Extracting prog: 35.451537416s
Minimizing prog: 17m18.113143758s
Simplifying prog options: 2m39.530610011s
Extracting C: 27.601344437s
Simplifying C: 0s


extracting reproducer from 25 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program crashed: WARNING: refcount bug in io_submit_one
single: successfully extracted reproducer
found reproducer with 8 syscalls
minimizing guilty program
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0))
openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r0, 0x0, 0x27)

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(0xffffffffffffffff, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r1, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, 0xffffffffffffffff, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r1, 0x0, 0x27)
io_submit(0x0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r0, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(0x0, 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(0x0, &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), 0x0, &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', 0x0, 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(0x0)
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r1, 0x0, 0x27)
io_submit(0x0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r0, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, 0x0, 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, 0x0, 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r1, 0x0, 0x27)
io_submit(r0, 0x0, 0x0)

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r1, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[0x0])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, 0x0, 0x0, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0), 0x0, 0xff010000}])

program did not crash
extracting C reproducer
testing compiled C program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
program crashed: WARNING: refcount bug in netfs_put_subrequest
a never seen crash title: WARNING: refcount bug in netfs_put_subrequest, ignore
simplifying guilty program options
testing program (duration=46.560244593s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program crashed: KASAN: slab-use-after-free Write in io_submit_one
a never seen crash title: KASAN: slab-use-after-free Write in io_submit_one, ignore
testing program (duration=46.560244593s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program did not crash
testing program (duration=46.560244593s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdir-mount$9p_virtio-chdir-io_setup-openat-openat-write$FUSE_NOTIFY_INVAL_ENTRY-io_submit
detailed listing:
executing program 0:
mkdir(&(0x7f0000000300)='./bus\x00', 0x40)
mount$9p_virtio(&(0x7f0000000100), &(0x7f0000000380)='./bus\x00', &(0x7f00000003c0), 0x814004, 0x0)
chdir(&(0x7f0000000140)='./bus\x00')
io_setup(0x1, &(0x7f00000004c0)=<r0=>0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x101042, 0x0)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x401, 0x0)
write$FUSE_NOTIFY_INVAL_ENTRY(r2, 0x0, 0x27)
io_submit(r0, 0x1, &(0x7f00000002c0)=[&(0x7f0000000300)={0xffffff7f00000000, 0x0, 0x0, 0x0, 0xeffd, r1, &(0x7f00000001c0)="ba", 0x1, 0xff010000}])

program crashed: KASAN: slab-use-after-free Write in io_submit_one
a never seen crash title: KASAN: slab-use-after-free Write in io_submit_one, ignore
reproducing took 21m0.696658182s
repro crashed as (corrupted=false):
netfs: Couldn't get user pages (rc=-14)
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 6161 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 2 UID: 0 PID: 6161 Comm: syz.2.23 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 78 71 f5 fc 84 db 0f 85 66 ff ff ff e8 cb 76 f5 fc c6 05 e5 68 86 0b 01 90 48 c7 c7 00 fb d2 8b e8 97 b2 b5 fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 a8 76 f5 fc 0f b6 1d c0 68 86 0b 31
RSP: 0018:ffffc90003707c68 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817a1159
RDX: ffff888030ea4880 RSI: ffffffff817a1166 RDI: 0000000000000001
RBP: ffff88802ae26208 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888028ae0000 R14: ffff88802ae26140 R15: ffff88802ae261f8
FS:  00007f2ba684e6c0(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ba682d000 CR3: 0000000025218000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:275 [inline]
 __refcount_dec_and_test include/linux/refcount.h:307 [inline]
 refcount_dec_and_test include/linux/refcount.h:325 [inline]
 iocb_put fs/aio.c:1208 [inline]
 io_submit_one+0x103f/0x1da0 fs/aio.c:2055
 __do_sys_io_submit fs/aio.c:2111 [inline]
 __se_sys_io_submit fs/aio.c:2081 [inline]
 __x64_sys_io_submit+0x1b2/0x340 fs/aio.c:2081
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ba598cde9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ba684e038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f2ba5ba5fa0 RCX: 00007f2ba598cde9
RDX: 00004000000002c0 RSI: 0000000000000001 RDI: 00007f2ba682d000
RBP: 00007f2ba5a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2ba5ba5fa0 R15: 00007ffcdd315028
 </TASK>

final repro crashed as (corrupted=false):
netfs: Couldn't get user pages (rc=-14)
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 6161 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 2 UID: 0 PID: 6161 Comm: syz.2.23 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 78 71 f5 fc 84 db 0f 85 66 ff ff ff e8 cb 76 f5 fc c6 05 e5 68 86 0b 01 90 48 c7 c7 00 fb d2 8b e8 97 b2 b5 fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 a8 76 f5 fc 0f b6 1d c0 68 86 0b 31
RSP: 0018:ffffc90003707c68 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817a1159
RDX: ffff888030ea4880 RSI: ffffffff817a1166 RDI: 0000000000000001
RBP: ffff88802ae26208 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888028ae0000 R14: ffff88802ae26140 R15: ffff88802ae261f8
FS:  00007f2ba684e6c0(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ba682d000 CR3: 0000000025218000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:275 [inline]
 __refcount_dec_and_test include/linux/refcount.h:307 [inline]
 refcount_dec_and_test include/linux/refcount.h:325 [inline]
 iocb_put fs/aio.c:1208 [inline]
 io_submit_one+0x103f/0x1da0 fs/aio.c:2055
 __do_sys_io_submit fs/aio.c:2111 [inline]
 __se_sys_io_submit fs/aio.c:2081 [inline]
 __x64_sys_io_submit+0x1b2/0x340 fs/aio.c:2081
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ba598cde9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ba684e038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f2ba5ba5fa0 RCX: 00007f2ba598cde9
RDX: 00004000000002c0 RSI: 0000000000000001 RDI: 00007f2ba682d000
RBP: 00007f2ba5a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2ba5ba5fa0 R15: 00007ffcdd315028
 </TASK>