000000000000000480000", @ANYRES32=r7, @ANYBLOB="101000000000000008000d0005000000e4031680a40001800c00070000000000adffffff0c00", @ANYRES16=r7], 0x40c}}, 0x0)
executing program 5:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102)
writev(r0, 0x0, 0x0)
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f00000001c0)='./file1\x00', 0x0, &(0x7f0000000900)=ANY=[@ANYBLOB="00ea2eb34e7ea51c9446c55a2d1e0be39af9faf44ad59cb6ad1c94490d970e811439edddc71c9b18946b559ce53bee0a1abe562fc3f3898e5826eda1962cf6e3c4c0ade52151923a70b46eacfc1aaaebcf156e549e884bcabc1333f344f31cd30cd93cb2814e0dbc24a7a107e295e86e09283c825fe177c89c6385f68f2c843cffffffff15539bab6142ceed9265ba989d1a283fc4ffc83f3a7a6c746823e656ad78f3b5a336cdbd83dad59e0debb36b4ea5e658e253f01637cc03f704a08019f95b92fffffffff8dd21552d6967ab1b01e5d52a5793eb179deee4572770a5197127b090287bca2a4eaa1705b42c16968d0201d3ba3cc8000000657ea095f152b1b6a1e6ad8d24ad17f649ccc23d4ecbcdb5620cc48f95f563c2230f859d196e6c4f00b8e3a7b01fcb1d79dcc09b7a854ec8c31dd27ff9b4a2864e1dcaf719d20b56769d51228ecc1915fb8c8b598c11b3c296b05f9c5355fc6f19a7b28f5ae9a0d0804ccc5716cfac0246ddffa2f12077a02a959aa1b74373c38b2bcc90743b80666eae25dea73e127263b8fdbc64fe862b994ca8473d0000000000000000"], 0x1, 0x17d, &(0x7f00000004c0)="$eJzsmD9P6lAYxp/TciH35iY6u2giCTBY2qJGBgdmB038FzeJVIIWMdBB2PwUzn4CZ+JC4sfQQZ1ccHNyqGl7gAP+HdTE+PyG9zzv6dvTc94mT5OCEPJrub15uD5LJS90AP+RRELO3+mDGk2pb489Zi4ry+cn5v1Vu7OUH11PAPD9jz8/BqBT0OHJ3PeH707KcQ1aX69DQ0bqTQgYUm9Dw4bUDgS2pN5TdC2oN4zdiusYOzW3FAgzCFYQ7CDkRvfXPRYoKfsTyvVGs7VfdF2n/oXivf51CxoWlf2p76vXG1PpnwUNltQ5CKxKvYBErzdRS5TzT8QG6+vffH4KCoqfJgb+5J8KpBR/iin+kfWqh9lGszVTqRbLTtk5sO3cvDlrmnN2NjSiKL7hf39Df/qnrP/nldq4iOOo6Hl1K4r93I7iS44bD/1PQ3o6yoWcUwm/B+NiKhjSuswJIYQQQgghhBBCCCHk05mECP+CDpF/NmWvhNVPAQAA//94vnZt")
chdir(0x0)
r1 = openat$dir(0xffffffffffffff9c, 0x0, 0x0, 0x0)
lseek(r1, 0xfffffffffffffffc, 0x2)
getdents(r1, 0x0, 0x54)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r2 = syz_open_procfs(0x0, 0x0)
writev(r2, &(0x7f00000000c0)=[{}], 0x1)
openat(0xffffffffffffff9c, 0x0, 0x101042, 0x0)
r3 = syz_open_dev$dvb_demux(&(0x7f00000003c0), 0x0, 0x105e01)
ioctl$DVB_DEMUX_DMX_GET_STC(r3, 0xc0106f32, &(0x7f0000000040)={0xfffffffc})
bind$inet(0xffffffffffffffff, &(0x7f0000000240)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1a}}, 0x10)
executing program 5:
ioctl$FAT_IOCTL_GET_ATTRIBUTES(0xffffffffffffffff, 0x80047210, 0x0)
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000700)=ANY=[@ANYBLOB="1201000000000010711e0920000000000001090224000100000000090400090103000100092105000001220500090581030002"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB='\x00\x00\b'], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_open_dev$hidraw(&(0x7f00000001c0), 0x7fff800000000, 0x1050c0)
executing program 1:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 5:
socket$nl_route(0x10, 0x3, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nl802154(&(0x7f00000003c0), 0xffffffffffffffff)
sendmsg$NL802154_CMD_NEW_SEC_DEVKEY(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000540)={&(0x7f00000000c0)=ANY=[@ANYBLOB='\\\x00\x00\x00', @ANYRES16=r4, @ANYBLOB="0100fdffffff000000001e0000000800", @ANYRES32], 0x5c}, 0x1, 0x0, 0x0, 0x30ea32fe53398b3d}, 0x0)
executing program 4:
socket$kcm(0x10, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000480)={0x7, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x1}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
add_key$fscrypt_v1(0x0, &(0x7f0000000480)={'fscrypt:', @auto=[0x0, 0x0, 0x0, 0x34]}, &(0x7f00000000c0)={0x0, "3e82554dc8ccfbc2e85ec82d4ee9df60f6ae16b1a5f2c848722ba3b132e4fde178c945bd950b0477e801fc8a1be9b4ebbe9c2289a6b0aa00"}, 0x48, 0xfffffffffffffffe)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/timer_list\x00', 0x0, 0x0)
r4 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000180)='/proc/sys/net/ipv4/tcp_sack\x00', 0x1, 0x0)
sendfile(r4, r3, &(0x7f00000000c0)=0x8b, 0x100000500)
executing program 3:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000100)={0x0, 0x5, 0x40}, 0x8)
executing program 4:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, 0x0, 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
syz_open_procfs(0x0, &(0x7f00000000c0)='net/softnet_stat\x00')
openat$ptp0(0xffffff9c, &(0x7f0000000080), 0x400, 0x0)
socket$vsock_stream(0x28, 0x1, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r1, &(0x7f0000000840)=[{0x0}], 0x1)
syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x2)
read$FUSE(0xffffffffffffffff, 0x0, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x1000000, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)
executing program 2:
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000000240)=0x3)
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000080)=0x7f)
ioctl$SNDCTL_DSP_SPEED(r0, 0xc0045002, &(0x7f0000000000)=0xffffffff)
read$dsp(r0, &(0x7f0000000340)=""/36, 0x24)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x8081)
writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
bind$inet(0xffffffffffffffff, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x16)
write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, 0x0, 0x2, 0x0)
executing program 5:
r0 = socket$kcm(0x10, 0x2, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[@ANYBLOB="563f00001900599c6d0e000091d028ef8020"], 0xfe33)
r1 = syz_usb_connect$hid(0x0, 0x6c, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000000000040b827ed0100000000000109022400010000000009040000010300000009210000200122050009058103"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, &(0x7f0000000b80)={0x24, 0x0, 0x0, &(0x7f0000000b00)={0x0, 0x22, 0x5, {[@global=@item_4={0x3, 0x1, 0x0, "efb9ce47"}]}}, 0x0}, 0x0)
socket(0x18, 0x2, 0x400000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='cpuacct.usage_percpu\x00', 0x275a, 0x0)
write$UHID_CREATE2(r2, &(0x7f0000000040)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x88fd537e5c114b6e, 0x12, r2, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000002c0)={0x1, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1802000000000000000000000920000095"], &(0x7f0000000000)='syzkaller\x00', 0x8, 0xff5, &(0x7f0000001840)=""/4085, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x11d}, 0x94)
syz_usb_control_io$hid(r1, 0x0, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
write(r3, &(0x7f0000000000)="240000001a005f7f00f9f407000904bf80000000080000000000000004001e", 0x1f)
setsockopt$netlink_NETLINK_NO_ENOBUFS(r3, 0x10e, 0xc, &(0x7f0000000340)=0x6, 0x4)
sendmsg$nl_route(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=ANY=[], 0x24}}, 0x0)
syz_usb_control_io(r1, 0x0, &(0x7f0000000140)={0x44, &(0x7f0000000380)=ANY=[@ANYBLOB="20de238f6735cfaa1ae95581fcc01d6c438312cfea227f4fcfc37b4d3a1c770b753a6d3b7f2096978be96b55531635edcbb8c557d3db2e18057d4d10659af0e160984346c583ea9b14005e6873e5ced0fc4c915b498108fffe291cc3adc4539e0c9e49a5a6ebc33c4cfe7c5005e40530175f089e84bc3fc659a4f5ebe70eed9d606fddcdae9e3607456eeaca1ca60882b7e6100f9b10b78abdda9956542b06b36473472f5f61a3ee7631ee0da5af9b89165b2d54a7748bbea70a4e236d5e671f2e58864f7936661244e4d7a8824c919eafe9c1b052462481997be94145ad"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
executing program 1:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x60000b, 0x9)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f00000002c0)={0xaa, 0x100})
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x19)
executing program 3:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
ioctl$TCSETS(0xffffffffffffffff, 0x40045431, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2f)
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f00000001c0)='./file1\x00', 0x0, &(0x7f0000000900)=ANY=[@ANYBLOB="00ea2eb34e7ea51c9446c55a2d1e0be39af9faf44ad59cb6ad1c94490d970e811439edddc71c9b18946b559ce53bee0a1abe562fc3f3898e5826eda1962cf6e3c4c0ade52151923a70b46eacfc1aaaebcf156e549e884bcabc1333f344f31cd30cd93cb2814e0dbc24a7a107e295e86e09283c825fe177c89c6385f68f2c843cffffffff15539bab6142ceed9265ba989d1a283fc4ffc83f3a7a6c746823e656ad78f3b5a336cdbd83dad59e0debb36b4ea5e658e253f01637cc03f704a08019f95b92fffffffff8dd21552d6967ab1b01e5d52a5793eb179deee4572770a5197127b090287bca2a4eaa1705b42c16968d0201d3ba3cc8000000657ea095f152b1b6a1e6ad8d24ad17f649ccc23d4ecbcdb5620cc48f95f563c2230f859d196e6c4f00b8e3a7b01fcb1d79dcc09b7a854ec8c31dd27ff9b4a2864e1dcaf719d20b56769d51228ecc1915fb8c8b598c11b3c296b05f9c5355fc6f19a7b28f5ae9a0d0804ccc5716cfac0246ddffa2f12077a02a959aa1b74373c38b2bcc90743b80666eae25dea73e127263b8fdbc64fe862b994ca8473d0000000000000000"], 0x1, 0x17d, &(0x7f00000004c0)="$eJzsmD9P6lAYxp/TciH35iY6u2giCTBY2qJGBgdmB038FzeJVIIWMdBB2PwUzn4CZ+JC4sfQQZ1ccHNyqGl7gAP+HdTE+PyG9zzv6dvTc94mT5OCEPJrub15uD5LJS90AP+RRELO3+mDGk2pb489Zi4ry+cn5v1Vu7OUH11PAPD9jz8/BqBT0OHJ3PeH707KcQ1aX69DQ0bqTQgYUm9Dw4bUDgS2pN5TdC2oN4zdiusYOzW3FAgzCFYQ7CDkRvfXPRYoKfsTyvVGs7VfdF2n/oXivf51CxoWlf2p76vXG1PpnwUNltQ5CKxKvYBErzdRS5TzT8QG6+vffH4KCoqfJgb+5J8KpBR/iin+kfWqh9lGszVTqRbLTtk5sO3cvDlrmnN2NjSiKL7hf39Df/qnrP/nldq4iOOo6Hl1K4r93I7iS44bD/1PQ3o6yoWcUwm/B+NiKhjSuswJIYQQQgghhBBCCCHk05mECP+CDpF/NmWvhNVPAQAA//94vnZt")
r1 = openat$dir(0xffffffffffffff9c, 0x0, 0x0, 0x0)
lseek(r1, 0xfffffffffffffffc, 0x2)
r2 = syz_open_procfs(0x0, 0x0)
writev(r2, &(0x7f00000000c0)=[{}], 0x1)
openat(0xffffffffffffff9c, 0x0, 0x101042, 0x0)
syz_open_dev$dvb_demux(&(0x7f00000003c0), 0x0, 0x105e01)
bind$inet(0xffffffffffffffff, &(0x7f0000000240)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1a}}, 0x10)
executing program 2:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='blkio.bfq.io_service_bytes_recursive\x00', 0x275a, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20042, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = dup(r1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000840)={0x1fe, 0x2, 0x2000, 0x1000, &(0x7f0000003000/0x1000)=nil})
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000040)=[@text64={0x40, 0x0}], 0x1, 0x11, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000200)=[@text64={0x40, 0x0, 0x3a}], 0x1, 0x8, 0x0, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 3:
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
openat$nullb(0xffffffffffffff9c, 0x0, 0x2803, 0x0)
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_TEST(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000340)={0x24, 0xb, 0x6, 0x801, 0x0, 0x0, {0x5, 0x0, 0x8}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_PROTOCOL={0x5}]}, 0x24}, 0x1, 0x0, 0x0, 0x4800}, 0x20000080)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000000))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r1, &(0x7f0000001a40)=""/102392, 0x18ff8)
r2 = syz_init_net_socket$llc(0x1a, 0x1, 0x0)
sendmmsg$inet(r2, &(0x7f0000000c40)=[{{&(0x7f0000000040)={0x2, 0x0, @multicast2}, 0x23, 0x0}}], 0x1e1730a30afb6559, 0x8014)
syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0)
executing program 1:
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil)
r0 = syz_io_uring_setup(0x82e, &(0x7f0000000300)={0x0, 0xcd1d, 0x10100, 0x1000000, 0x20000}, &(0x7f0000000040), &(0x7f0000000080), &(0x7f0000000000))
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
syz_usb_disconnect(0xffffffffffffffff)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000380)={&(0x7f0000001000)={[{0x0}, {0x0}, {0x0}, {0x0}]}, 0x4, 0x2}, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$vim2m_VIDIOC_QBUF(0xffffffffffffffff, 0xc058560f, 0x0)
executing program 2:
r0 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r0, &(0x7f0000000040)={0x2, 0x0, &(0x7f0000000340)={&(0x7f0000001380)=ANY=[@ANYBLOB], 0x70}, 0x1, 0x7}, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000300)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x1)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={<r2=>0xffffffffffffffff})
sendmmsg(r2, &(0x7f0000000180), 0x4000190, 0x0)
io_uring_enter(0xffffffffffffffff, 0x1, 0x20, 0x1, 0x0, 0x0)
ioctl$SG_SCSI_RESET(0xffffffffffffffff, 0x2284, 0x0)
recvmmsg$unix(0xffffffffffffffff, &(0x7f0000002380)=[{{0x0, 0x3f, &(0x7f0000001340)=[{&(0x7f00000002c0)=""/4096, 0x1000}], 0x1}}], 0x4000000000003b9, 0x26022, 0x0)
r3 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r4 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r4, 0x84, 0x64, &(0x7f0000000080)=[@in={0x2, 0x4e20, @empty}], 0x10)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r4, 0x84, 0x6f, &(0x7f00000000c0)={0x0, 0x10, &(0x7f0000000040)=[@in={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}]}, &(0x7f0000000100)=0x10)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, 0x0, 0x0)
readv(r3, &(0x7f0000000640)=[{&(0x7f0000000180)=""/117, 0x75}], 0x1)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000b80)={0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x37, '\x00', 0x0, 0x2a, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4}, 0x94)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
setsockopt$inet_msfilter(r2, 0x0, 0x29, &(0x7f00000012c0)={@initdev={0xac, 0x1e, 0x0, 0x0}, @rand_addr=0x64010102, 0x0, 0x7, [@private=0xa010100, @broadcast, @initdev={0xac, 0x1e, 0x1, 0x0}, @broadcast, @dev={0xac, 0x14, 0x14, 0x32}, @multicast2, @private=0xa010102]}, 0x2c)
executing program 2:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000000180)=[@in={0x2, 0x4e21, @empty}], 0x10)
sendmsg$inet_sctp(r0, &(0x7f0000000140)={&(0x7f0000000340)=@in={0x2, 0x4e21, @local}, 0x10, &(0x7f0000000380)=[{&(0x7f0000000040)='N', 0x1}], 0x1, 0x0, 0x0, 0x40080}, 0x4000890)
getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r0, 0x84, 0x74, 0x0, &(0x7f0000000400))
executing program 4:
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fd, 0x0, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f00000042c0)='mounts\x00')
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/crypto\x00', 0x0, 0x0)
read$FUSE(r1, &(0x7f0000000200)={0x2020}, 0x2020)
mount(&(0x7f0000000300), &(0x7f0000000080)='.\x00', &(0x7f0000000180)='devtmpfs\x00', 0x2200892, 0x0)
pread64(r0, &(0x7f0000002240)=""/237, 0xed, 0x4eb)
executing program 4:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
openat$ptp0(0xffffffffffffff9c, 0x0, 0x0, 0x0)
msgsnd(0x0, &(0x7f0000000180)=ANY=[@ANYRESOCT], 0x2000, 0x0)
execveat$binfmt(0xffffffffffffff9c, 0x0, 0x0, 0x0, 0x0)
mknodat$loop(0xffffffffffffff9c, 0x0, 0xc000, 0x0)
syz_open_dev$usbmon(0x0, 0x9, 0xa0002)
executing program 1:
r0 = syz_usb_connect(0x3, 0x24, &(0x7f0000001c80)=ANY=[@ANYBLOB="12010000941b6508c410c1ea2f700102030109021200010000000009040102"], 0x0)
r1 = socket(0x1d, 0x2, 0x6)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, 0x0)
bind$can_j1939(r1, 0x0, 0x0)
add_key$user(0x0, &(0x7f0000000100)={'syz', 0x2}, &(0x7f0000000080)="01", 0x1, 0xffffffffffffffff)
add_key$user(&(0x7f0000000140), &(0x7f00000003c0)={'syz', 0x0}, &(0x7f0000000400)="f40fc24077021c9b084c60ffc26f26db12b9e78d629870bb26edb4a5e1cc0942ed8c58ca4fe84b94a0e31ea64089ee9ca1efb52945ffebbfea11dd3d0ddc36a10285eccab940ab5c96cb5d81dadde6cfd6ea08d5abcb00bb35436929ddabce530b63fab525337057438cf64a506d54d5c83e3e593d1d53ad0e6a44168fe8cfc6ad98b653d84636e4ddc1f2ab58762b3494250b9557f5b606a43e50874c90143034142cd5f73b8e3b", 0xa8, 0xfffffffffffffffb)
keyctl$dh_compute(0x17, 0x0, &(0x7f0000001380)=""/4093, 0xffd, 0x0)
syz_genetlink_get_family_id$mptcp(0x0, r1)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
sendmsg$inet(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f00000000c0)="7b9050", 0x3}, {0x0}, {0x0}], 0x3}, 0x40090)
symlink(&(0x7f0000000080)='.\x00', &(0x7f0000000240)='./file0\x00')
getsockopt$TIPC_SRC_DROPPABLE(r1, 0x10f, 0x80, &(0x7f00000002c0), &(0x7f0000000380)=0x4)
r2 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r3 = fanotify_init(0x200, 0x0)
fanotify_mark(r3, 0x1, 0x4800003e, r2, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000580)='./file0\x00', 0x0, 0x0, 0x8, 0x0, 0x0)
lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0)
chmod(&(0x7f0000000180)='./file0\x00', 0x259)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11}, 0x94)
r4 = socket(0x1, 0x803, 0x0)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
ioctl$sock_SIOCETHTOOL(r5, 0x89f1, &(0x7f0000000340)={'sit0\x00', &(0x7f00000001c0)=@ethtool_cmd={0x3a, 0x5, 0x0, 0x0, 0x7, 0x0, 0x3, 0xfc, 0x3, 0xfc, 0x0, 0x1, 0x0, 0xff, 0x0, 0x1045}})
r6 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route(r6, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
executing program 2:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 5:
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040f04"], 0x7)
close(0xffffffffffffffff)
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
listen(r0, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r1)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
accept(r1, 0x0, 0x0)
recvfrom(r3, 0x0, 0x0, 0x4100, 0x0, 0x0)
mmap(&(0x7f0000200000/0x4000)=nil, 0x4000, 0x4, 0x200000006c832, 0xffffffffffffffff, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x38}}, 0x0)
executing program 2:
r0 = syz_usb_connect$cdc_ncm(0x0, 0x7a, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000020000402505a1a44000010203010902680002010040000904000001020e0000052406000105240000000d370f0100000000000000000006241a0000000c241b4800f3ff00050080050905810300020000000904010000020d00000904010102020d0000090582020004000000090503020002"], 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000780)={0x84, &(0x7f0000000300)={0x0, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
executing program 4:
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000040)=0x90000)
ioctl$TIOCSTI(0xffffffffffffffff, 0x5412, &(0x7f0000000140)=0x8)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="4400000096ca077900000000000000", @ANYRES32=0x0, @ANYBLOB="0000000008290400240012800b000100697036746e6c0000140002800600120000000000060012"], 0x44}}, 0x0)
r1 = syz_usb_connect(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000014da2108ab1204000000000000010902240001b30000040904410c17ff5d810009050f1f05e13f000009058303"], 0x0)
io_uring_setup(0x160f, 0x0)
socket$netlink(0x10, 0x3, 0x0)
recvmsg$kcm(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x1, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f00000001c0)={'batadv0\x00', <r2=>0x0})
sendto$packet(0xffffffffffffffff, 0x0, 0x0, 0x24000805, &(0x7f0000000340)={0x11, 0x86dd, r2, 0x1, 0x0, 0x6, @local}, 0x14)
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000640)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x41c, 0x3c}}, './file0\x00'})
r3 = syz_open_dev$sndctrl(&(0x7f0000000300), 0x1, 0x0)
r4 = socket$packet(0x11, 0x2, 0x300)
setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000000000)={0x2, &(0x7f0000000440)=[{0x20, 0x2, 0x81, 0xfffff034}, {0x6, 0x1, 0x12, 0xffffffff}]}, 0x8)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x42901, 0x0)
r5 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @broadcast})
ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r3, 0xc2c45512, &(0x7f0000000340)={{0x8, 0x6, 0x0, 0x5, '\x00', 0xfffffffd}, 0x0, [0x101, 0x0, 0x0, 0x0, 0x4000000, 0x100001, 0x7, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x80000003, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x4, 0x4, 0x5, 0x0, 0x0, 0xe4, 0x0, 0x9, 0x3, 0x800, 0x8, 0x0, 0x0, 0x6, 0x0, 0x0, 0xa, 0x1, 0xcdc, 0x0, 0xffffffff, 0x600000, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x2, 0x0, 0x1559, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x8, 0x4, 0x800, 0x0, 0x3, 0x2, 0x0, 0x3, 0x0, 0x2, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x9, 0x80000000, 0x400000, 0x3, 0xc13, 0x0, 0x0, 0xfffffffc, 0x80000000, 0x0, 0x9, 0x80000000, 0xfffffffd, 0x0, 0x3, 0x800001, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x3, 0x0, 0x40000000, 0x2cbb, 0x2, 0x7b1ae8f, 0x6c, 0x0, 0x80000005, 0x0, 0x3, 0x2d6, 0x80000, 0x6, 0x100000, 0x0, 0x0, 0x4, 0x1, 0x2002001, 0x0, 0x0, 0xd686, 0x0, 0x8, 0x40000000, 0xfffffffb]})
socket$inet6_udp(0xa, 0x2, 0x0)
syz_open_dev$radio(&(0x7f0000000000), 0x2, 0x2)
syz_usb_ep_read(r1, 0xf, 0xffffffffffffffd2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
executing program 3:
r0 = syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x80)
ioctl$I2C_PEC(r0, 0x708, 0xfffffffffffffffe)
pwrite64(0xffffffffffffffff, 0x0, 0x0, 0x5)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x2, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="9feb010018000000000000"], 0x0, 0x34}, 0x28)
syz_io_uring_setup(0x7b6, &(0x7f0000000500)={0x0, 0x146, 0x0, 0x2, 0x400000}, &(0x7f0000000300)=<r2=>0x0, &(0x7f0000000280)=<r3=>0x0, &(0x7f0000000100)=<r4=>0x0)
syz_io_uring_submit(r2, r3, r4, &(0x7f00000001c0)=@IORING_OP_WRITE={0x17, 0x6, 0x4000, @fd, 0x8, 0x0, 0x0, 0x0, 0x1})
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{0xffffffffffffffff, <r5=>0xffffffffffffffff}, &(0x7f00000000c0), &(0x7f0000000100)}, 0x20)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000800)={0xffffffffffffffff, 0x20, &(0x7f00000007c0)={&(0x7f0000000600)=""/249, 0xf9, <r6=>0x0, 0x0}}, 0x10)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000940)=@bpf_lsm={0x1d, 0x3, &(0x7f0000000340)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x9b}}, &(0x7f0000000480)='syzkaller\x00', 0x3, 0x0, 0x0, 0x41100, 0x9, '\x00', 0x0, 0x1b, r1, 0x8, &(0x7f00000004c0)={0x1, 0x4}, 0x8, 0x10, &(0x7f00000005c0)={0x0, 0x6, 0x7, 0x8000}, 0x10, r6, 0x0, 0x0, &(0x7f0000000840)=[r1, r5], &(0x7f0000000880)}, 0x94)
r7 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r7, &(0x7f0000019680)=""/102392, 0x18ff8)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]})
pivot_root(0x0, 0x0)
write$cgroup_int(0xffffffffffffffff, &(0x7f0000000040)=0x1c9, 0x12)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, 0x0)
gettid()
r8 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0xc0040, 0x0)
ioctl$LOOP_CTL_REMOVE(r8, 0x4c81, 0x0)
ioctl$I2C_SMBUS(r0, 0x720, &(0x7f00000000c0)={0x1, 0x1, 0x5, &(0x7f0000000000)={0x1f, "90f5000012f300800000000000049942a55e00"}})
executing program 5:
r0 = openat$tun(0xffffff9c, &(0x7f0000000000), 0x200, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x50)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1, 0x50, 0xffffffffffffffff, 0x0)
r1 = socket(0x2c, 0x3, 0x1000)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
syz_genetlink_get_family_id$ethtool(0x0, r1)
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000080)={0x1, &(0x7f0000000040)=[{0x200000000006, 0x0, 0x0, 0x7ffc0002}]})
ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f00000001c0)=<r4=>0x0)
sched_setattr(r4, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x100000001, 0xfffffe0000000001, 0xfa11, 0x65aa}, 0x0)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file2\x00', 0x81c0, 0x0)
syz_io_uring_setup(0x4ad9, &(0x7f0000000300)={0x0, 0x9731, 0x4000, 0x3, 0x145}, &(0x7f00000003c0), 0x0, &(0x7f0000000000))
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x15)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
syz_open_procfs(0x0, &(0x7f0000000180)='cgroup\x00')
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000010000000900010073797a30000000002c000000030a01020000000000000000010000000900010073797a30000000000900030073797a312000000038000000030a01040000000000000000010000010900010073797a30000000000c00024000000000000000010900030003000000000000001400000011"], 0xac}, 0x1, 0x0, 0x0, 0x8040}, 0x0)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x19)
ioctl$TUNSETLINK(r0, 0x400454cd, 0x10e)
r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000001c0), 0x4b301, 0x0)
ioctl$TIOCSETD(r6, 0x5423, &(0x7f0000000240)=0xd)
writev(r6, &(0x7f0000000080)=[{&(0x7f0000000280)='*', 0x1}], 0x1)
syz_usb_connect(0x5, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="1201000092ecc620ac05c2773aeb0102030109022400010000"], 0x0)
executing program 1:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r1)
r2 = socket$unix(0x1, 0x1, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r4=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000026c0)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r4, {0x0, 0xb}, {0xffff, 0xffff}, {0xfff2, 0x2}}, [@qdisc_kind_options=@q_cbs={{0x8}, {0x1c, 0x2, @TCA_CBS_PARMS={0x18, 0x1, {0x0, '\x00', 0x1, 0x4, 0x100, 0x8}}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000001}, 0x0)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000300)={'syzkaller0\x00', @multicast})
socket$phonet_pipe(0x23, 0x5, 0x2)
r5 = socket$kcm(0x11, 0x3, 0x0)
r6 = socket$unix(0x1, 0x5, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r8=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000001c0)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x70b926, 0x25dfdc01, {0x0, 0x0, 0x0, r8, {0x0, 0xd}, {0xc, 0xb}, {0xffff, 0xffe0}}, [@qdisc_kind_options=@q_gred={{0x9}, {0x14, 0x2, [@TCA_GRED_DPS={0x10, 0x3, {0xe, 0x0, 0x0, 0x6}}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x240040e0}, 0x4890)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r9=>0x0})
setsockopt$sock_attach_bpf(r5, 0x107, 0xf, &(0x7f0000000600), 0x56)
sendmsg$kcm(r5, &(0x7f00000000c0)={&(0x7f0000000580)=@xdp={0x2c, 0x0, r9, 0x3e}, 0x80, &(0x7f0000000080)=[{&(0x7f0000000180)="27030200590214000600002fb96dbcf706e10500000088a8ffff86ddee162fd4b8bf4a31accb", 0xfdef}], 0x1}, 0x0)
executing program 1:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
bisect: bisecting 37 programs
bisect: split chunks (needed=false): <36>
bisect: split chunk #0 of len 36 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=1m46s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 20, 16, 14, 16, 5, 17, 10, 12, 8, 22, 4, 6, 15, 26, 22, 26, 19, 5, 23, 24, 27, 19, 20, 29]
detailed listing:
executing program 3:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000100)={0x0, 0x5, 0x40}, 0x8)
executing program 4:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x1, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, 0x0, 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
syz_open_procfs(0x0, &(0x7f00000000c0)='net/softnet_stat\x00')
openat$ptp0(0xffffff9c, &(0x7f0000000080), 0x400, 0x0)
socket$vsock_stream(0x28, 0x1, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
writev(r1, &(0x7f0000000840)=[{0x0}], 0x1)
syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x2)
read$FUSE(0xffffffffffffffff, 0x0, 0x0)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x1000000, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)
executing program 2:
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$SNDCTL_DSP_SETFRAGMENT(r0, 0xc004500a, &(0x7f0000000240)=0x3)
ioctl$SNDCTL_DSP_CHANNELS(r0, 0xc0045006, &(0x7f0000000080)=0x7f)
ioctl$SNDCTL_DSP_SPEED(r0, 0xc0045002, &(0x7f0000000000)=0xffffffff)
read$dsp(r0, &(0x7f0000000340)=""/36, 0x24)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x5)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r1 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x8081)
writev(r1, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
bind$inet(0xffffffffffffffff, &(0x7f00000001c0)={0x2, 0x0, @local}, 0x16)
write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, 0x0, 0x2, 0x0)
executing program 5:
r0 = socket$kcm(0x10, 0x2, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[@ANYBLOB="563f00001900599c6d0e000091d028ef8020"], 0xfe33)
r1 = syz_usb_connect$hid(0x0, 0x6c, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000000000040b827ed0100000000000109022400010000000009040000010300000009210000200122050009058103"], 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io$hid(r1, &(0x7f0000000b80)={0x24, 0x0, 0x0, &(0x7f0000000b00)={0x0, 0x22, 0x5, {[@global=@item_4={0x3, 0x1, 0x0, "efb9ce47"}]}}, 0x0}, 0x0)
socket(0x18, 0x2, 0x400000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='cpuacct.usage_percpu\x00', 0x275a, 0x0)
write$UHID_CREATE2(r2, &(0x7f0000000040)=ANY=[], 0x118)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x88fd537e5c114b6e, 0x12, r2, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000002c0)={0x1, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1802000000000000000000000920000095"], &(0x7f0000000000)='syzkaller\x00', 0x8, 0xff5, &(0x7f0000001840)=""/4085, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x11d}, 0x94)
syz_usb_control_io$hid(r1, 0x0, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
write(r3, &(0x7f0000000000)="240000001a005f7f00f9f407000904bf80000000080000000000000004001e", 0x1f)
setsockopt$netlink_NETLINK_NO_ENOBUFS(r3, 0x10e, 0xc, &(0x7f0000000340)=0x6, 0x4)
sendmsg$nl_route(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=ANY=[], 0x24}}, 0x0)
syz_usb_control_io(r1, 0x0, &(0x7f0000000140)={0x44, &(0x7f0000000380)=ANY=[@ANYBLOB="20de238f6735cfaa1ae95581fcc01d6c438312cfea227f4fcfc37b4d3a1c770b753a6d3b7f2096978be96b55531635edcbb8c557d3db2e18057d4d10659af0e160984346c583ea9b14005e6873e5ced0fc4c915b498108fffe291cc3adc4539e0c9e49a5a6ebc33c4cfe7c5005e40530175f089e84bc3fc659a4f5ebe70eed9d606fddcdae9e3607456eeaca1ca60882b7e6100f9b10b78abdda9956542b06b36473472f5f61a3ee7631ee0da5af9b89165b2d54a7748bbea70a4e236d5e671f2e58864f7936661244e4d7a8824c919eafe9c1b052462481997be94145ad"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
executing program 1:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x60000b, 0x9)
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f00000002c0)={0xaa, 0x100})
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x19)
executing program 3:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
ioctl$TCSETS(0xffffffffffffffff, 0x40045431, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x7)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x80200, 0x0)
r0 = syz_open_dev$sndmidi(&(0x7f0000000240), 0x2, 0x40102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2f)
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f00000001c0)='./file1\x00', 0x0, &(0x7f0000000900)=ANY=[@ANYBLOB="00ea2eb34e7ea51c9446c55a2d1e0be39af9faf44ad59cb6ad1c94490d970e811439edddc71c9b18946b559ce53bee0a1abe562fc3f3898e5826eda1962cf6e3c4c0ade52151923a70b46eacfc1aaaebcf156e549e884bcabc1333f344f31cd30cd93cb2814e0dbc24a7a107e295e86e09283c825fe177c89c6385f68f2c843cffffffff15539bab6142ceed9265ba989d1a283fc4ffc83f3a7a6c746823e656ad78f3b5a336cdbd83dad59e0debb36b4ea5e658e253f01637cc03f704a08019f95b92fffffffff8dd21552d6967ab1b01e5d52a5793eb179deee4572770a5197127b090287bca2a4eaa1705b42c16968d0201d3ba3cc8000000657ea095f152b1b6a1e6ad8d24ad17f649ccc23d4ecbcdb5620cc48f95f563c2230f859d196e6c4f00b8e3a7b01fcb1d79dcc09b7a854ec8c31dd27ff9b4a2864e1dcaf719d20b56769d51228ecc1915fb8c8b598c11b3c296b05f9c5355fc6f19a7b28f5ae9a0d0804ccc5716cfac0246ddffa2f12077a02a959aa1b74373c38b2bcc90743b80666eae25dea73e127263b8fdbc64fe862b994ca8473d0000000000000000"], 0x1, 0x17d, &(0x7f00000004c0)="$eJzsmD9P6lAYxp/TciH35iY6u2giCTBY2qJGBgdmB038FzeJVIIWMdBB2PwUzn4CZ+JC4sfQQZ1ccHNyqGl7gAP+HdTE+PyG9zzv6dvTc94mT5OCEPJrub15uD5LJS90AP+RRELO3+mDGk2pb489Zi4ry+cn5v1Vu7OUH11PAPD9jz8/BqBT0OHJ3PeH707KcQ1aX69DQ0bqTQgYUm9Dw4bUDgS2pN5TdC2oN4zdiusYOzW3FAgzCFYQ7CDkRvfXPRYoKfsTyvVGs7VfdF2n/oXivf51CxoWlf2p76vXG1PpnwUNltQ5CKxKvYBErzdRS5TzT8QG6+vffH4KCoqfJgb+5J8KpBR/iin+kfWqh9lGszVTqRbLTtk5sO3cvDlrmnN2NjSiKL7hf39Df/qnrP/nldq4iOOo6Hl1K4r93I7iS44bD/1PQ3o6yoWcUwm/B+NiKhjSuswJIYQQQgghhBBCCCHk05mECP+CDpF/NmWvhNVPAQAA//94vnZt")
r1 = openat$dir(0xffffffffffffff9c, 0x0, 0x0, 0x0)
lseek(r1, 0xfffffffffffffffc, 0x2)
r2 = syz_open_procfs(0x0, 0x0)
writev(r2, &(0x7f00000000c0)=[{}], 0x1)
openat(0xffffffffffffff9c, 0x0, 0x101042, 0x0)
syz_open_dev$dvb_demux(&(0x7f00000003c0), 0x0, 0x105e01)
bind$inet(0xffffffffffffffff, &(0x7f0000000240)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x1a}}, 0x10)
executing program 2:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='blkio.bfq.io_service_bytes_recursive\x00', 0x275a, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x20042, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = dup(r1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000840)={0x1fe, 0x2, 0x2000, 0x1000, &(0x7f0000003000/0x1000)=nil})
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000040)=[@text64={0x40, 0x0}], 0x1, 0x11, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000200)=[@text64={0x40, 0x0, 0x3a}], 0x1, 0x8, 0x0, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
executing program 3:
bind$netlink(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
openat$nullb(0xffffffffffffff9c, 0x0, 0x2803, 0x0)
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_TEST(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000340)={0x24, 0xb, 0x6, 0x801, 0x0, 0x0, {0x5, 0x0, 0x8}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_PROTOCOL={0x5}]}, 0x24}, 0x1, 0x0, 0x0, 0x4800}, 0x20000080)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f0000000000))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r1 = syz_open_dev$MSR(&(0x7f00000001c0), 0x0, 0x0)
read$msr(r1, &(0x7f0000001a40)=""/102392, 0x18ff8)
r2 = syz_init_net_socket$llc(0x1a, 0x1, 0x0)
sendmmsg$inet(r2, &(0x7f0000000c40)=[{{&(0x7f0000000040)={0x2, 0x0, @multicast2}, 0x23, 0x0}}], 0x1e1730a30afb6559, 0x8014)
syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f000200000009050502000000001009058b1e20"], 0x0)
executing program 1:
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil)
r0 = syz_io_uring_setup(0x82e, &(0x7f0000000300)={0x0, 0xcd1d, 0x10100, 0x1000000, 0x20000}, &(0x7f0000000040), &(0x7f0000000080), &(0x7f0000000000))
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
syz_usb_disconnect(0xffffffffffffffff)
io_uring_register$IORING_REGISTER_PBUF_RING(r0, 0x16, &(0x7f0000000380)={&(0x7f0000001000)={[{0x0}, {0x0}, {0x0}, {0x0}]}, 0x4, 0x2}, 0x1)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$vim2m_VIDIOC_QBUF(0xffffffffffffffff, 0xc058560f, 0x0)
executing program 2:
r0 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r0, &(0x7f0000000040)={0x2, 0x0, &(0x7f0000000340)={&(0x7f0000001380)=ANY=[@ANYBLOB], 0x70}, 0x1, 0x7}, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000300)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000200)=0x1)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r1 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r1, &(0x7f0000032680)=""/102392, 0x18ff8)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={<r2=>0xffffffffffffffff})
sendmmsg(r2, &(0x7f0000000180), 0x4000190, 0x0)
io_uring_enter(0xffffffffffffffff, 0x1, 0x20, 0x1, 0x0, 0x0)
ioctl$SG_SCSI_RESET(0xffffffffffffffff, 0x2284, 0x0)
recvmmsg$unix(0xffffffffffffffff, &(0x7f0000002380)=[{{0x0, 0x3f, &(0x7f0000001340)=[{&(0x7f00000002c0)=""/4096, 0x1000}], 0x1}}], 0x4000000000003b9, 0x26022, 0x0)
r3 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r4 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r4, 0x84, 0x64, &(0x7f0000000080)=[@in={0x2, 0x4e20, @empty}], 0x10)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r4, 0x84, 0x6f, &(0x7f00000000c0)={0x0, 0x10, &(0x7f0000000040)=[@in={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}]}, &(0x7f0000000100)=0x10)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r4, 0x84, 0x9, 0x0, 0x0)
readv(r3, &(0x7f0000000640)=[{&(0x7f0000000180)=""/117, 0x75}], 0x1)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000b80)={0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x37, '\x00', 0x0, 0x2a, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4}, 0x94)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
setsockopt$inet_msfilter(r2, 0x0, 0x29, &(0x7f00000012c0)={@initdev={0xac, 0x1e, 0x0, 0x0}, @rand_addr=0x64010102, 0x0, 0x7, [@private=0xa010100, @broadcast, @initdev={0xac, 0x1e, 0x1, 0x0}, @broadcast, @dev={0xac, 0x14, 0x14, 0x32}, @multicast2, @private=0xa010102]}, 0x2c)
executing program 2:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000000180)=[@in={0x2, 0x4e21, @empty}], 0x10)
sendmsg$inet_sctp(r0, &(0x7f0000000140)={&(0x7f0000000340)=@in={0x2, 0x4e21, @local}, 0x10, &(0x7f0000000380)=[{&(0x7f0000000040)='N', 0x1}], 0x1, 0x0, 0x0, 0x40080}, 0x4000890)
getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r0, 0x84, 0x74, 0x0, &(0x7f0000000400))
executing program 4:
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fd, 0x0, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f00000042c0)='mounts\x00')
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/crypto\x00', 0x0, 0x0)
read$FUSE(r1, &(0x7f0000000200)={0x2020}, 0x2020)
mount(&(0x7f0000000300), &(0x7f0000000080)='.\x00', &(0x7f0000000180)='devtmpfs\x00', 0x2200892, 0x0)
pread64(r0, &(0x7f0000002240)=""/237, 0xed, 0x4eb)
executing program 4:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
openat$ptp0(0xffffffffffffff9c, 0x0, 0x0, 0x0)
msgsnd(0x0, &(0x7f0000000180)=ANY=[@ANYRESOCT], 0x2000, 0x0)
execveat$binfmt(0xffffffffffffff9c, 0x0, 0x0, 0x0, 0x0)
mknodat$loop(0xffffffffffffff9c, 0x0, 0xc000, 0x0)
syz_open_dev$usbmon(0x0, 0x9, 0xa0002)
executing program 1:
r0 = syz_usb_connect(0x3, 0x24, &(0x7f0000001c80)=ANY=[@ANYBLOB="12010000941b6508c410c1ea2f700102030109021200010000000009040102"], 0x0)
r1 = socket(0x1d, 0x2, 0x6)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, 0x0)
bind$can_j1939(r1, 0x0, 0x0)
add_key$user(0x0, &(0x7f0000000100)={'syz', 0x2}, &(0x7f0000000080)="01", 0x1, 0xffffffffffffffff)
add_key$user(&(0x7f0000000140), &(0x7f00000003c0)={'syz', 0x0}, &(0x7f0000000400)="f40fc24077021c9b084c60ffc26f26db12b9e78d629870bb26edb4a5e1cc0942ed8c58ca4fe84b94a0e31ea64089ee9ca1efb52945ffebbfea11dd3d0ddc36a10285eccab940ab5c96cb5d81dadde6cfd6ea08d5abcb00bb35436929ddabce530b63fab525337057438cf64a506d54d5c83e3e593d1d53ad0e6a44168fe8cfc6ad98b653d84636e4ddc1f2ab58762b3494250b9557f5b606a43e50874c90143034142cd5f73b8e3b", 0xa8, 0xfffffffffffffffb)
keyctl$dh_compute(0x17, 0x0, &(0x7f0000001380)=""/4093, 0xffd, 0x0)
syz_genetlink_get_family_id$mptcp(0x0, r1)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
sendmsg$inet(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f00000000c0)="7b9050", 0x3}, {0x0}, {0x0}], 0x3}, 0x40090)
symlink(&(0x7f0000000080)='.\x00', &(0x7f0000000240)='./file0\x00')
getsockopt$TIPC_SRC_DROPPABLE(r1, 0x10f, 0x80, &(0x7f00000002c0), &(0x7f0000000380)=0x4)
r2 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r3 = fanotify_init(0x200, 0x0)
fanotify_mark(r3, 0x1, 0x4800003e, r2, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000580)='./file0\x00', 0x0, 0x0, 0x8, 0x0, 0x0)
lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0)
chmod(&(0x7f0000000180)='./file0\x00', 0x259)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11}, 0x94)
r4 = socket(0x1, 0x803, 0x0)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
ioctl$sock_SIOCETHTOOL(r5, 0x89f1, &(0x7f0000000340)={'sit0\x00', &(0x7f00000001c0)=@ethtool_cmd={0x3a, 0x5, 0x0, 0x0, 0x7, 0x0, 0x3, 0xfc, 0x3, 0xfc, 0x0, 0x1, 0x0, 0xff, 0x0, 0x1045}})
r6 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route(r6, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
executing program 2:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 5:
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040f04"], 0x7)
close(0xffffffffffffffff)
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
listen(r0, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r1)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
accept(r1, 0x0, 0x0)
recvfrom(r3, 0x0, 0x0, 0x4100, 0x0, 0x0)
mmap(&(0x7f0000200000/0x4000)=nil, 0x4000, 0x4, 0x200000006c832, 0xffffffffffffffff, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x38}}, 0x0)
executing program 2:
r0 = syz_usb_connect$cdc_ncm(0x0, 0x7a, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000020000402505a1a44000010203010902680002010040000904000001020e0000052406000105240000000d370f0100000000000000000006241a0000000c241b4800f3ff00050080050905810300020000000904010000020d00000904010102020d0000090582020004000000090503020002"], 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000780)={0x84, &(0x7f0000000300)={0x0, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
executing program 4:
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000040)=0x90000)
ioctl$TIOCSTI(0xffffffffffffffff, 0x5412, &(0x7f0000000140)=0x8)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="4400000096ca077900000000000000", @ANYRES32=0x0, @ANYBLOB="0000000008290400240012800b000100697036746e6c0000140002800600120000000000060012"], 0x44}}, 0x0)
r1 = syz_usb_connect(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000014da2108ab1204000000000000010902240001b30000040904410c17ff5d810009050f1f05e13f000009058303"], 0x0)
io_uring_setup(0x160f, 0x0)
socket$netlink(0x10, 0x3, 0x0)
recvmsg$kcm(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x1, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f00000001c0)={'batadv0\x00', <r2=>0x0})
sendto$packet(0xffffffffffffffff, 0x0, 0x0, 0x24000805, &(0x7f0000000340)={0x11, 0x86dd, r2, 0x1, 0x0, 0x6, @local}, 0x14)
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000640)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x41c, 0x3c}}, './file0\x00'})
r3 = syz_open_dev$sndctrl(&(0x7f0000000300), 0x1, 0x0)
r4 = socket$packet(0x11, 0x2, 0x300)
setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000000000)={0x2, &(0x7f0000000440)=[{0x20, 0x2, 0x81, 0xfffff034}, {0x6, 0x1, 0x12, 0xffffffff}]}, 0x8)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x42901, 0x0)
r5 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @broadcast})
ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r3, 0xc2c45512, &(0x7f0000000340)={{0x8, 0x6, 0x0, 0x5, '\x00', 0xfffffffd}, 0x0, [0x101, 0x0, 0x0, 0x0, 0x4000000, 0x100001, 0x7, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x80000003, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x4, 0x4, 0x5, 0x0, 0x0, 0xe4, 0x0, 0x9, 0x3, 0x800, 0x8, 0x0, 0x0, 0x6, 0x0, 0x0, 0xa, 0x1, 0xcdc, 0x0, 0xffffffff, 0x600000, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x2, 0x0, 0x1559, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x8, 0x4, 0x800, 0x0, 0x3, 0x2, 0x0, 0x3, 0x0, 0x2, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x9, 0x80000000, 0x400000, 0x3, 0xc13, 0x0, 0x0, 0xfffffffc, 0x80000000, 0x0, 0x9, 0x80000000, 0xfffffffd, 0x0, 0x3, 0x800001, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x3, 0x0, 0x40000000, 0x2cbb, 0x2, 0x7b1ae8f, 0x6c, 0x0, 0x80000005, 0x0, 0x3, 0x2d6, 0x80000, 0x6, 0x100000, 0x0, 0x0, 0x4, 0x1, 0x2002001, 0x0, 0x0, 0xd686, 0x0, 0x8, 0x40000000, 0xfffffffb]})
socket$inet6_udp(0xa, 0x2, 0x0)
syz_open_dev$radio(&(0x7f0000000000), 0x2, 0x2)
syz_usb_ep_read(r1, 0xf, 0xffffffffffffffd2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
executing program 3:
r0 = syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x80)
ioctl$I2C_PEC(r0, 0x708, 0xfffffffffffffffe)
pwrite64(0xffffffffffffffff, 0x0, 0x0, 0x5)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x2, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="9feb010018000000000000"], 0x0, 0x34}, 0x28)
syz_io_uring_setup(0x7b6, &(0x7f0000000500)={0x0, 0x146, 0x0, 0x2, 0x400000}, &(0x7f0000000300)=<r2=>0x0, &(0x7f0000000280)=<r3=>0x0, &(0x7f0000000100)=<r4=>0x0)
syz_io_uring_submit(r2, r3, r4, &(0x7f00000001c0)=@IORING_OP_WRITE={0x17, 0x6, 0x4000, @fd, 0x8, 0x0, 0x0, 0x0, 0x1})
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{0xffffffffffffffff, <r5=>0xffffffffffffffff}, &(0x7f00000000c0), &(0x7f0000000100)}, 0x20)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000800)={0xffffffffffffffff, 0x20, &(0x7f00000007c0)={&(0x7f0000000600)=""/249, 0xf9, <r6=>0x0, 0x0}}, 0x10)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000940)=@bpf_lsm={0x1d, 0x3, &(0x7f0000000340)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x9b}}, &(0x7f0000000480)='syzkaller\x00', 0x3, 0x0, 0x0, 0x41100, 0x9, '\x00', 0x0, 0x1b, r1, 0x8, &(0x7f00000004c0)={0x1, 0x4}, 0x8, 0x10, &(0x7f00000005c0)={0x0, 0x6, 0x7, 0x8000}, 0x10, r6, 0x0, 0x0, &(0x7f0000000840)=[r1, r5], &(0x7f0000000880)}, 0x94)
r7 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r7, &(0x7f0000019680)=""/102392, 0x18ff8)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]})
pivot_root(0x0, 0x0)
write$cgroup_int(0xffffffffffffffff, &(0x7f0000000040)=0x1c9, 0x12)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, 0x0)
gettid()
r8 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0xc0040, 0x0)
ioctl$LOOP_CTL_REMOVE(r8, 0x4c81, 0x0)
ioctl$I2C_SMBUS(r0, 0x720, &(0x7f00000000c0)={0x1, 0x1, 0x5, &(0x7f0000000000)={0x1f, "90f5000012f300800000000000049942a55e00"}})
executing program 5:
r0 = openat$tun(0xffffff9c, &(0x7f0000000000), 0x200, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x50)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1, 0x50, 0xffffffffffffffff, 0x0)
r1 = socket(0x2c, 0x3, 0x1000)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
syz_genetlink_get_family_id$ethtool(0x0, r1)
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000080)={0x1, &(0x7f0000000040)=[{0x200000000006, 0x0, 0x0, 0x7ffc0002}]})
ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f00000001c0)=<r4=>0x0)
sched_setattr(r4, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x100000001, 0xfffffe0000000001, 0xfa11, 0x65aa}, 0x0)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file2\x00', 0x81c0, 0x0)
syz_io_uring_setup(0x4ad9, &(0x7f0000000300)={0x0, 0x9731, 0x4000, 0x3, 0x145}, &(0x7f00000003c0), 0x0, &(0x7f0000000000))
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x15)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
syz_open_procfs(0x0, &(0x7f0000000180)='cgroup\x00')
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000010000000900010073797a30000000002c000000030a01020000000000000000010000000900010073797a30000000000900030073797a312000000038000000030a01040000000000000000010000010900010073797a30000000000c00024000000000000000010900030003000000000000001400000011"], 0xac}, 0x1, 0x0, 0x0, 0x8040}, 0x0)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x19)
ioctl$TUNSETLINK(r0, 0x400454cd, 0x10e)
r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000001c0), 0x4b301, 0x0)
ioctl$TIOCSETD(r6, 0x5423, &(0x7f0000000240)=0xd)
writev(r6, &(0x7f0000000080)=[{&(0x7f0000000280)='*', 0x1}], 0x1)
syz_usb_connect(0x5, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="1201000092ecc620ac05c2773aeb0102030109022400010000"], 0x0)
executing program 1:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r1)
r2 = socket$unix(0x1, 0x1, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r4=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000026c0)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r4, {0x0, 0xb}, {0xffff, 0xffff}, {0xfff2, 0x2}}, [@qdisc_kind_options=@q_cbs={{0x8}, {0x1c, 0x2, @TCA_CBS_PARMS={0x18, 0x1, {0x0, '\x00', 0x1, 0x4, 0x100, 0x8}}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000001}, 0x0)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000300)={'syzkaller0\x00', @multicast})
socket$phonet_pipe(0x23, 0x5, 0x2)
r5 = socket$kcm(0x11, 0x3, 0x0)
r6 = socket$unix(0x1, 0x5, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r8=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000001c0)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x70b926, 0x25dfdc01, {0x0, 0x0, 0x0, r8, {0x0, 0xd}, {0xc, 0xb}, {0xffff, 0xffe0}}, [@qdisc_kind_options=@q_gred={{0x9}, {0x14, 0x2, [@TCA_GRED_DPS={0x10, 0x3, {0xe, 0x0, 0x0, 0x6}}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x240040e0}, 0x4890)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r9=>0x0})
setsockopt$sock_attach_bpf(r5, 0x107, 0xf, &(0x7f0000000600), 0x56)
sendmsg$kcm(r5, &(0x7f00000000c0)={&(0x7f0000000580)=@xdp={0x2c, 0x0, r9, 0x3e}, 0x80, &(0x7f0000000080)=[{&(0x7f0000000180)="27030200590214000600002fb96dbcf706e10500000088a8ffff86ddee162fd4b8bf4a31accb", 0xfdef}], 0x1}, 0x0)
executing program 1:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=1m43s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 15, 26, 22, 26, 19, 5, 23, 24, 27, 19, 20, 29]
detailed listing:
executing program 4:
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fd, 0x0, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f00000042c0)='mounts\x00')
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/crypto\x00', 0x0, 0x0)
read$FUSE(r1, &(0x7f0000000200)={0x2020}, 0x2020)
mount(&(0x7f0000000300), &(0x7f0000000080)='.\x00', &(0x7f0000000180)='devtmpfs\x00', 0x2200892, 0x0)
pread64(r0, &(0x7f0000002240)=""/237, 0xed, 0x4eb)
executing program 4:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
openat$ptp0(0xffffffffffffff9c, 0x0, 0x0, 0x0)
msgsnd(0x0, &(0x7f0000000180)=ANY=[@ANYRESOCT], 0x2000, 0x0)
execveat$binfmt(0xffffffffffffff9c, 0x0, 0x0, 0x0, 0x0)
mknodat$loop(0xffffffffffffff9c, 0x0, 0xc000, 0x0)
syz_open_dev$usbmon(0x0, 0x9, 0xa0002)
executing program 1:
r0 = syz_usb_connect(0x3, 0x24, &(0x7f0000001c80)=ANY=[@ANYBLOB="12010000941b6508c410c1ea2f700102030109021200010000000009040102"], 0x0)
r1 = socket(0x1d, 0x2, 0x6)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, 0x0)
bind$can_j1939(r1, 0x0, 0x0)
add_key$user(0x0, &(0x7f0000000100)={'syz', 0x2}, &(0x7f0000000080)="01", 0x1, 0xffffffffffffffff)
add_key$user(&(0x7f0000000140), &(0x7f00000003c0)={'syz', 0x0}, &(0x7f0000000400)="f40fc24077021c9b084c60ffc26f26db12b9e78d629870bb26edb4a5e1cc0942ed8c58ca4fe84b94a0e31ea64089ee9ca1efb52945ffebbfea11dd3d0ddc36a10285eccab940ab5c96cb5d81dadde6cfd6ea08d5abcb00bb35436929ddabce530b63fab525337057438cf64a506d54d5c83e3e593d1d53ad0e6a44168fe8cfc6ad98b653d84636e4ddc1f2ab58762b3494250b9557f5b606a43e50874c90143034142cd5f73b8e3b", 0xa8, 0xfffffffffffffffb)
keyctl$dh_compute(0x17, 0x0, &(0x7f0000001380)=""/4093, 0xffd, 0x0)
syz_genetlink_get_family_id$mptcp(0x0, r1)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
sendmsg$inet(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f00000000c0)="7b9050", 0x3}, {0x0}, {0x0}], 0x3}, 0x40090)
symlink(&(0x7f0000000080)='.\x00', &(0x7f0000000240)='./file0\x00')
getsockopt$TIPC_SRC_DROPPABLE(r1, 0x10f, 0x80, &(0x7f00000002c0), &(0x7f0000000380)=0x4)
r2 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r3 = fanotify_init(0x200, 0x0)
fanotify_mark(r3, 0x1, 0x4800003e, r2, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000580)='./file0\x00', 0x0, 0x0, 0x8, 0x0, 0x0)
lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0)
chmod(&(0x7f0000000180)='./file0\x00', 0x259)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11}, 0x94)
r4 = socket(0x1, 0x803, 0x0)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
ioctl$sock_SIOCETHTOOL(r5, 0x89f1, &(0x7f0000000340)={'sit0\x00', &(0x7f00000001c0)=@ethtool_cmd={0x3a, 0x5, 0x0, 0x0, 0x7, 0x0, 0x3, 0xfc, 0x3, 0xfc, 0x0, 0x1, 0x0, 0xff, 0x0, 0x1045}})
r6 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route(r6, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
executing program 2:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 5:
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040f04"], 0x7)
close(0xffffffffffffffff)
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
listen(r0, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r1)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
accept(r1, 0x0, 0x0)
recvfrom(r3, 0x0, 0x0, 0x4100, 0x0, 0x0)
mmap(&(0x7f0000200000/0x4000)=nil, 0x4000, 0x4, 0x200000006c832, 0xffffffffffffffff, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x38}}, 0x0)
executing program 2:
r0 = syz_usb_connect$cdc_ncm(0x0, 0x7a, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000020000402505a1a44000010203010902680002010040000904000001020e0000052406000105240000000d370f0100000000000000000006241a0000000c241b4800f3ff00050080050905810300020000000904010000020d00000904010102020d0000090582020004000000090503020002"], 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000780)={0x84, &(0x7f0000000300)={0x0, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
executing program 4:
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000040)=0x90000)
ioctl$TIOCSTI(0xffffffffffffffff, 0x5412, &(0x7f0000000140)=0x8)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="4400000096ca077900000000000000", @ANYRES32=0x0, @ANYBLOB="0000000008290400240012800b000100697036746e6c0000140002800600120000000000060012"], 0x44}}, 0x0)
r1 = syz_usb_connect(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000014da2108ab1204000000000000010902240001b30000040904410c17ff5d810009050f1f05e13f000009058303"], 0x0)
io_uring_setup(0x160f, 0x0)
socket$netlink(0x10, 0x3, 0x0)
recvmsg$kcm(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x1, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f00000001c0)={'batadv0\x00', <r2=>0x0})
sendto$packet(0xffffffffffffffff, 0x0, 0x0, 0x24000805, &(0x7f0000000340)={0x11, 0x86dd, r2, 0x1, 0x0, 0x6, @local}, 0x14)
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000640)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x41c, 0x3c}}, './file0\x00'})
r3 = syz_open_dev$sndctrl(&(0x7f0000000300), 0x1, 0x0)
r4 = socket$packet(0x11, 0x2, 0x300)
setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000000000)={0x2, &(0x7f0000000440)=[{0x20, 0x2, 0x81, 0xfffff034}, {0x6, 0x1, 0x12, 0xffffffff}]}, 0x8)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x42901, 0x0)
r5 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @broadcast})
ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r3, 0xc2c45512, &(0x7f0000000340)={{0x8, 0x6, 0x0, 0x5, '\x00', 0xfffffffd}, 0x0, [0x101, 0x0, 0x0, 0x0, 0x4000000, 0x100001, 0x7, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x80000003, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x4, 0x4, 0x5, 0x0, 0x0, 0xe4, 0x0, 0x9, 0x3, 0x800, 0x8, 0x0, 0x0, 0x6, 0x0, 0x0, 0xa, 0x1, 0xcdc, 0x0, 0xffffffff, 0x600000, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x2, 0x0, 0x1559, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x8, 0x4, 0x800, 0x0, 0x3, 0x2, 0x0, 0x3, 0x0, 0x2, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x9, 0x80000000, 0x400000, 0x3, 0xc13, 0x0, 0x0, 0xfffffffc, 0x80000000, 0x0, 0x9, 0x80000000, 0xfffffffd, 0x0, 0x3, 0x800001, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x3, 0x0, 0x40000000, 0x2cbb, 0x2, 0x7b1ae8f, 0x6c, 0x0, 0x80000005, 0x0, 0x3, 0x2d6, 0x80000, 0x6, 0x100000, 0x0, 0x0, 0x4, 0x1, 0x2002001, 0x0, 0x0, 0xd686, 0x0, 0x8, 0x40000000, 0xfffffffb]})
socket$inet6_udp(0xa, 0x2, 0x0)
syz_open_dev$radio(&(0x7f0000000000), 0x2, 0x2)
syz_usb_ep_read(r1, 0xf, 0xffffffffffffffd2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
executing program 3:
r0 = syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x80)
ioctl$I2C_PEC(r0, 0x708, 0xfffffffffffffffe)
pwrite64(0xffffffffffffffff, 0x0, 0x0, 0x5)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x2, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="9feb010018000000000000"], 0x0, 0x34}, 0x28)
syz_io_uring_setup(0x7b6, &(0x7f0000000500)={0x0, 0x146, 0x0, 0x2, 0x400000}, &(0x7f0000000300)=<r2=>0x0, &(0x7f0000000280)=<r3=>0x0, &(0x7f0000000100)=<r4=>0x0)
syz_io_uring_submit(r2, r3, r4, &(0x7f00000001c0)=@IORING_OP_WRITE={0x17, 0x6, 0x4000, @fd, 0x8, 0x0, 0x0, 0x0, 0x1})
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{0xffffffffffffffff, <r5=>0xffffffffffffffff}, &(0x7f00000000c0), &(0x7f0000000100)}, 0x20)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000800)={0xffffffffffffffff, 0x20, &(0x7f00000007c0)={&(0x7f0000000600)=""/249, 0xf9, <r6=>0x0, 0x0}}, 0x10)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000940)=@bpf_lsm={0x1d, 0x3, &(0x7f0000000340)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x9b}}, &(0x7f0000000480)='syzkaller\x00', 0x3, 0x0, 0x0, 0x41100, 0x9, '\x00', 0x0, 0x1b, r1, 0x8, &(0x7f00000004c0)={0x1, 0x4}, 0x8, 0x10, &(0x7f00000005c0)={0x0, 0x6, 0x7, 0x8000}, 0x10, r6, 0x0, 0x0, &(0x7f0000000840)=[r1, r5], &(0x7f0000000880)}, 0x94)
r7 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r7, &(0x7f0000019680)=""/102392, 0x18ff8)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]})
pivot_root(0x0, 0x0)
write$cgroup_int(0xffffffffffffffff, &(0x7f0000000040)=0x1c9, 0x12)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, 0x0)
gettid()
r8 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0xc0040, 0x0)
ioctl$LOOP_CTL_REMOVE(r8, 0x4c81, 0x0)
ioctl$I2C_SMBUS(r0, 0x720, &(0x7f00000000c0)={0x1, 0x1, 0x5, &(0x7f0000000000)={0x1f, "90f5000012f300800000000000049942a55e00"}})
executing program 5:
r0 = openat$tun(0xffffff9c, &(0x7f0000000000), 0x200, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x50)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1, 0x50, 0xffffffffffffffff, 0x0)
r1 = socket(0x2c, 0x3, 0x1000)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
syz_genetlink_get_family_id$ethtool(0x0, r1)
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000080)={0x1, &(0x7f0000000040)=[{0x200000000006, 0x0, 0x0, 0x7ffc0002}]})
ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f00000001c0)=<r4=>0x0)
sched_setattr(r4, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x100000001, 0xfffffe0000000001, 0xfa11, 0x65aa}, 0x0)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file2\x00', 0x81c0, 0x0)
syz_io_uring_setup(0x4ad9, &(0x7f0000000300)={0x0, 0x9731, 0x4000, 0x3, 0x145}, &(0x7f00000003c0), 0x0, &(0x7f0000000000))
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x15)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
syz_open_procfs(0x0, &(0x7f0000000180)='cgroup\x00')
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000010000000900010073797a30000000002c000000030a01020000000000000000010000000900010073797a30000000000900030073797a312000000038000000030a01040000000000000000010000010900010073797a30000000000c00024000000000000000010900030003000000000000001400000011"], 0xac}, 0x1, 0x0, 0x0, 0x8040}, 0x0)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x19)
ioctl$TUNSETLINK(r0, 0x400454cd, 0x10e)
r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000001c0), 0x4b301, 0x0)
ioctl$TIOCSETD(r6, 0x5423, &(0x7f0000000240)=0xd)
writev(r6, &(0x7f0000000080)=[{&(0x7f0000000280)='*', 0x1}], 0x1)
syz_usb_connect(0x5, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="1201000092ecc620ac05c2773aeb0102030109022400010000"], 0x0)
executing program 1:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r1)
r2 = socket$unix(0x1, 0x1, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r4=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000026c0)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r4, {0x0, 0xb}, {0xffff, 0xffff}, {0xfff2, 0x2}}, [@qdisc_kind_options=@q_cbs={{0x8}, {0x1c, 0x2, @TCA_CBS_PARMS={0x18, 0x1, {0x0, '\x00', 0x1, 0x4, 0x100, 0x8}}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000001}, 0x0)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000300)={'syzkaller0\x00', @multicast})
socket$phonet_pipe(0x23, 0x5, 0x2)
r5 = socket$kcm(0x11, 0x3, 0x0)
r6 = socket$unix(0x1, 0x5, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r8=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000001c0)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x70b926, 0x25dfdc01, {0x0, 0x0, 0x0, r8, {0x0, 0xd}, {0xc, 0xb}, {0xffff, 0xffe0}}, [@qdisc_kind_options=@q_gred={{0x9}, {0x14, 0x2, [@TCA_GRED_DPS={0x10, 0x3, {0xe, 0x0, 0x0, 0x6}}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x240040e0}, 0x4890)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r9=>0x0})
setsockopt$sock_attach_bpf(r5, 0x107, 0xf, &(0x7f0000000600), 0x56)
sendmsg$kcm(r5, &(0x7f00000000c0)={&(0x7f0000000580)=@xdp={0x2c, 0x0, r9, 0x3e}, 0x80, &(0x7f0000000080)=[{&(0x7f0000000180)="27030200590214000600002fb96dbcf706e10500000088a8ffff86ddee162fd4b8bf4a31accb", 0xfdef}], 0x1}, 0x0)
executing program 1:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
bisect: the chunk can be dropped
bisect: testing without sub-chunk 3/3
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-socket-getsockname$packet-sendmsg$sock-bpf$PROG_LOAD-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$nl802154-syz_genetlink_get_family_id$netlbl_cipso-syz_init_net_socket$bt_sco-socket$nl_netfilter-sendmsg$IPCTNL_MSG_CT_NEW-syz_init_net_socket$ax25-ioctl$sock_netdev_private-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netrom_SIOCADDRT-syz_init_net_socket$ax25-bind$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_genetlink_get_family_id$tipc2-syz_genetlink_get_family_id$ipvs-setsockopt$ax25_SO_BINDTODEVICE-socket$nl_xfrm-ioctl$sock_netdev_private-writev-socket$nl_route-socket-socket$nl_route-bpf$BPF_MAP_GET_FD_BY_ID-bpf$MAP_CREATE_TAIL_CALL
detailed listing:
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
bisect: split chunks (needed=true): <12>
bisect: split chunk #0 of len 12 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 23, 24, 27, 19, 20, 29]
detailed listing:
executing program 2:
r0 = syz_usb_connect$cdc_ncm(0x0, 0x7a, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000020000402505a1a44000010203010902680002010040000904000001020e0000052406000105240000000d370f0100000000000000000006241a0000000c241b4800f3ff00050080050905810300020000000904010000020d00000904010102020d0000090582020004000000090503020002"], 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000780)={0x84, &(0x7f0000000300)={0x0, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
executing program 4:
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000040)=0x90000)
ioctl$TIOCSTI(0xffffffffffffffff, 0x5412, &(0x7f0000000140)=0x8)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="4400000096ca077900000000000000", @ANYRES32=0x0, @ANYBLOB="0000000008290400240012800b000100697036746e6c0000140002800600120000000000060012"], 0x44}}, 0x0)
r1 = syz_usb_connect(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000014da2108ab1204000000000000010902240001b30000040904410c17ff5d810009050f1f05e13f000009058303"], 0x0)
io_uring_setup(0x160f, 0x0)
socket$netlink(0x10, 0x3, 0x0)
recvmsg$kcm(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
openat$kvm(0xffffffffffffff9c, 0x0, 0x1, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(0xffffffffffffffff, 0x8933, &(0x7f00000001c0)={'batadv0\x00', <r2=>0x0})
sendto$packet(0xffffffffffffffff, 0x0, 0x0, 0x24000805, &(0x7f0000000340)={0x11, 0x86dd, r2, 0x1, 0x0, 0x6, @local}, 0x14)
ioctl$AUTOFS_DEV_IOCTL_FAIL(0xffffffffffffffff, 0xc0189377, &(0x7f0000000640)={{0x1, 0x1, 0x18, 0xffffffffffffffff, {0x41c, 0x3c}}, './file0\x00'})
r3 = syz_open_dev$sndctrl(&(0x7f0000000300), 0x1, 0x0)
r4 = socket$packet(0x11, 0x2, 0x300)
setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000000000)={0x2, &(0x7f0000000440)=[{0x20, 0x2, 0x81, 0xfffff034}, {0x6, 0x1, 0x12, 0xffffffff}]}, 0x8)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x42901, 0x0)
r5 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @broadcast})
ioctl$SNDRV_CTL_IOCTL_ELEM_READ(r3, 0xc2c45512, &(0x7f0000000340)={{0x8, 0x6, 0x0, 0x5, '\x00', 0xfffffffd}, 0x0, [0x101, 0x0, 0x0, 0x0, 0x4000000, 0x100001, 0x7, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x80000003, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x4, 0x4, 0x5, 0x0, 0x0, 0xe4, 0x0, 0x9, 0x3, 0x800, 0x8, 0x0, 0x0, 0x6, 0x0, 0x0, 0xa, 0x1, 0xcdc, 0x0, 0xffffffff, 0x600000, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x2, 0x0, 0x1559, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x80000001, 0x8, 0x4, 0x800, 0x0, 0x3, 0x2, 0x0, 0x3, 0x0, 0x2, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x9, 0x80000000, 0x400000, 0x3, 0xc13, 0x0, 0x0, 0xfffffffc, 0x80000000, 0x0, 0x9, 0x80000000, 0xfffffffd, 0x0, 0x3, 0x800001, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x3, 0x0, 0x40000000, 0x2cbb, 0x2, 0x7b1ae8f, 0x6c, 0x0, 0x80000005, 0x0, 0x3, 0x2d6, 0x80000, 0x6, 0x100000, 0x0, 0x0, 0x4, 0x1, 0x2002001, 0x0, 0x0, 0xd686, 0x0, 0x8, 0x40000000, 0xfffffffb]})
socket$inet6_udp(0xa, 0x2, 0x0)
syz_open_dev$radio(&(0x7f0000000000), 0x2, 0x2)
syz_usb_ep_read(r1, 0xf, 0xffffffffffffffd2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
executing program 3:
r0 = syz_open_dev$I2C(&(0x7f0000000040), 0x0, 0x80)
ioctl$I2C_PEC(r0, 0x708, 0xfffffffffffffffe)
pwrite64(0xffffffffffffffff, 0x0, 0x0, 0x5)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x2, 0x0, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="9feb010018000000000000"], 0x0, 0x34}, 0x28)
syz_io_uring_setup(0x7b6, &(0x7f0000000500)={0x0, 0x146, 0x0, 0x2, 0x400000}, &(0x7f0000000300)=<r2=>0x0, &(0x7f0000000280)=<r3=>0x0, &(0x7f0000000100)=<r4=>0x0)
syz_io_uring_submit(r2, r3, r4, &(0x7f00000001c0)=@IORING_OP_WRITE={0x17, 0x6, 0x4000, @fd, 0x8, 0x0, 0x0, 0x0, 0x1})
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{0xffffffffffffffff, <r5=>0xffffffffffffffff}, &(0x7f00000000c0), &(0x7f0000000100)}, 0x20)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f0000000800)={0xffffffffffffffff, 0x20, &(0x7f00000007c0)={&(0x7f0000000600)=""/249, 0xf9, <r6=>0x0, 0x0}}, 0x10)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000940)=@bpf_lsm={0x1d, 0x3, &(0x7f0000000340)=@framed={{0x18, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x9b}}, &(0x7f0000000480)='syzkaller\x00', 0x3, 0x0, 0x0, 0x41100, 0x9, '\x00', 0x0, 0x1b, r1, 0x8, &(0x7f00000004c0)={0x1, 0x4}, 0x8, 0x10, &(0x7f00000005c0)={0x0, 0x6, 0x7, 0x8000}, 0x10, r6, 0x0, 0x0, &(0x7f0000000840)=[r1, r5], &(0x7f0000000880)}, 0x94)
r7 = syz_open_dev$MSR(&(0x7f0000000240), 0x0, 0x0)
read$msr(r7, &(0x7f0000019680)=""/102392, 0x18ff8)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]})
pivot_root(0x0, 0x0)
write$cgroup_int(0xffffffffffffffff, &(0x7f0000000040)=0x1c9, 0x12)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(0xffffffffffffffff, 0xc01864c6, 0x0)
gettid()
r8 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0xc0040, 0x0)
ioctl$LOOP_CTL_REMOVE(r8, 0x4c81, 0x0)
ioctl$I2C_SMBUS(r0, 0x720, &(0x7f00000000c0)={0x1, 0x1, 0x5, &(0x7f0000000000)={0x1f, "90f5000012f300800000000000049942a55e00"}})
executing program 5:
r0 = openat$tun(0xffffff9c, &(0x7f0000000000), 0x200, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x50)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1, 0x50, 0xffffffffffffffff, 0x0)
r1 = socket(0x2c, 0x3, 0x1000)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r3, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
syz_genetlink_get_family_id$ethtool(0x0, r1)
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000080)={0x1, &(0x7f0000000040)=[{0x200000000006, 0x0, 0x0, 0x7ffc0002}]})
ioctl$sock_FIOGETOWN(r2, 0x8903, &(0x7f00000001c0)=<r4=>0x0)
sched_setattr(r4, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x9, 0x100000001, 0xfffffe0000000001, 0xfa11, 0x65aa}, 0x0)
mknodat(0xffffffffffffff9c, &(0x7f00000000c0)='./file2\x00', 0x81c0, 0x0)
syz_io_uring_setup(0x4ad9, &(0x7f0000000300)={0x0, 0x9731, 0x4000, 0x3, 0x145}, &(0x7f00000003c0), 0x0, &(0x7f0000000000))
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x15)
madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e)
syz_open_procfs(0x0, &(0x7f0000000180)='cgroup\x00')
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000010000000900010073797a30000000002c000000030a01020000000000000000010000000900010073797a30000000000900030073797a312000000038000000030a01040000000000000000010000010900010073797a30000000000c00024000000000000000010900030003000000000000001400000011"], 0xac}, 0x1, 0x0, 0x0, 0x8040}, 0x0)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600722, 0x19)
ioctl$TUNSETLINK(r0, 0x400454cd, 0x10e)
r6 = openat$ttyS3(0xffffffffffffff9c, &(0x7f00000001c0), 0x4b301, 0x0)
ioctl$TIOCSETD(r6, 0x5423, &(0x7f0000000240)=0xd)
writev(r6, &(0x7f0000000080)=[{&(0x7f0000000280)='*', 0x1}], 0x1)
syz_usb_connect(0x5, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="1201000092ecc620ac05c2773aeb0102030109022400010000"], 0x0)
executing program 1:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0x102, 0x0)
close(r1)
r2 = socket$unix(0x1, 0x1, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r4=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000026c0)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r4, {0x0, 0xb}, {0xffff, 0xffff}, {0xfff2, 0x2}}, [@qdisc_kind_options=@q_cbs={{0x8}, {0x1c, 0x2, @TCA_CBS_PARMS={0x18, 0x1, {0x0, '\x00', 0x1, 0x4, 0x100, 0x8}}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x20000001}, 0x0)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000300)={'syzkaller0\x00', @multicast})
socket$phonet_pipe(0x23, 0x5, 0x2)
r5 = socket$kcm(0x11, 0x3, 0x0)
r6 = socket$unix(0x1, 0x5, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r8=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000001c0)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x70b926, 0x25dfdc01, {0x0, 0x0, 0x0, r8, {0x0, 0xd}, {0xc, 0xb}, {0xffff, 0xffe0}}, [@qdisc_kind_options=@q_gred={{0x9}, {0x14, 0x2, [@TCA_GRED_DPS={0x10, 0x3, {0xe, 0x0, 0x0, 0x6}}]}}]}, 0x44}, 0x1, 0x0, 0x0, 0x240040e0}, 0x4890)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r9=>0x0})
setsockopt$sock_attach_bpf(r5, 0x107, 0xf, &(0x7f0000000600), 0x56)
sendmsg$kcm(r5, &(0x7f00000000c0)={&(0x7f0000000580)=@xdp={0x2c, 0x0, r9, 0x3e}, 0x80, &(0x7f0000000080)=[{&(0x7f0000000180)="27030200590214000600002fb96dbcf706e10500000088a8ffff86ddee162fd4b8bf4a31accb", 0xfdef}], 0x1}, 0x0)
executing program 1:
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x6)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x48, 0x0, 0x0)
connect$unix(r1, &(0x7f00000007c0)=@file={0x0, './file1/file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
socket$inet(0xa, 0x1, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x19, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x4000}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x14, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x6, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200}, 0x94)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan1\x00'})
r3 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ioctl(r3, 0x8b2c, &(0x7f0000000040))
socket$packet(0x11, 0x2, 0x300)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
ioctl$VIDIOC_S_PARM(r3, 0xc0cc5616, &(0x7f0000000840)={0x5, @output={0x0, 0x1, {0x9, 0xfffffff9}, 0x101, 0x2}})
mount(0x0, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000080)='xfs\x00', 0x2208004, 0x0)
syz_open_dev$cec(&(0x7f0000000200), 0xffffffffffffffff, 0x4ae60)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 15, 26, 22, 26, 19, 29]
detailed listing:
executing program 4:
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fd, 0x0, 0x0)
r0 = syz_open_procfs(0x0, &(0x7f00000042c0)='mounts\x00')
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/crypto\x00', 0x0, 0x0)
read$FUSE(r1, &(0x7f0000000200)={0x2020}, 0x2020)
mount(&(0x7f0000000300), &(0x7f0000000080)='.\x00', &(0x7f0000000180)='devtmpfs\x00', 0x2200892, 0x0)
pread64(r0, &(0x7f0000002240)=""/237, 0xed, 0x4eb)
executing program 4:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x100}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
openat$ptp0(0xffffffffffffff9c, 0x0, 0x0, 0x0)
msgsnd(0x0, &(0x7f0000000180)=ANY=[@ANYRESOCT], 0x2000, 0x0)
execveat$binfmt(0xffffffffffffff9c, 0x0, 0x0, 0x0, 0x0)
mknodat$loop(0xffffffffffffff9c, 0x0, 0xc000, 0x0)
syz_open_dev$usbmon(0x0, 0x9, 0xa0002)
executing program 1:
r0 = syz_usb_connect(0x3, 0x24, &(0x7f0000001c80)=ANY=[@ANYBLOB="12010000941b6508c410c1ea2f700102030109021200010000000009040102"], 0x0)
r1 = socket(0x1d, 0x2, 0x6)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, 0x0)
bind$can_j1939(r1, 0x0, 0x0)
add_key$user(0x0, &(0x7f0000000100)={'syz', 0x2}, &(0x7f0000000080)="01", 0x1, 0xffffffffffffffff)
add_key$user(&(0x7f0000000140), &(0x7f00000003c0)={'syz', 0x0}, &(0x7f0000000400)="f40fc24077021c9b084c60ffc26f26db12b9e78d629870bb26edb4a5e1cc0942ed8c58ca4fe84b94a0e31ea64089ee9ca1efb52945ffebbfea11dd3d0ddc36a10285eccab940ab5c96cb5d81dadde6cfd6ea08d5abcb00bb35436929ddabce530b63fab525337057438cf64a506d54d5c83e3e593d1d53ad0e6a44168fe8cfc6ad98b653d84636e4ddc1f2ab58762b3494250b9557f5b606a43e50874c90143034142cd5f73b8e3b", 0xa8, 0xfffffffffffffffb)
keyctl$dh_compute(0x17, 0x0, &(0x7f0000001380)=""/4093, 0xffd, 0x0)
syz_genetlink_get_family_id$mptcp(0x0, r1)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
sendmsg$inet(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f00000000c0)="7b9050", 0x3}, {0x0}, {0x0}], 0x3}, 0x40090)
symlink(&(0x7f0000000080)='.\x00', &(0x7f0000000240)='./file0\x00')
getsockopt$TIPC_SRC_DROPPABLE(r1, 0x10f, 0x80, &(0x7f00000002c0), &(0x7f0000000380)=0x4)
r2 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x0)
r3 = fanotify_init(0x200, 0x0)
fanotify_mark(r3, 0x1, 0x4800003e, r2, 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000580)='./file0\x00', 0x0, 0x0, 0x8, 0x0, 0x0)
lsetxattr$trusted_overlay_upper(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0), 0x0, 0x0, 0x0)
chmod(&(0x7f0000000180)='./file0\x00', 0x259)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000100)={0x1f, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11}, 0x94)
r4 = socket(0x1, 0x803, 0x0)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
ioctl$sock_SIOCETHTOOL(r5, 0x89f1, &(0x7f0000000340)={'sit0\x00', &(0x7f00000001c0)=@ethtool_cmd={0x3a, 0x5, 0x0, 0x0, 0x7, 0x0, 0x3, 0xfc, 0x3, 0xfc, 0x0, 0x1, 0x0, 0xff, 0x0, 0x1045}})
r6 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route(r6, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
executing program 2:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 5:
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040f04"], 0x7)
close(0xffffffffffffffff)
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
listen(r0, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r1)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
accept(r1, 0x0, 0x0)
recvfrom(r3, 0x0, 0x0, 0x4100, 0x0, 0x0)
mmap(&(0x7f0000200000/0x4000)=nil, 0x4000, 0x4, 0x200000006c832, 0xffffffffffffffff, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x38}}, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <6>
bisect: split chunk #0 of len 6 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [22, 26, 19, 29]
detailed listing:
executing program 2:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 5:
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040f04"], 0x7)
close(0xffffffffffffffff)
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
listen(r0, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r1)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
accept(r1, 0x0, 0x0)
recvfrom(r3, 0x0, 0x0, 0x4100, 0x0, 0x0)
mmap(&(0x7f0000200000/0x4000)=nil, 0x4000, 0x4, 0x200000006c832, 0xffffffffffffffff, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x38}}, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <3>
bisect: split chunk #0 of len 3 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [19, 29]
detailed listing:
executing program 5:
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040f04"], 0x7)
close(0xffffffffffffffff)
r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)
listen(r0, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r1)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
accept(r1, 0x0, 0x0)
recvfrom(r3, 0x0, 0x0, 0x4100, 0x0, 0x0)
mmap(&(0x7f0000200000/0x4000)=nil, 0x4000, 0x4, 0x200000006c832, 0xffffffffffffffff, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r4, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x38}}, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [22, 26, 29]
detailed listing:
executing program 2:
syz_usb_connect(0x0, 0x5a, 0x0, 0x0)
socketpair$unix(0x1, 0x3, 0x0, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(0xffffffffffffffff, 0x110, 0x2, 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000380)='./cgroup.cpu/cgroup.procs\x00', 0x0, 0x0)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$COMEDI_DEVCONFIG(0xffffffffffffffff, 0x40946400, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000380)={0x8, 0x100008b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000000)=0x3)
r0 = syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x143102)
writev(r0, &(0x7f0000000840)=[{&(0x7f00000002c0)="94", 0xf000}, {0x0}], 0x2)
r1 = userfaultfd(0x801)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x4000800)
ioctl$UFFDIO_API(r1, 0xc018aa3f, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000000, 0x5d032, 0xffffffffffffffff, 0x0)
r2 = userfaultfd(0x80801)
ioctl$UFFDIO_REGISTER(r2, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x5})
ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
syz_usb_connect$cdc_ncm(0x3, 0x72, 0x0, 0x0)
sendmsg$IPCTNL_MSG_CT_GET(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000340)=ANY=[@ANYBLOB="5c0000000101010100000000000000000a0000003c00018005000280050001003a0000002c00010900000300fc02000000"], 0x5c}}, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <2>
bisect: split chunk #0 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [26, 29]
detailed listing:
executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <1>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 2 programs left: 

executing program 4:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)


bisect: trying to concatenate
bisect: concatenate 2 entries
minimizing program #0 before concatenation
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [25, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
ioctl$sock_rose_SIOCDELRT(r5, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@null, @default, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [24, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
r5 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r5, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x6, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bpq0, 0x0, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @bcast, @null]})
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [23, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
syz_init_net_socket$rose(0xb, 0x5, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [22, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
syz_open_procfs$namespace(0x0, &(0x7f0000000240)='ns/time_for_children\x00')
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [21, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
r4 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r4, 0x890b, &(0x7f0000000380)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x0}, 0x7, @null, @bpq0, 0x0, [@bcast, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [20, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
syz_init_net_socket$rose(0xb, 0x5, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [19, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_NODES(0xffffffffffffffff, 0x0, 0x20000000)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [18, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
syz_genetlink_get_family_id$tipc(&(0x7f00000002c0), 0xffffffffffffffff)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [17, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
ioctl$int_in(0xffffffffffffffff, 0x5421, &(0x7f00000000c0)=0x7)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [16, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
ioctl$FS_IOC_RESVSP(0xffffffffffffffff, 0x40305829, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [15, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r3, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$F2FS_IOC_GET_FEATURES(r1, 0x8004f50c, 0x0)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [13, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r2, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [12, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r2, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [12, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
write(r2, &(0x7f0000000400)="1113687780fefab361d94a0dd7a95379ac0c0fc249f56b53ef19017a44f186ed885373f8d443e66e17ac32c4f3b60d8625d9fd6479f5fab5700bcfe817c722624f3bdf32404846e404cd8fe797ba8bbf9edf29167c5450b2b0888b8d33a629239d0c4d325c76ceedc47f4718084ba57ead2e225957b3e1a773d78304551ac0b60f2f0003071204d5c52ddeca97cc637a60df6b7cc1038f67100f4ac283388c1c8ce3d147a7b2e794872a7c5fdc", 0xad)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [12, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000000300)={0x614b, 0x0, 0x8001, 0x10, 0x5, 0xfffffc01, 0x10001, 0x9}, &(0x7f0000000340)=0x20)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [11, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
setsockopt$inet_sctp6_SCTP_HMAC_IDENT(r0, 0x84, 0x16, &(0x7f0000000040)=ANY=[@ANYBLOB="180000f6d8369d723fd7fd6437dab4cead00"], 0x4)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [10, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
getpeername(r0, 0x0, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [9, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
sendto$inet6(r0, &(0x7f00000004c0)='W', 0x1, 0x4, &(0x7f0000000100)={0xa, 0x0, 0x3, @loopback, 0x8}, 0x1c)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [8, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000380)={0xfffc}, 0x8)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [7, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
socket$inet6_sctp(0xa, 0x1, 0x84)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 29]
detailed listing:
executing program 0:
socket(0xa, 0x5, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 29]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r3)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r6 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r6, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r7 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r7, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r7)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
writev(r8, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
r9 = bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0300000004000000040000000a000000000000", @ANYRES32=r9, @ANYBLOB, @ANYRES32=r2, @ANYRES32, @ANYBLOB="020000000500000003100000000000000000000000000000a8000000ed2228772fc2070ea999d50ab9e0faee217dc00b7c69dea8378dd2bb6f38e6bab3980fa4299775bdf52acc5e2edefaaa22817f0d385d75aebb542cb01306a8580724c2650c5c838f8f3a989e470098e8b7e384e679418c4b1d73e4dacd0f10f24b6ed340b63340eb49ad761c0c0583bdda408b0a1b818e43575cb2f2b5c8fbd82fd5b5e92ccced3c27f7f675c4e0155507457e82ad2b3f40613f6b16b2fa806c9a7600"], 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
minimized 26 calls -> 5 calls
minimizing program #1 before concatenation
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 28]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r5 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r5, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r6 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r6, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r6)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r7 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
writev(r7, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)
bpf$BPF_MAP_GET_FD_BY_ID(0xe, &(0x7f0000000100)={0x0, 0x2, 0x10}, 0xc)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 27]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r5 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r5, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r6 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r6, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r6)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r7 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
writev(r7, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)
socket$nl_route(0x10, 0x3, 0x0)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 26]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r5 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r5, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r6 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r6, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r6)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r7 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
writev(r7, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x2, 0x1, 0x3ffffe)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 25]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r5 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r5, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r6 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r6, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r6)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r7 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
writev(r7, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 24]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r5 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r5, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r6 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r6, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r6)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r7 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
writev(r7, 0x0, 0x0)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 23]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r5 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r5, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r6 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r6, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r6)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 22]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r5 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r5, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r5)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
socket$nl_xfrm(0x10, 0x3, 0x6)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 21]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r5 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r5, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r5)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 20]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r2)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r5 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r5, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r5)
syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), r1)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 19]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r4 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r4, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000600), r4)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 18]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r4 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r4, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000180)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 17]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r4 = syz_init_net_socket$ax25(0x3, 0x5, 0xca)
bind$ax25(r4, &(0x7f0000000280)={{0x3, @default, 0x1}, [@null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @null]}, 0x48)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 16]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
syz_init_net_socket$ax25(0x3, 0x5, 0xca)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 15]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)
ioctl$sock_netrom_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000000)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bpq0, 0x1, 'syz1\x00', @null, 0x7, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 14]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 13]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
syz_init_net_socket$ax25(0x3, 0x2, 0x0)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 13]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 12]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=ANY=[@ANYBLOB="8000000000010104000000000000000002000000240001801400018008000100e000000108000200e00000010c000280050001000000000024000280140001800800010000000000080002007f0000010c00028005000100000000000800074000000000080003400000100e140005800500"], 0x80}}, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 12]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
socket$nl_netfilter(0x10, 0x3, 0xc)
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 11]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 10]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
syz_genetlink_get_family_id$netlbl_cipso(0x0, r1)
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 9]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 8]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 7]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x8, 0x16, &(0x7f00000022c0)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, '\x00', 0x0, @fallback=0xe, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8}, 0x94)
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 6]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$sock(r0, &(0x7f0000000400)={0x0, 0x0, 0x0}, 0x8000)
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 5]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
getsockname$packet(0xffffffffffffffff, &(0x7f0000000300)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
r0 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r0, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 4]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
socket$nl_route(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0)
r0 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r0, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 3]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
socket$nl_route(0x10, 0x3, 0x0)
r0 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r0, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 2]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
executing program 0:
r0 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r0, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
minimized 29 calls -> 2 calls
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
bisect: concatenation succeeded
found reproducer with 7 syscalls
minimizing guilty program
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
syz_init_net_socket$ax25(0x3, 0x2, 0x0)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: lost connection to test machine
suppressed program crash: lost connection to test machine
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, 0x0)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, 0x0, 0x0)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, 0x0)
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program did not crash
testing program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=1m0.914089536s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
simplifying C reproducer
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program did not crash
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program did not crash
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program did not crash
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
validation run: crashed=true
testing program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
validation run: crashed=true
testing program (duration=1m0.914089536s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-ioctl$sock_SIOCGIFINDEX-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r1, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f0000000240)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
validation run: crashed=true
reproducing took 2h28m40.633908659s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
BUG: KASAN: use-after-free in ax25_fillin_cb+0x459/0x640 net/ax25/af_ax25.c:495
Read of size 4 at addr ffff888070e66738 by task syz.0.19/4420

CPU: 1 PID: 4420 Comm: syz.0.19 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
 ax25_fillin_cb+0x459/0x640 net/ax25/af_ax25.c:495
 ax25_setsockopt+0x8c9/0xa60 net/ax25/af_ax25.c:690
 __sys_setsockopt+0x2bf/0x3d0 net/socket.c:2212
 __do_sys_setsockopt net/socket.c:2223 [inline]
 __se_sys_setsockopt net/socket.c:2220 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2220
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f6657023819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd3b446b48 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f665729cfa0 RCX: 00007f6657023819
RDX: 0000000000000019 RSI: 0000000000000101 RDI: 0000000000000007
RBP: 00007f66570b9c91 R08: 0000000000000010 R09: 0000000000000000
R10: 0000200000000240 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f665729cfac R14: 00007f665729cfa0 R15: 00007f665729cfa0
 </TASK>

Allocated by task 4407:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:607 [inline]
 kzalloc include/linux/slab.h:738 [inline]
 ax25_dev_device_up+0x50/0x580 net/ax25/ax25_dev.c:55
 ax25_device_event+0x483/0x4f0 net/ax25/af_ax25.c:139
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2074 [inline]
 call_netdevice_notifiers net/core/dev.c:2088 [inline]
 __dev_notify_flags+0x194/0x300 net/core/dev.c:8917
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8955
 dev_ifsioc+0x130/0xd50 net/core/dev_ioctl.c:324
 dev_ioctl+0x545/0xe30 net/core/dev_ioctl.c:572
 sock_do_ioctl+0x245/0x320 net/socket.c:1161
 sock_ioctl+0x4d2/0x710 net/socket.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 4416:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kfree+0xef/0x2a0 mm/slub.c:4564
 ax25_dev_put include/net/ax25.h:302 [inline]
 ax25_release+0x661/0x870 net/ax25/af_ax25.c:1062
 __sock_release net/socket.c:651 [inline]
 sock_close+0xd5/0x240 net/socket.c:1345
 __fput+0x234/0x930 fs/file_table.c:311
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0x10f/0x130 kernel/entry/common.c:181
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff888070e66700
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff888070e66700, ffff888070e667c0)
The buggy address belongs to the page:
page:ffffea0001c39980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x70e66
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888016c41a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4336, ts 85797534685, free_ts 85797141273
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5501
 __alloc_pages_node include/linux/gfp.h:570 [inline]
 alloc_slab_page mm/slub.c:1782 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xb6/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 __kmalloc_node+0x200/0x3b0 mm/slub.c:4456
 kmalloc_array_node include/linux/slab.h:700 [inline]
 kcalloc_node include/linux/slab.h:705 [inline]
 memcg_alloc_page_obj_cgroups+0x81/0x120 mm/memcontrol.c:2839
 memcg_slab_post_alloc_hook mm/slab.h:313 [inline]
 slab_post_alloc_hook+0xba/0x380 mm/slab.h:526
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
 dup_fd+0x53/0xc70 fs/file.c:316
 copy_files+0x72/0xe0 kernel/fork.c:1564
 copy_process+0x16aa/0x3e20 kernel/fork.c:2278
 kernel_clone+0x23f/0x990 kernel/fork.c:2679
 __do_sys_clone kernel/fork.c:2796 [inline]
 __se_sys_clone kernel/fork.c:2780 [inline]
 __x64_sys_clone+0x19a/0x210 kernel/fork.c:2780
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x8f/0x2a0 mm/page_alloc.c:3396
 __vunmap+0x8b9/0xa50 mm/vmalloc.c:2628
 __do_replace+0x85b/0x9c0 net/ipv6/netfilter/ip6_tables.c:1109
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0xaaa/0xd90 net/ipv6/netfilter/ip6_tables.c:1646
 nf_setsockopt+0x25f/0x280 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x2086/0x3cc0 net/ipv6/ipv6_sockglue.c:1014
 tcp_setsockopt+0x240/0x1e90 net/ipv4/tcp.c:3722
 __sys_setsockopt+0x2bf/0x3d0 net/socket.c:2212
 __do_sys_setsockopt net/socket.c:2223 [inline]
 __se_sys_setsockopt net/socket.c:2220 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2220
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff888070e66600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888070e66680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888070e66700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888070e66780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888070e66800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
BUG: KASAN: use-after-free in ax25_fillin_cb+0x459/0x640 net/ax25/af_ax25.c:495
Read of size 4 at addr ffff888070e66738 by task syz.0.19/4420

CPU: 1 PID: 4420 Comm: syz.0.19 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
 ax25_fillin_cb+0x459/0x640 net/ax25/af_ax25.c:495
 ax25_setsockopt+0x8c9/0xa60 net/ax25/af_ax25.c:690
 __sys_setsockopt+0x2bf/0x3d0 net/socket.c:2212
 __do_sys_setsockopt net/socket.c:2223 [inline]
 __se_sys_setsockopt net/socket.c:2220 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2220
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f6657023819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd3b446b48 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f665729cfa0 RCX: 00007f6657023819
RDX: 0000000000000019 RSI: 0000000000000101 RDI: 0000000000000007
RBP: 00007f66570b9c91 R08: 0000000000000010 R09: 0000000000000000
R10: 0000200000000240 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f665729cfac R14: 00007f665729cfa0 R15: 00007f665729cfa0
 </TASK>

Allocated by task 4407:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:607 [inline]
 kzalloc include/linux/slab.h:738 [inline]
 ax25_dev_device_up+0x50/0x580 net/ax25/ax25_dev.c:55
 ax25_device_event+0x483/0x4f0 net/ax25/af_ax25.c:139
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xcb/0x160 kernel/notifier.c:391
 call_netdevice_notifiers_extack net/core/dev.c:2074 [inline]
 call_netdevice_notifiers net/core/dev.c:2088 [inline]
 __dev_notify_flags+0x194/0x300 net/core/dev.c:8917
 dev_change_flags+0xe3/0x1a0 net/core/dev.c:8955
 dev_ifsioc+0x130/0xd50 net/core/dev_ioctl.c:324
 dev_ioctl+0x545/0xe30 net/core/dev_ioctl.c:572
 sock_do_ioctl+0x245/0x320 net/socket.c:1161
 sock_ioctl+0x4d2/0x710 net/socket.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 4416:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kfree+0xef/0x2a0 mm/slub.c:4564
 ax25_dev_put include/net/ax25.h:302 [inline]
 ax25_release+0x661/0x870 net/ax25/af_ax25.c:1062
 __sock_release net/socket.c:651 [inline]
 sock_close+0xd5/0x240 net/socket.c:1345
 __fput+0x234/0x930 fs/file_table.c:311
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0x10f/0x130 kernel/entry/common.c:181
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff888070e66700
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff888070e66700, ffff888070e667c0)
The buggy address belongs to the page:
page:ffffea0001c39980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x70e66
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888016c41a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4336, ts 85797534685, free_ts 85797141273
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5501
 __alloc_pages_node include/linux/gfp.h:570 [inline]
 alloc_slab_page mm/slub.c:1782 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xb6/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 __kmalloc_node+0x200/0x3b0 mm/slub.c:4456
 kmalloc_array_node include/linux/slab.h:700 [inline]
 kcalloc_node include/linux/slab.h:705 [inline]
 memcg_alloc_page_obj_cgroups+0x81/0x120 mm/memcontrol.c:2839
 memcg_slab_post_alloc_hook mm/slab.h:313 [inline]
 slab_post_alloc_hook+0xba/0x380 mm/slab.h:526
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
 dup_fd+0x53/0xc70 fs/file.c:316
 copy_files+0x72/0xe0 kernel/fork.c:1564
 copy_process+0x16aa/0x3e20 kernel/fork.c:2278
 kernel_clone+0x23f/0x990 kernel/fork.c:2679
 __do_sys_clone kernel/fork.c:2796 [inline]
 __se_sys_clone kernel/fork.c:2780 [inline]
 __x64_sys_clone+0x19a/0x210 kernel/fork.c:2780
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x8f/0x2a0 mm/page_alloc.c:3396
 __vunmap+0x8b9/0xa50 mm/vmalloc.c:2628
 __do_replace+0x85b/0x9c0 net/ipv6/netfilter/ip6_tables.c:1109
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0xaaa/0xd90 net/ipv6/netfilter/ip6_tables.c:1646
 nf_setsockopt+0x25f/0x280 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x2086/0x3cc0 net/ipv6/ipv6_sockglue.c:1014
 tcp_setsockopt+0x240/0x1e90 net/ipv4/tcp.c:3722
 __sys_setsockopt+0x2bf/0x3d0 net/socket.c:2212
 __do_sys_setsockopt net/socket.c:2223 [inline]
 __se_sys_setsockopt net/socket.c:2220 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2220
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff888070e66600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888070e66680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888070e66700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888070e66780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888070e66800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================