Extracting prog: 21m15.777668731s
Minimizing prog: 24m0.243490874s
Simplifying prog options: 6m35.615532903s
Extracting C: 2m37.01308585s
Simplifying C: 0s


30 programs, 3 VMs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 30 programs
single: executing 5 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE-bpf$MAP_UPDATE_BATCH-bpf$MAP_DELETE_ELEM
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$nl_route-socket-getsockname$packet-sendmsg$nl_route
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x0, 0x12, &(0x7f0000000080)=@framed={{0x18, 0x5}, [@func, @map_fd, @generic, @initr0, @exit, @printk={@llu, {0x2, 0x3, 0x3, 0xa, 0x0}, {0x7, 0x1, 0xc, 0x1, 0x5}, {0x7, 0x0, 0x0, 0x1, 0x0, 0x0, 0xfffffe00}, {}, {}, {0x85, 0x0, 0x0, 0x2d}}]}, 0x0}, 0x90)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x6, &(0x7f0000000140)={&(0x7f00000013c0)=@newlink={0x64, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x88a9fde5}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0x1c, 0x1f}}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}, @IFLA_MASTER={0x8, 0xa, r2}, @IFLA_ADDRESS={0xa, 0x1, @dev}]}, 0x64}}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-connect$bt_l2cap-setsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @any, 0x4}, 0xe)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed, 0x7ff}, 0xe)
setsockopt$bt_BT_SECURITY(r0, 0x112, 0x4, &(0x7f0000000000)={0x2}, 0x2)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 15s
testing program (duration=22s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 10, 17, 7, 28, 14, 5, 30, 4, 5, 5, 17, 3, 2, 3, 1, 9, 16, 1, 5, 6, 2, 5, 7, 5, 7, 2, 11, 1, 3]
detailed listing:
executing program 4:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000100)={0x26, 'skcipher\x00', 0x0, 0x0, 'cts(cbc(serpent))\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, 0x0, 0x0)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmmsg$alg(r1, &(0x7f0000003540)=[{0x0, 0x0, &(0x7f0000001400)=[{&(0x7f0000000180)="31ab732abda06e22281b2f0df75394f0", 0x10}], 0x1, &(0x7f0000001480)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18}], 0x1, 0x0)
recvmmsg(r1, &(0x7f0000000040)=[{{0x0, 0x0, &(0x7f0000001680)=[{&(0x7f0000003980)=""/4103, 0x1007}], 0x1}}], 0x1, 0x60, 0x0)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff)
socket$nl_generic(0x10, 0x3, 0x10)
r0 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x11, 0x8, &(0x7f0000003900)=ANY=[@ANYRES8=r0], &(0x7f0000000380)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x2c, '\x00', 0x0, 0x23, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000540)='rcu_utilization\x00', r1}, 0x10)
openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000380), 0xffffffffffffffff)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$IPVS_CMD_FLUSH(r3, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000100)=ANY=[@ANYBLOB="c4000000", @ANYRES16=r2, @ANYBLOB="01000000000000000000010000002c000280060002004e2000000800090010000000060002004e210000080007000101000006000f000700000008000400ff7fffff1400028008000600020000000800090008000000080004000200000060000180080009005600000007000600666f00000c0007002000000002000000080008000100000008000b00736970000600010002000000080005"], 0xc4}}, 0x0)
executing program 4:
r0 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
bind$packet(r0, &(0x7f00000000c0)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @random="e4bb98e2876d"}, 0x14)
getsockname$packet(r0, &(0x7f0000000080)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xe, 0x4, 0x8, 0x8}, 0x48)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f00000001c0)={r3, &(0x7f0000000000)="de", 0x0}, 0x20)
r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x4, 0x0, 0x0)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r4, &(0x7f00000000c0), &(0x7f0000000000)=""/10, 0x2}, 0x20)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000080)={'pim6reg1\x00', 0xe511})
close(r5)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000002c40)={0x8, 0x17, &(0x7f00000007c0)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r6}, {}, {}, {0x85, 0x0, 0x0, 0x5}}, {{0x6, 0x0, 0xb}, {0x65, 0x0, 0xc}}, [@printk={@lld, {0x3, 0x3, 0x3, 0xa, 0x9}, {0x5, 0x1, 0x2, 0xa, 0x9}, {0x7, 0x0, 0x3, 0x9}, {}, {}, {0x15}}], {{0x5, 0x1, 0x3, 0x3}, {0x5, 0x0, 0xb, 0x3}, {0x85, 0x0, 0x0, 0x76}}}, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
socket$xdp(0x2c, 0x3, 0x0)
sendmsg$kcm(r0, &(0x7f0000000280)={&(0x7f0000000200)=@un=@file={0x1, './file0\x00'}, 0x80, &(0x7f0000001780), 0x0, &(0x7f0000000100)=ANY=[], 0x20}, 0x4008040)
bind$packet(r0, &(0x7f0000000040)={0x11, 0x9, r2, 0x1, 0xff, 0x6, @local}, 0x14)
executing program 4:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
shutdown(r0, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x10, &(0x7f0000000380)=[@in={0x2, 0x0, @private=0xa010101}]}, &(0x7f0000000180)=0x10)
r1 = socket$inet(0x2, 0x80001, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f00000002c0)={r2, @in6={{0xa, 0x0, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x304}, 0x9c)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000001580)={r2, @in={{0x2, 0x0, @empty}}}, &(0x7f0000000540)=0x9c)
executing program 4:
r0 = socket$nl_route(0x10, 0x3, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000040)={0x0, 0x1c, &(0x7f00000020c0)=[@in6={0xa, 0x0, 0x0, @remote, 0x34}]}, &(0x7f0000002100)=0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000180)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0}, 0x48)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x11, 0xf, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014001100b7030000000000008500000083000000bf0900000000000055090100000000009500000000000000bf91000000000000b7020000000000008500000085000000b70000000000000095"], &(0x7f0000001dc0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000080)='sched_switch\x00', r2}, 0x2d)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x26e1, 0x0)
close(r3)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000002c0)='memory.events\x00', 0x7a05, 0x1700)
ioctl$FS_IOC_SETFLAGS(r4, 0x40086602, &(0x7f0000000140))
pwritev(r4, &(0x7f00000004c0)=[{0x0}, {0x0}, {&(0x7f0000000200)="db", 0xfffff000}], 0x3, 0x8040000, 0x0)
pwritev(r3, 0x0, 0x0, 0x4000000, 0x0)
write$binfmt_elf64(r3, &(0x7f00000007c0)=ANY=[], 0x2a8)
r5 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
socket$tipc(0x1e, 0x5, 0x0)
setsockopt$WPAN_SECURITY(r5, 0x0, 0x1, &(0x7f0000000000), 0x4)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000580)='memory.events\x00', 0x100002, 0x0)
r7 = bpf$MAP_CREATE(0x0, &(0x7f0000000340)=@base={0xa, 0x4, 0x3, 0x8}, 0x48)
close(r7)
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x2, 0x4, 0x6, 0x2005, 0x1000, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x20000}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="180000000000000000000000000000001811", @ANYRES32, @ANYBLOB="0000000000000000b70800000000e7057b8af8ff00000000bfa200000000000007020000f8ffffffb70300000800"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r8 = bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x11, 0x14, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r7, @ANYBLOB="0000000000000000b70800003d"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='scsi_dispatch_cmd_start\x00', r8}, 0x10)
write$cgroup_type(r6, &(0x7f0000000140), 0x9)
setsockopt$netlink_NETLINK_NO_ENOBUFS(r0, 0x10e, 0xc, &(0x7f0000000040)=0x7f, 0x4)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="300000001a00010000", @ANYRES32=0x0, @ANYBLOB="0000008d"], 0x30}}, 0x0)
executing program 3:
r0 = socket$inet6(0xa, 0x400000000001, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
write$binfmt_script(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
ioctl$AUTOFS_IOC_CATATONIC(r1, 0x800443d2, 0x20000000)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$SIOCSIFHWADDR(r2, 0x8914, &(0x7f0000000000)={'veth0_vlan\x00', @remote})
socketpair$nbd(0x1, 0x1, 0x0, 0x0)
bind$inet6(r0, &(0x7f0000fa0fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c)
sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00000001c0)={0xa, 0x4e20, 0x0, @loopback}, 0x1c)
socket$can_raw(0x1d, 0x3, 0x1)
setsockopt$CAN_RAW_FD_FRAMES(0xffffffffffffffff, 0x65, 0x5, &(0x7f0000000040)=0x1, 0x4)
setsockopt$inet6_IPV6_ADDRFORM(r0, 0x29, 0x1, &(0x7f0000000140), 0x4)
executing program 2:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$NL80211_CMD_JOIN_MESH(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)={0x30, r1, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_MESH_ID={0xa}, @NL80211_ATTR_SOCKET_OWNER={0x4}, @NL80211_ATTR_CONTROL_PORT_OVER_NL80211={0x4}]}, 0x30}}, 0x0)
executing program 2:
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
bind$netlink(r1, &(0x7f0000000080)={0x10, 0x0, 0x0, 0x1}, 0xc)
r2 = socket$inet6(0xa, 0x80803, 0x87)
setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@private1, @in=@multicast2}, {}, {}, 0x0, 0x0, 0x1}, {{@in6=@mcast2, 0x0, 0x32}, 0x0, @in=@multicast1, 0x0, 0x0, 0x0, 0xff, 0x0, 0x2000}}, 0xe8)
connect$inet6(r2, &(0x7f0000000040)={0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @remote}}, 0x1c)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_LIST(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=ANY=[@ANYBLOB="1c000000070605000000000000000000000000080500010007ff0000"], 0x1c}}, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$devlink(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_PORT_UNSPLIT(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000004840)={0x3c, r5, 0x731, 0x0, 0x0, {0x38}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0x73}}}]}, 0x3c}, 0x1, 0x2}, 0x0)
r6 = syz_genetlink_get_family_id$gtp(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r3, 0x89f1, &(0x7f00000001c0)={'ip6tnl0\x00', &(0x7f0000000140)={'ip6_vti0\x00', 0x0, 0x2f, 0x6, 0x2, 0x80000000, 0x42, @dev={0xfe, 0x80, '\x00', 0x2c}, @private2={0xfc, 0x2, '\x00', 0x1}, 0x80, 0x7, 0x2, 0x5}})
sendmsg$GTP_CMD_GETPDP(r4, &(0x7f00000002c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)={0x44, r6, 0x100, 0x70bd2c, 0x25dfdbfe, {}, [@GTPA_LINK={0x8}, @GTPA_FLOW={0x6}, @GTPA_NET_NS_FD={0x8}, @GTPA_MS_ADDRESS={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x32}}, @GTPA_MS_ADDRESS={0x8, 0x5, @private=0xa010102}, @GTPA_MS_ADDRESS={0x8, 0x5, @rand_addr=0x64010101}]}, 0x44}, 0x1, 0x0, 0x0, 0x400c0}, 0x20000000)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f00000000c0)={0x0, 0x0, 0x30}, 0xc)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
sendto$inet6(r0, &(0x7f0000000180)="1a", 0x1, 0x0, &(0x7f0000000200)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
r7 = socket(0x11, 0x3, 0x0)
r8 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_fanout(r8, 0x107, 0x12, &(0x7f0000000000), 0x8)
setsockopt$packet_fanout(r7, 0x107, 0x12, &(0x7f0000000000), 0x4)
r9 = socket$inet6_sctp(0xa, 0x1, 0x84)
getsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000040)={<r10=>0x0, 0x100}, &(0x7f0000000080)=0x8)
r11 = socket$inet_udp(0x2, 0x2, 0x0)
bind$inet(r11, &(0x7f0000000000)={0x2, 0x0, @local}, 0x10)
sendmmsg$inet(r11, &(0x7f0000000600)=[{{&(0x7f0000000040)={0x2, 0x4e22, @multicast1}, 0x10, 0x0}}, {{0x0, 0x0, &(0x7f00000002c0)=[{&(0x7f0000003740)="b75a28e01f0203d65c249e7f4226f8c2cebebc9ae1def584a2e69409648cf418f7ac75ca95edd01b152d88a4182aa772bd00099d6457bd1fbe2e1150a5e25ce5c5680dd867c022c06eaaef46bb84a057b7d5517534636e1580bbe8f1ccc629191df5e5d266e7c2669016008629277ad81fa1a657fb4f7b07fffc2c227efe844cc770776444a83e07f0c7dac8fe0e1eec02db119493944cbd33391c0abdea7b9c0b20abe23c5f0e7a03af0e02097b66876fd002eccd737e07b1ec7d454a115f878a30c55e0c6d41439b886baf6afcfbb728a3deda73246ae623a639eee05f889b09fcded46b1b7fccb93993f06da67354e4e3d34ec61c3001f0b8c9234228aa6eabf6a80ca36a4ca0581e19a80e611bb71715c190a9b51f35caf2649c4b71fac03585ba57e9e06461f89a43cba5dd7f5f66bd5f123bcc48bc51f560ca23f21b67369e5a5b6da95d55764041ed1b202488ca995df8144d570d581ed360229e3e08c6e2e8a0528ae3a6658722bd956b5a89f0a11e20b9934c9556976fe1e3e2ee454f2930759a2209b92cb19bfe89a5891443b0e6bd494e630aabbee61c94f25138c48b812a9818d24834e68916ec5956e0b99990d597c12a928143a01c054a46cf248d7e1fb9ea8a70163ae9d434cb7f47b3378c0659ba5915295fd948e70bf0c07755b184b4f2543e9362d4faff88c86a805467b50a5032362e5e608d3ff2cc6640be56e9ff13001647821febad678ec24e300278a224218b1c5beb550fa01d794579df6fdaba64611f0ccc6848d143e8097bf71d5180d4a28b2c4ae9e1c8ecd82c5865cf00ccffc76a2b7bef216bffddb15876160f11b11f5c3097fc9b9fcddbe2f37a7cfa1723b332f69d16871b600cc6827cca7f470f868df991874a89845135656cb30e8aae62c3df3c880b8b54ac4659c794cd5842c7e73d0241e1e68b4e7d50894d7e6c0ed1b49b05a1a0354a080d1500b58e062d52031dd756dd157373d69f6cf7bd5927baa882cac9447f236571cae47a6e34f2896d425c68d3b91847b82a9bd1af98c24add0428d75606f8f39b89e9451801b08778b06c91e47a24d38a2c36a41419ca36e53d606908a6793b3743ab245c7e1ab202c5c86afd0dee19f2148f0fe5e367bd14870b56520a58451d2453529345a1880758fbadc8d06c4de4e7506338d04d8edb1e1cb890551cd1bbffa72bec31cdef80344ebe17cbd9abd35a641a815bb1093d76d9a65db757e5f1a4842431194deea69692e88781db959281da66aae3a80721d0c53664cae9ea0e9478a7805747005724aa607b27f28a4aa1b4343d2baeb808292b1d61056e55e8db489d9ad57a66f087fb2840de3e11ebf6b6524071ad93da25da6dc1379e6315f4bf268a09ef7e521863aeab33c5738ea1407f9d78ee1e3b0941e60e5cce5bf79ee8e51f12a36e08c320bdc9a73ebd7e1cb4815deb4ae46e02c758eb3a5bde6d1b02cd653eab4c7a855a65b44e759dc9b662650fe7ef31eceb99fc357c54a1517f1ae9c93ff9911cedcff26143cacf9bcfa80845e88435eadb52fb36903aeda14c9c5ab46b067bec3cac5caa5cbb5d9011e8a73eec471572a020fb25a68d28dcd6d2073ea3e6ce6529cce9467b319d5ed0135fdf967b6cfb72ffdab9ca6ae5118a9f2be67f8533336bb9a6fe51a21643746478737f1eb22bd214cbcb7a04a4e3c0b8c346ee4a0be9a025c7bd2ee05149625743b5be88ad5d8d9d8343a0eb049467c035994ff83a8d6bad25f74689d3c981a8ceb1396bb35d8fa06f3900df0ccc55360dd8df40d65c3d4b22cc99ab4cac80eb66522ee457090e65c0f313b04cd27ed242888a3e4d024658a46e5fae327dd912bf278df954ce444f9ee5d7b4e768ad31d19901715d7349546db64dc30dccec50c9818c89d69545c426f95a3666598414c009f570fce6576d37755b64c519d7f0b1747fa2ecb94da5b5022497f2a03c354525599f4ada3a0a1d0813c0803c6be5b8eaa660fa5570801ef49fc14fc1b122a7a4801e82c4f720c7ab26174ecc61eed8fb340d6152502449fb1b225d16ea9f50aa416f9ee679902b96a526d8fe", 0x5c1}], 0x1}}], 0x2, 0x240080a0)
setsockopt$inet_mtu(r11, 0x0, 0xa, &(0x7f0000000100)=0x2, 0x3)
sendmmsg$inet(r11, &(0x7f00000036c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x12)
getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r9, 0x84, 0x6c, &(0x7f0000000100)={r10, 0x8, "f3ec90f8773e04c2"}, &(0x7f0000000140)=0x10)
executing program 4:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @any, 0x4}, 0xe)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed, 0x7ff}, 0xe)
setsockopt$bt_BT_SECURITY(r0, 0x112, 0x4, &(0x7f0000000000)={0x2}, 0x2)
executing program 3:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000080)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_DISCONNECT(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r2, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_REASON_CODE={0x6, 0x36, 0x13}]}, 0x24}}, 0x0)
executing program 1:
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1c}, 0x48)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f00000000c0)={r2, 0x0, 0x20}, &(0x7f0000000100)=0x18)
executing program 3:
r0 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
bind$packet(r0, &(0x7f00000000c0)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @random="e4bb98e2876d"}, 0x14)
getsockname$packet(r0, &(0x7f0000000080)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xe, 0x4, 0x8, 0x8}, 0x48)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f00000001c0)={r3, &(0x7f0000000000)="de", 0x0}, 0x20)
r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x4, 0x0, 0x0)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r4, &(0x7f00000000c0), &(0x7f0000000000)=""/10, 0x2}, 0x20)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000080)={'pim6reg1\x00', 0xe511})
close(r5)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000002c40)={0x8, 0x17, &(0x7f00000007c0)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r6}, {}, {}, {0x85, 0x0, 0x0, 0x5}}, {{0x6, 0x0, 0xb}, {0x65, 0x0, 0xc}}, [@printk={@lld, {0x3, 0x3, 0x3, 0xa, 0x9}, {0x5, 0x1, 0x2, 0xa, 0x9}, {0x7, 0x0, 0x3, 0x9}, {}, {}, {0x15}}], {{0x5, 0x1, 0x3, 0x3}, {0x5, 0x0, 0xb, 0x3}, {0x85, 0x0, 0x0, 0x76}}}, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
socket$xdp(0x2c, 0x3, 0x0)
sendmsg$kcm(r0, &(0x7f0000000280)={&(0x7f0000000200)=@un=@file={0x1, './file0\x00'}, 0x80, &(0x7f0000001780), 0x0, &(0x7f0000000100)=ANY=[], 0x20}, 0x4008040)
bind$packet(r0, &(0x7f0000000040)={0x11, 0x9, r2, 0x1, 0xff, 0x6, @local}, 0x14)
executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$TIPC_NL_MON_SET(r0, &(0x7f0000000080)={&(0x7f0000000000), 0xc, &(0x7f0000000040)={&(0x7f0000000240)={0x84, r1, 0x813, 0x0, 0x0, {}, [@TIPC_NLA_MON={0x3c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}]}, @TIPC_NLA_MON={0x34, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD, @TIPC_NLA_MON_REF, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}]}]}, 0x84}}, 0x0)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)
executing program 3:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x5, &(0x7f0000000000)=@framed={{0x18, 0x2}, [@call={0x85, 0x0, 0x0, 0x17}, @call={0x85, 0x0, 0x0, 0x7}]}, &(0x7f0000000ac0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000340)={r0, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x48)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0xb, 0x7, 0x10001, 0x9, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000080)={r1, &(0x7f0000000080), &(0x7f0000000200)=""/166}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000000)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000580), &(0x7f00000005c0)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xd, &(0x7f00000002c0)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r2}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @call={0x85, 0x0, 0x0, 0x23}]}, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='kfree\x00', r3}, 0x10)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000880)={0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000000600), 0x0, 0x8c2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x50)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000740)={r1, &(0x7f0000000340), &(0x7f00000000c0)=""/109}, 0x20)
executing program 3:
socket$nl_route(0x10, 0x3, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x0, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000980)='sys_exit\x00', r0}, 0x10)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000001c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
sendmsg$unix(r1, &(0x7f0000000ac0)={0x0, 0x0, &(0x7f0000000a40)=[{&(0x7f0000000540)="8b", 0x1}], 0x1}, 0x0)
recvmsg(r1, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
close(r2)
r3 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'macvlan0\x00'})
bind$vsock_stream(0xffffffffffffffff, 0x0, 0x0)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(&(0x7f0000000500), 0xffffffffffffffff)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r4, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000000c0)={0x28, r5, 0x1, 0x0, 0x0, {0x5}, [@TIPC_NLA_BEARER={0x14, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x4, 0x1, @udp='udp:syz0\x00'}]}]}, 0x28}}, 0x0)
executing program 2:
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000000)={&(0x7f00000000c0)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@struct={0x0, 0x0, 0x0, 0x13, 0x0, 0x2}]}}, &(0x7f0000000640)=""/214, 0x26, 0xd6, 0x9}, 0x20)
executing program 1:
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000007c0)={0x0, 0x0, 0x0}, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff})
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x12, 0x24, 0x4, 0x2}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000780)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000700), &(0x7f0000000740)=r0}, 0x20)
bpf$MAP_DELETE_ELEM(0x4, &(0x7f0000000800)={r2, &(0x7f00000007c0)}, 0x20)
executing program 0:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
setsockopt$inet6_opts(r0, 0x29, 0x4d, &(0x7f0000000200)=ANY=[@ANYRESOCT], 0x8)
r1 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
connect$inet6(r1, &(0x7f0000000100)={0xa, 0x0, 0x0, @mcast2, 0x7}, 0x1c)
recvmsg(r0, &(0x7f0000000340)={0x0, 0x0, 0x0}, 0x0)
sendto$inet6(r1, &(0x7f0000000300), 0x5aa, 0x0, 0x0, 0xfffffffffffffdfd)
executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r0, 0x8001000000000000, 0x40, &(0x7f0000000000)=@raw={'raw\x00', 0x8, 0x3, 0x2b0, 0x0, 0x11, 0x148, 0xf8, 0x0, 0x218, 0x2a8, 0x2a8, 0x218, 0x2a8, 0x3, 0x0, {[{{@uncond, 0x0, 0x98, 0xf8, 0x0, {}, [@inet=@rpfilter={{0x28}}]}, @common=@SET={0x60, 'SET\x00', 0x0, {{0xffffffffffffffff}, {0xffffffffffffffff, [0x4, 0x3, 0x1, 0x2, 0x5]}}}}, {{@ip={@multicast2, @empty, 0x0, 0x0, 'veth0_to_bond\x00', 'geneve0\x00'}, 0x0, 0xc0, 0x120, 0x0, {}, [@common=@ttl={{0x28}}, @inet=@rpfilter={{0x28}}]}, @common=@SET={0x60}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x310)
executing program 2:
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1c}, 0x48)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f00000000c0)={r2, 0x0, 0x20}, &(0x7f0000000100)=0x18)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000840)=@base={0xb, 0x5, 0x2, 0x4, 0x5}, 0x48)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000001100)={{r0, <r1=>0xffffffffffffffff}, &(0x7f0000001080), &(0x7f00000010c0)='%pI4   \x00'}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000380)={{r1, <r2=>0xffffffffffffffff}, &(0x7f00000002c0), &(0x7f0000000300)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[@ANYRES32=r2, @ANYBLOB="0000000000000000b7080000060000007b0af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0, r3}, 0x10)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_TIMEOUT_DEFAULT_SET(r4, &(0x7f0000000140)={&(0x7f0000000000), 0xc, &(0x7f0000000100)={&(0x7f0000000040)=ANY=[@ANYBLOB="9000000003080102000000000000000040000000060002400000000006000240000000000900010073797a310000000005000300010000003c000480000000000000000608000140000000000800024000000000080001400000000008000240000000000800014000000000"], 0x90}}, 0x0)
executing program 3:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x0, 0x12, &(0x7f0000000080)=@framed={{0x18, 0x5}, [@func, @map_fd, @generic, @initr0, @exit, @printk={@llu, {0x2, 0x3, 0x3, 0xa, 0x0}, {0x7, 0x1, 0xc, 0x1, 0x5}, {0x7, 0x0, 0x0, 0x1, 0x0, 0x0, 0xfffffe00}, {}, {}, {0x85, 0x0, 0x0, 0x2d}}]}, 0x0}, 0x90)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x6, &(0x7f0000000140)={&(0x7f00000013c0)=@newlink={0x64, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x88a9fde5}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0x1c, 0x1f}}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}, @IFLA_MASTER={0x8, 0xa, r2}, @IFLA_ADDRESS={0xa, 0x1, @dev}]}, 0x64}}, 0x0)
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0x3, &(0x7f0000000040)=0xa1, 0x4)
writev(0xffffffffffffffff, &(0x7f0000000000)=[{&(0x7f0000000080)="390000001300090468fe0700000000000000ff3f08000000480100100000000019002b000a0001000500000000000072080003000500000000", 0x39}], 0x1)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'virt_wifi0\x00', <r2=>0x0})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x4, &(0x7f0000000740)={&(0x7f0000000080)=@newlink={0x40, 0x10, 0x705, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @hsr={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_HSR_SLAVE2={0x8, 0x2, r2}, @IFLA_HSR_SLAVE1={0x8, 0x1, r3}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)
executing program 2:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 5 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE-bpf$MAP_UPDATE_BATCH-bpf$MAP_DELETE_ELEM
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$nl_route-socket-getsockname$packet-sendmsg$nl_route
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x0, 0x12, &(0x7f0000000080)=@framed={{0x18, 0x5}, [@func, @map_fd, @generic, @initr0, @exit, @printk={@llu, {0x2, 0x3, 0x3, 0xa, 0x0}, {0x7, 0x1, 0xc, 0x1, 0x5}, {0x7, 0x0, 0x0, 0x1, 0x0, 0x0, 0xfffffe00}, {}, {}, {0x85, 0x0, 0x0, 0x2d}}]}, 0x0}, 0x90)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x6, &(0x7f0000000140)={&(0x7f00000013c0)=@newlink={0x64, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x88a9fde5}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0x1c, 0x1f}}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}, @IFLA_MASTER={0x8, 0xa, r2}, @IFLA_ADDRESS={0xa, 0x1, @dev}]}, 0x64}}, 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bind$bt_l2cap-connect$bt_l2cap-setsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @any, 0x4}, 0xe)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed, 0x7ff}, 0xe)
setsockopt$bt_BT_SECURITY(r0, 0x112, 0x4, &(0x7f0000000000)={0x2}, 0x2)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 1m40s
testing program (duration=1m47s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 10, 17, 7, 28, 14, 5, 30, 4, 5, 5, 17, 3, 2, 3, 1, 9, 16, 1, 5, 6, 2, 5, 7, 5, 7, 2, 11, 1, 3]
detailed listing:
executing program 4:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000100)={0x26, 'skcipher\x00', 0x0, 0x0, 'cts(cbc(serpent))\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, 0x0, 0x0)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmmsg$alg(r1, &(0x7f0000003540)=[{0x0, 0x0, &(0x7f0000001400)=[{&(0x7f0000000180)="31ab732abda06e22281b2f0df75394f0", 0x10}], 0x1, &(0x7f0000001480)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18}], 0x1, 0x0)
recvmmsg(r1, &(0x7f0000000040)=[{{0x0, 0x0, &(0x7f0000001680)=[{&(0x7f0000003980)=""/4103, 0x1007}], 0x1}}], 0x1, 0x60, 0x0)
executing program 4:
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff)
socket$nl_generic(0x10, 0x3, 0x10)
r0 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x11, 0x8, &(0x7f0000003900)=ANY=[@ANYRES8=r0], &(0x7f0000000380)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x2c, '\x00', 0x0, 0x23, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000540)='rcu_utilization\x00', r1}, 0x10)
openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000380), 0xffffffffffffffff)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$IPVS_CMD_FLUSH(r3, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000100)=ANY=[@ANYBLOB="c4000000", @ANYRES16=r2, @ANYBLOB="01000000000000000000010000002c000280060002004e2000000800090010000000060002004e210000080007000101000006000f000700000008000400ff7fffff1400028008000600020000000800090008000000080004000200000060000180080009005600000007000600666f00000c0007002000000002000000080008000100000008000b00736970000600010002000000080005"], 0xc4}}, 0x0)
executing program 4:
r0 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
bind$packet(r0, &(0x7f00000000c0)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @random="e4bb98e2876d"}, 0x14)
getsockname$packet(r0, &(0x7f0000000080)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xe, 0x4, 0x8, 0x8}, 0x48)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f00000001c0)={r3, &(0x7f0000000000)="de", 0x0}, 0x20)
r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x4, 0x0, 0x0)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r4, &(0x7f00000000c0), &(0x7f0000000000)=""/10, 0x2}, 0x20)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000080)={'pim6reg1\x00', 0xe511})
close(r5)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000002c40)={0x8, 0x17, &(0x7f00000007c0)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r6}, {}, {}, {0x85, 0x0, 0x0, 0x5}}, {{0x6, 0x0, 0xb}, {0x65, 0x0, 0xc}}, [@printk={@lld, {0x3, 0x3, 0x3, 0xa, 0x9}, {0x5, 0x1, 0x2, 0xa, 0x9}, {0x7, 0x0, 0x3, 0x9}, {}, {}, {0x15}}], {{0x5, 0x1, 0x3, 0x3}, {0x5, 0x0, 0xb, 0x3}, {0x85, 0x0, 0x0, 0x76}}}, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
socket$xdp(0x2c, 0x3, 0x0)
sendmsg$kcm(r0, &(0x7f0000000280)={&(0x7f0000000200)=@un=@file={0x1, './file0\x00'}, 0x80, &(0x7f0000001780), 0x0, &(0x7f0000000100)=ANY=[], 0x20}, 0x4008040)
bind$packet(r0, &(0x7f0000000040)={0x11, 0x9, r2, 0x1, 0xff, 0x6, @local}, 0x14)
executing program 4:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
shutdown(r0, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x10, &(0x7f0000000380)=[@in={0x2, 0x0, @private=0xa010101}]}, &(0x7f0000000180)=0x10)
r1 = socket$inet(0x2, 0x80001, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f00000002c0)={r2, @in6={{0xa, 0x0, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x304}, 0x9c)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000001580)={r2, @in={{0x2, 0x0, @empty}}}, &(0x7f0000000540)=0x9c)
executing program 4:
r0 = socket$nl_route(0x10, 0x3, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000040)={0x0, 0x1c, &(0x7f00000020c0)=[@in6={0xa, 0x0, 0x0, @remote, 0x34}]}, &(0x7f0000002100)=0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000180)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0}, 0x48)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x11, 0xf, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014001100b7030000000000008500000083000000bf0900000000000055090100000000009500000000000000bf91000000000000b7020000000000008500000085000000b70000000000000095"], &(0x7f0000001dc0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000080)='sched_switch\x00', r2}, 0x2d)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x26e1, 0x0)
close(r3)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000002c0)='memory.events\x00', 0x7a05, 0x1700)
ioctl$FS_IOC_SETFLAGS(r4, 0x40086602, &(0x7f0000000140))
pwritev(r4, &(0x7f00000004c0)=[{0x0}, {0x0}, {&(0x7f0000000200)="db", 0xfffff000}], 0x3, 0x8040000, 0x0)
pwritev(r3, 0x0, 0x0, 0x4000000, 0x0)
write$binfmt_elf64(r3, &(0x7f00000007c0)=ANY=[], 0x2a8)
r5 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
socket$tipc(0x1e, 0x5, 0x0)
setsockopt$WPAN_SECURITY(r5, 0x0, 0x1, &(0x7f0000000000), 0x4)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000580)='memory.events\x00', 0x100002, 0x0)
r7 = bpf$MAP_CREATE(0x0, &(0x7f0000000340)=@base={0xa, 0x4, 0x3, 0x8}, 0x48)
close(r7)
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x2, 0x4, 0x6, 0x2005, 0x1000, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x20000}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="180000000000000000000000000000001811", @ANYRES32, @ANYBLOB="0000000000000000b70800000000e7057b8af8ff00000000bfa200000000000007020000f8ffffffb70300000800"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r8 = bpf$PROG_LOAD(0x5, &(0x7f0000000280)={0x11, 0x14, &(0x7f0000000400)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r7, @ANYBLOB="0000000000000000b70800003d"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='scsi_dispatch_cmd_start\x00', r8}, 0x10)
write$cgroup_type(r6, &(0x7f0000000140), 0x9)
setsockopt$netlink_NETLINK_NO_ENOBUFS(r0, 0x10e, 0xc, &(0x7f0000000040)=0x7f, 0x4)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="300000001a00010000", @ANYRES32=0x0, @ANYBLOB="0000008d"], 0x30}}, 0x0)
executing program 3:
r0 = socket$inet6(0xa, 0x400000000001, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
write$binfmt_script(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
ioctl$AUTOFS_IOC_CATATONIC(r1, 0x800443d2, 0x20000000)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$SIOCSIFHWADDR(r2, 0x8914, &(0x7f0000000000)={'veth0_vlan\x00', @remote})
socketpair$nbd(0x1, 0x1, 0x0, 0x0)
bind$inet6(r0, &(0x7f0000fa0fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c)
sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00000001c0)={0xa, 0x4e20, 0x0, @loopback}, 0x1c)
socket$can_raw(0x1d, 0x3, 0x1)
setsockopt$CAN_RAW_FD_FRAMES(0xffffffffffffffff, 0x65, 0x5, &(0x7f0000000040)=0x1, 0x4)
setsockopt$inet6_IPV6_ADDRFORM(r0, 0x29, 0x1, &(0x7f0000000140), 0x4)
executing program 2:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$NL80211_CMD_JOIN_MESH(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)={0x30, r1, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_MESH_ID={0xa}, @NL80211_ATTR_SOCKET_OWNER={0x4}, @NL80211_ATTR_CONTROL_PORT_OVER_NL80211={0x4}]}, 0x30}}, 0x0)
executing program 2:
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
bind$netlink(r1, &(0x7f0000000080)={0x10, 0x0, 0x0, 0x1}, 0xc)
r2 = socket$inet6(0xa, 0x80803, 0x87)
setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@private1, @in=@multicast2}, {}, {}, 0x0, 0x0, 0x1}, {{@in6=@mcast2, 0x0, 0x32}, 0x0, @in=@multicast1, 0x0, 0x0, 0x0, 0xff, 0x0, 0x2000}}, 0xe8)
connect$inet6(r2, &(0x7f0000000040)={0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @remote}}, 0x1c)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_LIST(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=ANY=[@ANYBLOB="1c000000070605000000000000000000000000080500010007ff0000"], 0x1c}}, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$devlink(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_PORT_UNSPLIT(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000004840)={0x3c, r5, 0x731, 0x0, 0x0, {0x38}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0x73}}}]}, 0x3c}, 0x1, 0x2}, 0x0)
r6 = syz_genetlink_get_family_id$gtp(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r3, 0x89f1, &(0x7f00000001c0)={'ip6tnl0\x00', &(0x7f0000000140)={'ip6_vti0\x00', 0x0, 0x2f, 0x6, 0x2, 0x80000000, 0x42, @dev={0xfe, 0x80, '\x00', 0x2c}, @private2={0xfc, 0x2, '\x00', 0x1}, 0x80, 0x7, 0x2, 0x5}})
sendmsg$GTP_CMD_GETPDP(r4, &(0x7f00000002c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000200)={0x44, r6, 0x100, 0x70bd2c, 0x25dfdbfe, {}, [@GTPA_LINK={0x8}, @GTPA_FLOW={0x6}, @GTPA_NET_NS_FD={0x8}, @GTPA_MS_ADDRESS={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x32}}, @GTPA_MS_ADDRESS={0x8, 0x5, @private=0xa010102}, @GTPA_MS_ADDRESS={0x8, 0x5, @rand_addr=0x64010101}]}, 0x44}, 0x1, 0x0, 0x0, 0x400c0}, 0x20000000)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f00000000c0)={0x0, 0x0, 0x30}, 0xc)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
sendto$inet6(r0, &(0x7f0000000180)="1a", 0x1, 0x0, &(0x7f0000000200)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
r7 = socket(0x11, 0x3, 0x0)
r8 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_fanout(r8, 0x107, 0x12, &(0x7f0000000000), 0x8)
setsockopt$packet_fanout(r7, 0x107, 0x12, &(0x7f0000000000), 0x4)
r9 = socket$inet6_sctp(0xa, 0x1, 0x84)
getsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000040)={<r10=>0x0, 0x100}, &(0x7f0000000080)=0x8)
r11 = socket$inet_udp(0x2, 0x2, 0x0)
bind$inet(r11, &(0x7f0000000000)={0x2, 0x0, @local}, 0x10)
sendmmsg$inet(r11, &(0x7f0000000600)=[{{&(0x7f0000000040)={0x2, 0x4e22, @multicast1}, 0x10, 0x0}}, {{0x0, 0x0, &(0x7f00000002c0)=[{&(0x7f0000003740)="b75a28e01f0203d65c249e7f4226f8c2cebebc9ae1def584a2e69409648cf418f7ac75ca95edd01b152d88a4182aa772bd00099d6457bd1fbe2e1150a5e25ce5c5680dd867c022c06eaaef46bb84a057b7d5517534636e1580bbe8f1ccc629191df5e5d266e7c2669016008629277ad81fa1a657fb4f7b07fffc2c227efe844cc770776444a83e07f0c7dac8fe0e1eec02db119493944cbd33391c0abdea7b9c0b20abe23c5f0e7a03af0e02097b66876fd002eccd737e07b1ec7d454a115f878a30c55e0c6d41439b886baf6afcfbb728a3deda73246ae623a639eee05f889b09fcded46b1b7fccb93993f06da67354e4e3d34ec61c3001f0b8c9234228aa6eabf6a80ca36a4ca0581e19a80e611bb71715c190a9b51f35caf2649c4b71fac03585ba57e9e06461f89a43cba5dd7f5f66bd5f123bcc48bc51f560ca23f21b67369e5a5b6da95d55764041ed1b202488ca995df8144d570d581ed360229e3e08c6e2e8a0528ae3a6658722bd956b5a89f0a11e20b9934c9556976fe1e3e2ee454f2930759a2209b92cb19bfe89a5891443b0e6bd494e630aabbee61c94f25138c48b812a9818d24834e68916ec5956e0b99990d597c12a928143a01c054a46cf248d7e1fb9ea8a70163ae9d434cb7f47b3378c0659ba5915295fd948e70bf0c07755b184b4f2543e9362d4faff88c86a805467b50a5032362e5e608d3ff2cc6640be56e9ff13001647821febad678ec24e300278a224218b1c5beb550fa01d794579df6fdaba64611f0ccc6848d143e8097bf71d5180d4a28b2c4ae9e1c8ecd82c5865cf00ccffc76a2b7bef216bffddb15876160f11b11f5c3097fc9b9fcddbe2f37a7cfa1723b332f69d16871b600cc6827cca7f470f868df991874a89845135656cb30e8aae62c3df3c880b8b54ac4659c794cd5842c7e73d0241e1e68b4e7d50894d7e6c0ed1b49b05a1a0354a080d1500b58e062d52031dd756dd157373d69f6cf7bd5927baa882cac9447f236571cae47a6e34f2896d425c68d3b91847b82a9bd1af98c24add0428d75606f8f39b89e9451801b08778b06c91e47a24d38a2c36a41419ca36e53d606908a6793b3743ab245c7e1ab202c5c86afd0dee19f2148f0fe5e367bd14870b56520a58451d2453529345a1880758fbadc8d06c4de4e7506338d04d8edb1e1cb890551cd1bbffa72bec31cdef80344ebe17cbd9abd35a641a815bb1093d76d9a65db757e5f1a4842431194deea69692e88781db959281da66aae3a80721d0c53664cae9ea0e9478a7805747005724aa607b27f28a4aa1b4343d2baeb808292b1d61056e55e8db489d9ad57a66f087fb2840de3e11ebf6b6524071ad93da25da6dc1379e6315f4bf268a09ef7e521863aeab33c5738ea1407f9d78ee1e3b0941e60e5cce5bf79ee8e51f12a36e08c320bdc9a73ebd7e1cb4815deb4ae46e02c758eb3a5bde6d1b02cd653eab4c7a855a65b44e759dc9b662650fe7ef31eceb99fc357c54a1517f1ae9c93ff9911cedcff26143cacf9bcfa80845e88435eadb52fb36903aeda14c9c5ab46b067bec3cac5caa5cbb5d9011e8a73eec471572a020fb25a68d28dcd6d2073ea3e6ce6529cce9467b319d5ed0135fdf967b6cfb72ffdab9ca6ae5118a9f2be67f8533336bb9a6fe51a21643746478737f1eb22bd214cbcb7a04a4e3c0b8c346ee4a0be9a025c7bd2ee05149625743b5be88ad5d8d9d8343a0eb049467c035994ff83a8d6bad25f74689d3c981a8ceb1396bb35d8fa06f3900df0ccc55360dd8df40d65c3d4b22cc99ab4cac80eb66522ee457090e65c0f313b04cd27ed242888a3e4d024658a46e5fae327dd912bf278df954ce444f9ee5d7b4e768ad31d19901715d7349546db64dc30dccec50c9818c89d69545c426f95a3666598414c009f570fce6576d37755b64c519d7f0b1747fa2ecb94da5b5022497f2a03c354525599f4ada3a0a1d0813c0803c6be5b8eaa660fa5570801ef49fc14fc1b122a7a4801e82c4f720c7ab26174ecc61eed8fb340d6152502449fb1b225d16ea9f50aa416f9ee679902b96a526d8fe", 0x5c1}], 0x1}}], 0x2, 0x240080a0)
setsockopt$inet_mtu(r11, 0x0, 0xa, &(0x7f0000000100)=0x2, 0x3)
sendmmsg$inet(r11, &(0x7f00000036c0)=[{{0x0, 0x0, 0x0}}], 0x1, 0x12)
getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r9, 0x84, 0x6c, &(0x7f0000000100)={r10, 0x8, "f3ec90f8773e04c2"}, &(0x7f0000000140)=0x10)
executing program 4:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000000040)={0x1f, 0x0, @any, 0x4}, 0xe)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed, 0x7ff}, 0xe)
setsockopt$bt_BT_SECURITY(r0, 0x112, 0x4, &(0x7f0000000000)={0x2}, 0x2)
executing program 3:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000080)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_DISCONNECT(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r2, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_REASON_CODE={0x6, 0x36, 0x13}]}, 0x24}}, 0x0)
executing program 1:
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1c}, 0x48)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f00000000c0)={r2, 0x0, 0x20}, &(0x7f0000000100)=0x18)
executing program 3:
r0 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
bind$packet(r0, &(0x7f00000000c0)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @random="e4bb98e2876d"}, 0x14)
getsockname$packet(r0, &(0x7f0000000080)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xe, 0x4, 0x8, 0x8}, 0x48)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f00000001c0)={r3, &(0x7f0000000000)="de", 0x0}, 0x20)
r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x4, 0x0, 0x0)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r4, &(0x7f00000000c0), &(0x7f0000000000)=""/10, 0x2}, 0x20)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000080)={'pim6reg1\x00', 0xe511})
close(r5)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000002c40)={0x8, 0x17, &(0x7f00000007c0)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r6}, {}, {}, {0x85, 0x0, 0x0, 0x5}}, {{0x6, 0x0, 0xb}, {0x65, 0x0, 0xc}}, [@printk={@lld, {0x3, 0x3, 0x3, 0xa, 0x9}, {0x5, 0x1, 0x2, 0xa, 0x9}, {0x7, 0x0, 0x3, 0x9}, {}, {}, {0x15}}], {{0x5, 0x1, 0x3, 0x3}, {0x5, 0x0, 0xb, 0x3}, {0x85, 0x0, 0x0, 0x76}}}, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
socket$xdp(0x2c, 0x3, 0x0)
sendmsg$kcm(r0, &(0x7f0000000280)={&(0x7f0000000200)=@un=@file={0x1, './file0\x00'}, 0x80, &(0x7f0000001780), 0x0, &(0x7f0000000100)=ANY=[], 0x20}, 0x4008040)
bind$packet(r0, &(0x7f0000000040)={0x11, 0x9, r2, 0x1, 0xff, 0x6, @local}, 0x14)
executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$TIPC_NL_MON_SET(r0, &(0x7f0000000080)={&(0x7f0000000000), 0xc, &(0x7f0000000040)={&(0x7f0000000240)={0x84, r1, 0x813, 0x0, 0x0, {}, [@TIPC_NLA_MON={0x3c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}]}, @TIPC_NLA_MON={0x34, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD, @TIPC_NLA_MON_REF, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}]}]}, 0x84}}, 0x0)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)
executing program 3:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x5, &(0x7f0000000000)=@framed={{0x18, 0x2}, [@call={0x85, 0x0, 0x0, 0x17}, @call={0x85, 0x0, 0x0, 0x7}]}, &(0x7f0000000ac0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000340)={r0, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x48)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0xb, 0x7, 0x10001, 0x9, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000080)={r1, &(0x7f0000000080), &(0x7f0000000200)=""/166}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000000)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000580), &(0x7f00000005c0)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xd, &(0x7f00000002c0)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r2}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @call={0x85, 0x0, 0x0, 0x23}]}, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='kfree\x00', r3}, 0x10)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000880)={0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000000600), 0x0, 0x8c2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x50)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000740)={r1, &(0x7f0000000340), &(0x7f00000000c0)=""/109}, 0x20)
executing program 3:
socket$nl_route(0x10, 0x3, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x0, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000980)='sys_exit\x00', r0}, 0x10)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000001c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
sendmsg$unix(r1, &(0x7f0000000ac0)={0x0, 0x0, &(0x7f0000000a40)=[{&(0x7f0000000540)="8b", 0x1}], 0x1}, 0x0)
recvmsg(r1, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
close(r2)
r3 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'macvlan0\x00'})
bind$vsock_stream(0xffffffffffffffff, 0x0, 0x0)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(&(0x7f0000000500), 0xffffffffffffffff)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r4, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000000c0)={0x28, r5, 0x1, 0x0, 0x0, {0x5}, [@TIPC_NLA_BEARER={0x14, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x4, 0x1, @udp='udp:syz0\x00'}]}]}, 0x28}}, 0x0)
executing program 2:
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000000)={&(0x7f00000000c0)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@struct={0x0, 0x0, 0x0, 0x13, 0x0, 0x2}]}}, &(0x7f0000000640)=""/214, 0x26, 0xd6, 0x9}, 0x20)
executing program 1:
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000007c0)={0x0, 0x0, 0x0}, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff})
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x12, 0x24, 0x4, 0x2}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000780)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000700), &(0x7f0000000740)=r0}, 0x20)
bpf$MAP_DELETE_ELEM(0x4, &(0x7f0000000800)={r2, &(0x7f00000007c0)}, 0x20)
executing program 0:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
setsockopt$inet6_opts(r0, 0x29, 0x4d, &(0x7f0000000200)=ANY=[@ANYRESOCT], 0x8)
r1 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
connect$inet6(r1, &(0x7f0000000100)={0xa, 0x0, 0x0, @mcast2, 0x7}, 0x1c)
recvmsg(r0, &(0x7f0000000340)={0x0, 0x0, 0x0}, 0x0)
sendto$inet6(r1, &(0x7f0000000300), 0x5aa, 0x0, 0x0, 0xfffffffffffffdfd)
executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r0, 0x8001000000000000, 0x40, &(0x7f0000000000)=@raw={'raw\x00', 0x8, 0x3, 0x2b0, 0x0, 0x11, 0x148, 0xf8, 0x0, 0x218, 0x2a8, 0x2a8, 0x218, 0x2a8, 0x3, 0x0, {[{{@uncond, 0x0, 0x98, 0xf8, 0x0, {}, [@inet=@rpfilter={{0x28}}]}, @common=@SET={0x60, 'SET\x00', 0x0, {{0xffffffffffffffff}, {0xffffffffffffffff, [0x4, 0x3, 0x1, 0x2, 0x5]}}}}, {{@ip={@multicast2, @empty, 0x0, 0x0, 'veth0_to_bond\x00', 'geneve0\x00'}, 0x0, 0xc0, 0x120, 0x0, {}, [@common=@ttl={{0x28}}, @inet=@rpfilter={{0x28}}]}, @common=@SET={0x60}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x310)
executing program 2:
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1c}, 0x48)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f00000000c0)={r2, 0x0, 0x20}, &(0x7f0000000100)=0x18)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000840)=@base={0xb, 0x5, 0x2, 0x4, 0x5}, 0x48)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000001100)={{r0, <r1=>0xffffffffffffffff}, &(0x7f0000001080), &(0x7f00000010c0)='%pI4   \x00'}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000380)={{r1, <r2=>0xffffffffffffffff}, &(0x7f00000002c0), &(0x7f0000000300)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[@ANYRES32=r2, @ANYBLOB="0000000000000000b7080000060000007b0af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0, r3}, 0x10)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_TIMEOUT_DEFAULT_SET(r4, &(0x7f0000000140)={&(0x7f0000000000), 0xc, &(0x7f0000000100)={&(0x7f0000000040)=ANY=[@ANYBLOB="9000000003080102000000000000000040000000060002400000000006000240000000000900010073797a310000000005000300010000003c000480000000000000000608000140000000000800024000000000080001400000000008000240000000000800014000000000"], 0x90}}, 0x0)
executing program 3:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x0, 0x12, &(0x7f0000000080)=@framed={{0x18, 0x5}, [@func, @map_fd, @generic, @initr0, @exit, @printk={@llu, {0x2, 0x3, 0x3, 0xa, 0x0}, {0x7, 0x1, 0xc, 0x1, 0x5}, {0x7, 0x0, 0x0, 0x1, 0x0, 0x0, 0xfffffe00}, {}, {}, {0x85, 0x0, 0x0, 0x2d}}]}, 0x0}, 0x90)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x6, &(0x7f0000000140)={&(0x7f00000013c0)=@newlink={0x64, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x88a9fde5}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0x1c, 0x1f}}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}, @IFLA_MASTER={0x8, 0xa, r2}, @IFLA_ADDRESS={0xa, 0x1, @dev}]}, 0x64}}, 0x0)
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0x3, &(0x7f0000000040)=0xa1, 0x4)
writev(0xffffffffffffffff, &(0x7f0000000000)=[{&(0x7f0000000080)="390000001300090468fe0700000000000000ff3f08000000480100100000000019002b000a0001000500000000000072080003000500000000", 0x39}], 0x1)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'virt_wifi0\x00', <r2=>0x0})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x4, &(0x7f0000000740)={&(0x7f0000000080)=@newlink={0x40, 0x10, 0x705, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @hsr={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_HSR_SLAVE2={0x8, 0x2, r2}, @IFLA_HSR_SLAVE1={0x8, 0x1, r3}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)
executing program 2:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
bisect: bisecting 30 programs
bisect: split chunks (needed=false): <30>
bisect: split chunk #0 of len 30 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=1m45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 17, 3, 2, 3, 1, 9, 16, 1, 5, 6, 2, 5, 7, 5, 7, 2, 11, 1, 3]
detailed listing:
executing program 1:
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1c}, 0x48)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f00000000c0)={r2, 0x0, 0x20}, &(0x7f0000000100)=0x18)
executing program 3:
r0 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r1=>0x0})
bind$packet(r0, &(0x7f00000000c0)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @random="e4bb98e2876d"}, 0x14)
getsockname$packet(r0, &(0x7f0000000080)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xe, 0x4, 0x8, 0x8}, 0x48)
bpf$MAP_LOOKUP_ELEM(0x1, &(0x7f00000001c0)={r3, &(0x7f0000000000)="de", 0x0}, 0x20)
r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x4, 0x0, 0x0)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r4, &(0x7f00000000c0), &(0x7f0000000000)=""/10, 0x2}, 0x20)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000080)={'pim6reg1\x00', 0xe511})
close(r5)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000002c40)={0x8, 0x17, &(0x7f00000007c0)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r6}, {}, {}, {0x85, 0x0, 0x0, 0x5}}, {{0x6, 0x0, 0xb}, {0x65, 0x0, 0xc}}, [@printk={@lld, {0x3, 0x3, 0x3, 0xa, 0x9}, {0x5, 0x1, 0x2, 0xa, 0x9}, {0x7, 0x0, 0x3, 0x9}, {}, {}, {0x15}}], {{0x5, 0x1, 0x3, 0x3}, {0x5, 0x0, 0xb, 0x3}, {0x85, 0x0, 0x0, 0x76}}}, &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
socket$xdp(0x2c, 0x3, 0x0)
sendmsg$kcm(r0, &(0x7f0000000280)={&(0x7f0000000200)=@un=@file={0x1, './file0\x00'}, 0x80, &(0x7f0000001780), 0x0, &(0x7f0000000100)=ANY=[], 0x20}, 0x4008040)
bind$packet(r0, &(0x7f0000000040)={0x11, 0x9, r2, 0x1, 0xff, 0x6, @local}, 0x14)
executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$TIPC_NL_MON_SET(r0, &(0x7f0000000080)={&(0x7f0000000000), 0xc, &(0x7f0000000040)={&(0x7f0000000240)={0x84, r1, 0x813, 0x0, 0x0, {}, [@TIPC_NLA_MON={0x3c, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}]}, @TIPC_NLA_MON={0x34, 0x9, 0x0, 0x1, [@TIPC_NLA_MON_REF={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}, @TIPC_NLA_MON_ACTIVATION_THRESHOLD, @TIPC_NLA_MON_REF, @TIPC_NLA_MON_ACTIVATION_THRESHOLD={0x8}]}]}, 0x84}}, 0x0)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)
executing program 3:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x5, &(0x7f0000000000)=@framed={{0x18, 0x2}, [@call={0x85, 0x0, 0x0, 0x17}, @call={0x85, 0x0, 0x0, 0x7}]}, &(0x7f0000000ac0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000340)={r0, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x48)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0xb, 0x7, 0x10001, 0x9, 0x1}, 0x48)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000080)={r1, &(0x7f0000000080), &(0x7f0000000200)=""/166}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000000)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000580), &(0x7f00000005c0)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xd, &(0x7f00000002c0)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r2}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}, @call={0x85, 0x0, 0x0, 0x23}]}, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='kfree\x00', r3}, 0x10)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000880)={0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000000600), 0x0, 0x8c2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2}, 0x50)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000740)={r1, &(0x7f0000000340), &(0x7f00000000c0)=""/109}, 0x20)
executing program 3:
socket$nl_route(0x10, 0x3, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x0, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180100001c0000000000000000000000850000006d00000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x4, &(0x7f00000002c0)=ANY=[], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000980)='sys_exit\x00', r0}, 0x10)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000001c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
sendmsg$unix(r1, &(0x7f0000000ac0)={0x0, 0x0, &(0x7f0000000a40)=[{&(0x7f0000000540)="8b", 0x1}], 0x1}, 0x0)
recvmsg(r1, &(0x7f0000000500)={0x0, 0x0, 0x0}, 0x0)
close(r2)
r3 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'macvlan0\x00'})
bind$vsock_stream(0xffffffffffffffff, 0x0, 0x0)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(&(0x7f0000000500), 0xffffffffffffffff)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r4, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000000c0)={0x28, r5, 0x1, 0x0, 0x0, {0x5}, [@TIPC_NLA_BEARER={0x14, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_NAME={0x4, 0x1, @udp='udp:syz0\x00'}]}]}, 0x28}}, 0x0)
executing program 2:
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000000)={&(0x7f00000000c0)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@struct={0x0, 0x0, 0x0, 0x13, 0x0, 0x2}]}}, &(0x7f0000000640)=""/214, 0x26, 0xd6, 0x9}, 0x20)
executing program 1:
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000007c0)={0x0, 0x0, 0x0}, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff})
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x12, 0x24, 0x4, 0x2}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000780)={{r1, <r2=>0xffffffffffffffff}, &(0x7f0000000700), &(0x7f0000000740)=r0}, 0x20)
bpf$MAP_DELETE_ELEM(0x4, &(0x7f0000000800)={r2, &(0x7f00000007c0)}, 0x20)
executing program 0:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
setsockopt$inet6_opts(r0, 0x29, 0x4d, &(0x7f0000000200)=ANY=[@ANYRESOCT], 0x8)
r1 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
connect$inet6(r1, &(0x7f0000000100)={0xa, 0x0, 0x0, @mcast2, 0x7}, 0x1c)
recvmsg(r0, &(0x7f0000000340)={0x0, 0x0, 0x0}, 0x0)
sendto$inet6(r1, &(0x7f0000000300), 0x5aa, 0x0, 0x0, 0xfffffffffffffdfd)
executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r0, 0x8001000000000000, 0x40, &(0x7f0000000000)=@raw={'raw\x00', 0x8, 0x3, 0x2b0, 0x0, 0x11, 0x148, 0xf8, 0x0, 0x218, 0x2a8, 0x2a8, 0x218, 0x2a8, 0x3, 0x0, {[{{@uncond, 0x0, 0x98, 0xf8, 0x0, {}, [@inet=@rpfilter={{0x28}}]}, @common=@SET={0x60, 'SET\x00', 0x0, {{0xffffffffffffffff}, {0xffffffffffffffff, [0x4, 0x3, 0x1, 0x2, 0x5]}}}}, {{@ip={@multicast2, @empty, 0x0, 0x0, 'veth0_to_bond\x00', 'geneve0\x00'}, 0x0, 0xc0, 0x120, 0x0, {}, [@common=@ttl={{0x28}}, @inet=@rpfilter={{0x28}}]}, @common=@SET={0x60}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x310)
executing program 2:
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1c}, 0x48)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f00000000c0)={r2, 0x0, 0x20}, &(0x7f0000000100)=0x18)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000840)=@base={0xb, 0x5, 0x2, 0x4, 0x5}, 0x48)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000001100)={{r0, <r1=>0xffffffffffffffff}, &(0x7f0000001080), &(0x7f00000010c0)='%pI4   \x00'}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000380)={{r1, <r2=>0xffffffffffffffff}, &(0x7f00000002c0), &(0x7f0000000300)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[@ANYRES32=r2, @ANYBLOB="0000000000000000b7080000060000007b0af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0, r3}, 0x10)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_TIMEOUT_DEFAULT_SET(r4, &(0x7f0000000140)={&(0x7f0000000000), 0xc, &(0x7f0000000100)={&(0x7f0000000040)=ANY=[@ANYBLOB="9000000003080102000000000000000040000000060002400000000006000240000000000900010073797a310000000005000300010000003c000480000000000000000608000140000000000800024000000000080001400000000008000240000000000800014000000000"], 0x90}}, 0x0)
executing program 3:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x0, 0x12, &(0x7f0000000080)=@framed={{0x18, 0x5}, [@func, @map_fd, @generic, @initr0, @exit, @printk={@llu, {0x2, 0x3, 0x3, 0xa, 0x0}, {0x7, 0x1, 0xc, 0x1, 0x5}, {0x7, 0x0, 0x0, 0x1, 0x0, 0x0, 0xfffffe00}, {}, {}, {0x85, 0x0, 0x0, 0x2d}}]}, 0x0}, 0x90)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x6, &(0x7f0000000140)={&(0x7f00000013c0)=@newlink={0x64, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x88a9fde5}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0x1c, 0x1f}}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}, @IFLA_MASTER={0x8, 0xa, r2}, @IFLA_ADDRESS={0xa, 0x1, @dev}]}, 0x64}}, 0x0)
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0x3, &(0x7f0000000040)=0xa1, 0x4)
writev(0xffffffffffffffff, &(0x7f0000000000)=[{&(0x7f0000000080)="390000001300090468fe0700000000000000ff3f08000000480100100000000019002b000a0001000500000000000072080003000500000000", 0x39}], 0x1)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'virt_wifi0\x00', <r2=>0x0})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x4, &(0x7f0000000740)={&(0x7f0000000080)=@newlink={0x40, 0x10, 0x705, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @hsr={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_HSR_SLAVE2={0x8, 0x2, r2}, @IFLA_HSR_SLAVE1={0x8, 0x1, r3}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)
executing program 2:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program crashed: KASAN: slab-use-after-free Read in l2tp_tunnel_del_work
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=1m42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 2, 5, 7, 5, 7, 2, 11, 1, 3]
detailed listing:
executing program 0:
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
setsockopt$inet6_opts(r0, 0x29, 0x4d, &(0x7f0000000200)=ANY=[@ANYRESOCT], 0x8)
r1 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
connect$inet6(r1, &(0x7f0000000100)={0xa, 0x0, 0x0, @mcast2, 0x7}, 0x1c)
recvmsg(r0, &(0x7f0000000340)={0x0, 0x0, 0x0}, 0x0)
sendto$inet6(r1, &(0x7f0000000300), 0x5aa, 0x0, 0x0, 0xfffffffffffffdfd)
executing program 1:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r0, 0x8001000000000000, 0x40, &(0x7f0000000000)=@raw={'raw\x00', 0x8, 0x3, 0x2b0, 0x0, 0x11, 0x148, 0xf8, 0x0, 0x218, 0x2a8, 0x2a8, 0x218, 0x2a8, 0x3, 0x0, {[{{@uncond, 0x0, 0x98, 0xf8, 0x0, {}, [@inet=@rpfilter={{0x28}}]}, @common=@SET={0x60, 'SET\x00', 0x0, {{0xffffffffffffffff}, {0xffffffffffffffff, [0x4, 0x3, 0x1, 0x2, 0x5]}}}}, {{@ip={@multicast2, @empty, 0x0, 0x0, 'veth0_to_bond\x00', 'geneve0\x00'}, 0x0, 0xc0, 0x120, 0x0, {}, [@common=@ttl={{0x28}}, @inet=@rpfilter={{0x28}}]}, @common=@SET={0x60}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x310)
executing program 2:
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1c}, 0x48)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f00000000c0)={r2, 0x0, 0x20}, &(0x7f0000000100)=0x18)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000840)=@base={0xb, 0x5, 0x2, 0x4, 0x5}, 0x48)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000001100)={{r0, <r1=>0xffffffffffffffff}, &(0x7f0000001080), &(0x7f00000010c0)='%pI4   \x00'}, 0x20)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000380)={{r1, <r2=>0xffffffffffffffff}, &(0x7f00000002c0), &(0x7f0000000300)}, 0x20)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[@ANYRES32=r2, @ANYBLOB="0000000000000000b7080000060000007b0af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000300"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={0x0, r3}, 0x10)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_TIMEOUT_DEFAULT_SET(r4, &(0x7f0000000140)={&(0x7f0000000000), 0xc, &(0x7f0000000100)={&(0x7f0000000040)=ANY=[@ANYBLOB="9000000003080102000000000000000040000000060002400000000006000240000000000900010073797a310000000005000300010000003c000480000000000000000608000140000000000800024000000000080001400000000008000240000000000800014000000000"], 0x90}}, 0x0)
executing program 3:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x0, 0x12, &(0x7f0000000080)=@framed={{0x18, 0x5}, [@func, @map_fd, @generic, @initr0, @exit, @printk={@llu, {0x2, 0x3, 0x3, 0xa, 0x0}, {0x7, 0x1, 0xc, 0x1, 0x5}, {0x7, 0x0, 0x0, 0x1, 0x0, 0x0, 0xfffffe00}, {}, {}, {0x85, 0x0, 0x0, 0x2d}}]}, 0x0}, 0x90)
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x1, 0x803, 0x0)
getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x6, &(0x7f0000000140)={&(0x7f00000013c0)=@newlink={0x64, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x88a9fde5}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0x1c, 0x1f}}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}, @IFLA_MASTER={0x8, 0xa, r2}, @IFLA_ADDRESS={0xa, 0x1, @dev}]}, 0x64}}, 0x0)
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0x3, &(0x7f0000000040)=0xa1, 0x4)
writev(0xffffffffffffffff, &(0x7f0000000000)=[{&(0x7f0000000080)="390000001300090468fe0700000000000000ff3f08000000480100100000000019002b000a0001000500000000000072080003000500000000", 0x39}], 0x1)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'virt_wifi0\x00', <r2=>0x0})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x4, &(0x7f0000000740)={&(0x7f0000000080)=@newlink={0x40, 0x10, 0x705, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @hsr={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_HSR_SLAVE2={0x8, 0x2, r2}, @IFLA_HSR_SLAVE1={0x8, 0x1, r3}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)
executing program 2:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
bisect: the chunk can be dropped
bisect: testing without sub-chunk 3/3
bisect: split chunks (needed=true): <10>
bisect: split chunk #0 of len 10 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [7, 2, 11, 1, 3]
detailed listing:
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0x3, &(0x7f0000000040)=0xa1, 0x4)
writev(0xffffffffffffffff, &(0x7f0000000000)=[{&(0x7f0000000080)="390000001300090468fe0700000000000000ff3f08000000480100100000000019002b000a0001000500000000000072080003000500000000", 0x39}], 0x1)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'virt_wifi0\x00', <r2=>0x0})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x4, &(0x7f0000000740)={&(0x7f0000000080)=@newlink={0x40, 0x10, 0x705, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @hsr={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_HSR_SLAVE2={0x8, 0x2, r2}, @IFLA_HSR_SLAVE1={0x8, 0x1, r3}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)
executing program 2:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <5>
bisect: split chunk #0 of len 5 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 3]
detailed listing:
executing program 2:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x34}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000140)=@base={0xa, 0x6, 0xcd, 0xe8}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000002300)={0x0, 0x0, &(0x7f0000000240), &(0x7f0000002380), 0x806, r0}, 0x38)
bpf$MAP_DELETE_ELEM(0x2, &(0x7f0000000800)={r0, &(0x7f0000000a00), 0x20000000, 0x2}, 0x20)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [7, 2, 11]
detailed listing:
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0x3, &(0x7f0000000040)=0xa1, 0x4)
writev(0xffffffffffffffff, &(0x7f0000000000)=[{&(0x7f0000000080)="390000001300090468fe0700000000000000ff3f08000000480100100000000019002b000a0001000500000000000072080003000500000000", 0x39}], 0x1)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'virt_wifi0\x00', <r2=>0x0})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r3=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000000)={0x0, 0x4, &(0x7f0000000740)={&(0x7f0000000080)=@newlink={0x40, 0x10, 0x705, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @hsr={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_HSR_SLAVE2={0x8, 0x2, r2}, @IFLA_HSR_SLAVE1={0x8, 0x1, r3}]}}}]}, 0x40}}, 0x0)
executing program 1:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000480)=@newlink={0x40, 0x10, 0x403, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @gre={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_GRE_IFLAGS={0x6, 0x2, 0xc7e}, @IFLA_GRE_OFLAGS={0x6}]}}}]}, 0x40}}, 0x0)
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <3>
bisect: split chunk #0 of len 3 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)

program crashed: KASAN: slab-use-after-free Read in l2tp_tunnel_del_work
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunks (needed=true): <1>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 1 programs left: 

executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)


bisect: trying to concatenate
bisect: concatenate 1 entries
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
bisect: concatenation succeeded
found reproducer with 11 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
socket$pppl2tp(0x18, 0x1, 0x1)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, 0x0, 0x0)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
simplifying guilty program options
testing program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
testing program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
reproducing took 54m28.806550394s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
BUG: KASAN: slab-use-after-free in l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
Write of size 8 at addr ffff88807c175808 by task kworker/u8:9/2811

CPU: 0 PID: 2811 Comm: kworker/u8:9 Not tainted 6.10.0-rc4-syzkaller-00836-gb0d3969d2b4d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: l2tp l2tp_tunnel_del_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
 l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
 l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1302 [inline]
 l2tp_tunnel_del_work+0x1cb/0x330 net/l2tp/l2tp_core.c:1334
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5264:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x1f9/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2tp_session_create+0x3b/0xc20 net/l2tp/l2tp_core.c:1675
 pppol2tp_connect+0xca3/0x17a0 net/l2tp/l2tp_ppp.c:782
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 2811:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4437 [inline]
 kfree+0x149/0x360 mm/slub.c:4558
 __sk_destruct+0x58/0x5f0 net/core/sock.c:2191
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 pppol2tp_release+0x24b/0x350 net/l2tp/l2tp_ppp.c:457
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbc/0x240 net/socket.c:1421
 __fput+0x406/0x8b0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807c175800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes inside of
 freed 1024-byte region [ffff88807c175800, ffff88807c175c00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c170
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015041dc0 ffffea0001f5f400 0000000000000002
raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015041dc0 ffffea0001f5f400 0000000000000002
head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0001f05c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4952, tgid 4952 (sshd), ts 57494575783, free_ts 57494370820
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e43/0x2f00 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_noprof+0x257/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 tomoyo_init_log+0x1b3e/0x2050 security/tomoyo/audit.c:275
 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x1384/0x1cf0 security/tomoyo/domain.c:878
 tomoyo_bprm_check_security+0x115/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x65/0x90 security/security.c:1191
 search_binary_handler fs/exec.c:1785 [inline]
 exec_binprm fs/exec.c:1839 [inline]
 bprm_execve+0xa56/0x17c0 fs/exec.c:1891
 do_execveat_common+0x553/0x700 fs/exec.c:1998
page last free pid 4952 tgid 4952 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2583
 discard_slab mm/slub.c:2527 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:2995
 put_cpu_partial+0x17c/0x250 mm/slub.c:3070
 __slab_free+0x2ea/0x3d0 mm/slub.c:4307
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_noprof+0x1a3/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2023 [inline]
 tomoyo_supervisor+0xe0d/0x11f0 security/tomoyo/common.c:2095
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x1384/0x1cf0 security/tomoyo/domain.c:878
 tomoyo_bprm_check_security+0x115/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x65/0x90 security/security.c:1191
 search_binary_handler fs/exec.c:1785 [inline]
 exec_binprm fs/exec.c:1839 [inline]
 bprm_execve+0xa56/0x17c0 fs/exec.c:1891
 do_execveat_common+0x553/0x700 fs/exec.c:1998
 do_execve fs/exec.c:2072 [inline]
 __do_sys_execve fs/exec.c:2148 [inline]
 __se_sys_execve fs/exec.c:2143 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2143

Memory state around the buggy address:
 ffff88807c175700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807c175780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807c175800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807c175880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807c175900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
BUG: KASAN: slab-use-after-free in l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
Write of size 8 at addr ffff88807c175808 by task kworker/u8:9/2811

CPU: 0 PID: 2811 Comm: kworker/u8:9 Not tainted 6.10.0-rc4-syzkaller-00836-gb0d3969d2b4d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: l2tp l2tp_tunnel_del_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
 l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
 l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1302 [inline]
 l2tp_tunnel_del_work+0x1cb/0x330 net/l2tp/l2tp_core.c:1334
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5264:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x1f9/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2tp_session_create+0x3b/0xc20 net/l2tp/l2tp_core.c:1675
 pppol2tp_connect+0xca3/0x17a0 net/l2tp/l2tp_ppp.c:782
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 2811:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4437 [inline]
 kfree+0x149/0x360 mm/slub.c:4558
 __sk_destruct+0x58/0x5f0 net/core/sock.c:2191
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 pppol2tp_release+0x24b/0x350 net/l2tp/l2tp_ppp.c:457
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbc/0x240 net/socket.c:1421
 __fput+0x406/0x8b0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807c175800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes inside of
 freed 1024-byte region [ffff88807c175800, ffff88807c175c00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c170
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015041dc0 ffffea0001f5f400 0000000000000002
raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015041dc0 ffffea0001f5f400 0000000000000002
head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0001f05c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4952, tgid 4952 (sshd), ts 57494575783, free_ts 57494370820
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e43/0x2f00 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_noprof+0x257/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 tomoyo_init_log+0x1b3e/0x2050 security/tomoyo/audit.c:275
 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x1384/0x1cf0 security/tomoyo/domain.c:878
 tomoyo_bprm_check_security+0x115/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x65/0x90 security/security.c:1191
 search_binary_handler fs/exec.c:1785 [inline]
 exec_binprm fs/exec.c:1839 [inline]
 bprm_execve+0xa56/0x17c0 fs/exec.c:1891
 do_execveat_common+0x553/0x700 fs/exec.c:1998
page last free pid 4952 tgid 4952 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2583
 discard_slab mm/slub.c:2527 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:2995
 put_cpu_partial+0x17c/0x250 mm/slub.c:3070
 __slab_free+0x2ea/0x3d0 mm/slub.c:4307
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_noprof+0x1a3/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2023 [inline]
 tomoyo_supervisor+0xe0d/0x11f0 security/tomoyo/common.c:2095
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x1384/0x1cf0 security/tomoyo/domain.c:878
 tomoyo_bprm_check_security+0x115/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x65/0x90 security/security.c:1191
 search_binary_handler fs/exec.c:1785 [inline]
 exec_binprm fs/exec.c:1839 [inline]
 bprm_execve+0xa56/0x17c0 fs/exec.c:1891
 do_execveat_common+0x553/0x700 fs/exec.c:1998
 do_execve fs/exec.c:2072 [inline]
 __do_sys_execve fs/exec.c:2148 [inline]
 __se_sys_execve fs/exec.c:2143 [inline]
 __x64_sys_execve+0x92/0xb0 fs/exec.c:2143

Memory state around the buggy address:
 ffff88807c175700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807c175780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807c175800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807c175880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807c175900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================