Extracting prog: 3m7.429537268s
Minimizing prog: 17m19.552926991s
Simplifying prog options: 0s
Extracting C: 38.216667026s
Simplifying C: 2m39.596497786s


extracting reproducer from 72 programs
testing a last program of every proc
single: executing 22 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-close_range-socketpair$unix-syz_usb_connect$midi-flistxattr-syz_mount_image$ext4
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xc)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000440)={<r0=>0xffffffffffffffff})
syz_usb_connect$midi(0x0, 0x4f, &(0x7f0000000200)=ANY=[@ANYBLOB="12010003000000404104484240000102030109023d00010105800409040000030103000009050f03000202060b05250101b409050e03ff0303520805"], &(0x7f0000000800)={0x0, 0x0, 0x0, 0x0})
flistxattr(r0, &(0x7f0000000340)=""/58, 0x3a)
syz_mount_image$ext4(&(0x7f0000000140)='ext3\x00', &(0x7f0000000040)='./file1\x00', 0x1018e58, &(0x7f0000000080)={[{@init_itable}, {@block_validity}, {@oldalloc}, {@dax_always}, {@oldalloc}, {@nodiscard}, {@bsdgroups}]}, 0x1, 0x624, &(0x7f0000000180)="$eJzs3c9rVNceAPDvnUlionkv+ng8nuE9XuAtFB7GxCe17abRLupCqFAXpXRhMIkNjj8wEaoVVOiihRZK6VaKm/4D3Rf33ZVC213XBVuKpYVWMuXeuRMnyR0TozOTeD8fmJlzz70z53zneLzn3pszN4DSGkufKhF7I5ZOJxEjLeuGo7FyLN/u/s/Xz6SPJOr1135KIsnzmtsv5a+70qckYjAivjoW8bfq2nIXrl47N12rN9yIOLh4/tLBhavXDsyfnz47e3b2wuSh5w8fmXhh8vDkU4lzV/56/MSr//rw3beem/u6diCJqTjV/85MrIpjE+pJQeZYjMVSHmJrfl9EHEkTBd/LdrOhEHZ0vh5sTjX/99gfEf+IkahmSw0jMf9BTysHdFS9GlEHSirR/6GkmuOA5rH9xo6DT3V4VNI99442DoDWxt/XODcSg9mx0c77ScuRUePcxu6nUH5axoPro7fTR6w4D/Hbcuv0PYVy2rl5KyL+WRR/ktVtdxZpGn8lKi3vS+s0EREDefrlTRTdTLSeO3nC8zCPX4nHiL+1HdLvYip/TfOPbbL8sVXL3Y4fgHK6ezTfkWd744f7v3Ts0Rz/RMH4Z7hg37UZvd7/tR//Nff3g9k58sqqcVg6ZjlZ/JH9qzO+f//4x+3Kbx3/PbieZPVojgW74d6tiNFV8b+XDfSS5fZPCto/3eT01MbKeOWbH4+3W7cy/tHb3Y6/fidiX+Hxz8NRaZp6xPXJg3PztdmJxnNhGV98+eZn7crvdfxp++9sE39L+1dWvy/9Ti5tsIzPT945P9Bm3fC68Vd+GEgax5vNz3h7enHx8mTEQHIi36Ql/9Cj69LcpvkZafz7/1vc/1f8+7+18nOGWg9g1nHp9XP3263bTPu3XExeqm+wDu2k8c+s3/5r+n+a99EGy/j1jSv/breuIP6IPP6hJwkMAAAAAAAASqiSXYNNKuPL6UplfLwxX/bvsbNSu7iw+L+5i1cuzETsz/4esr/SvNI90lhO0uXJ/O9hm8uHVi3/PyL2RMQn1aFsefzMxdpMr4MHAAAAAAAAAAAAAAAAAACALWJXPv+/eZ/qX6qN+f9ASXTyBnPA1qb/Q3ll/X/NLZ6AMrD/h/LS/6G89H8oL/0fykv/h/LS/6G89H8oL/0fAAAAAJ5Je/5z97skIm6+OJQ9UlP5umpPawZ0Wn9BXv1GDyoCdJ19PJTX8qV/0/+hdIrG/2v8nv84YOerA/RAUpSZDQ7qj+78dwvfCQAAAAAAAAAAAAB0wL69a+f/D+TrNjQ3ANi2TPuD8nqC+f9+OgC2OT/9D+XlGB9Ybxb/YLsV5v8DAAAAAAAAAAAAQNcMZ4+kMp7PBR6OSmV8POIvEbE7+pO5+drsRET8NSK+rfbvSJcne11pAAAAAAAAAAAAAAAAAAAAeMYsXL12brpWm73cmvhjTc6znWjeBbULZb0Uj/muSLr/tQxFRM8bpWOJvpacJOJm2vJbomKXF2JrVCNL9Pg/JgAAAAAAAAAAAAAAAAAAKKGWucfFRj/tco0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoPse3v+/c4lexwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbE9/BgAA//+QzUJb")

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$exfat-socket$nl_route-syz_open_dev$tty1-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-sched_setaffinity-fsopen-gettid-socket$nl_route-syz_open_dev$tty1-ioctl$VT_RESIZEX-sendmsg$nl_netfilter-socket$nl_xfrm-sendmsg$nl_xfrm-ioctl$TIOCL_SETSEL-sendmsg$nl_route-openat$cgroup_ro-write$binfmt_script-mmap-ioctl$TIOCSTI-madvise
detailed listing:
executing program 0:
syz_mount_image$exfat(&(0x7f0000002bc0), &(0x7f0000000080)='./file0\x00', 0x0, &(0x7f00000001c0)={[{@uid={'uid', 0x3d, 0xee00}}, {@dmask={'dmask', 0x3d, 0x564}}, {@errors_remount}, {@codepage={'codepage', 0x3d, 'euc-jp'}}, {@gid}, {@namecase}, {@fmask={'fmask', 0x3d, 0xf9}}, {@namecase}, {@umask={'umask', 0x3d, 0x75}}, {@sys_tz}, {}, {@time_offset={'time_offset', 0x3d, 0x56}}, {@time_offset={'time_offset', 0x3d, 0x6}}, {@errors_continue}]}, 0x1, 0x153d, &(0x7f0000002c00)="$eJzs3AucTVX7OPDnWWvtMSbpNMllWGs9m5NcFkmSS5JckiRJkoSEJMkrCYkht6QhCck9uQwhuUxMGvf7/ZKQJE2ShOSWrP9nYv7q9fZ7336/t/ze3zzfz2d/znrO2mvtZ+91ztlr73Nmvu00uHrDGlXqExH8hoQ/Bi88JAJALAD0B4BrACAAgDLxZeIz6rNLTPyDvbI/1UPJVzoDdiXx+GdtPP5ZG49/1sbjn7Xx+GdtPP5ZG49/1sbjz1hWtmlavmt5ybrL797//6Pw10Ei3///j8Dn//9D0kuM/nJNies7A8T8q014/P/z4f+gLY///1nBv7ISj3/WxuOfVcVe6QTY/wL8/s8Ksv1uDY9/1sbjz1hW9ut7wbFw5e9H/9ULRP7M70B8jwtH+crv5+/uP2OMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wx9hc47S9RAJBZvtJ5McYYY4wxxhhj7N/HZ7vSGTDGGGOMMcYYY+zPhyBAgoIAYiAbxEJ2iAMBEJNZfy3Ew3WQC66H3JAH8kI+SID8UAA0GLBAEEJBKARRuAEKw41QBIpCMSgODkpASbgJSsHNUBpugTJwK5SF26AclIcKUBFuh0pwB1SGO6EK3AVVoRpUhxpwN9SEe6AW3Au14T6oA/dDXXgA6sGDUB8eggbwMDSER6ARPAqN4TFoAk2h2X+r/YvQDV6C7tADEqEn9IKXoTf0gb7QD/rDKzAAXoWB8BokwSAYDK/DEHgDhsKbMAyGi8yjMgpGwxgYC+NgPEyAd2AivAuTYDJMgamQDNNgOrwHM2AmzIL3YTZ8AHNgLsyD+ZACH8ICWAip8BEsgo8hDRbDElgKy2A5rICVsApWwxpYC+tgPWyAjbAJNsMW2ArbYDvsgE9gJ3wKu2A37IHPYC98/gfbn/q79p0REFCgQIUKYzAGYzEW4zAOc2AOzIk5MYIRjMd4zIW5MDfmxryYFxMwAQtgATRokJCwIBbEKEaxMBbGIlgEi2ExdOiwJJbEUngzlsbSWAbLYFksi+WwPJbHilgRK2ElrIyVsQpWwapYFatjdbwb78aeWAtrYW2sjXWwTubtKayP9bEBNsCG2BAbYSNsjI2xCTbBZtgMm2NzbIEtsBW2wtbYGttgG2yLbbEdtsP22B47YAfsiB2xE3bCztgFu6S/mA3wJXwJe2BV0RN7YS/sjUnZ+mI/7Iev4AB8FV/F1zAJB+FgfB1fxzdwKJ7EYeeH4wgcgZXE2zgKRyOJsTgOx+EEnIATcSJOwsk4GadiMk7D6TgdZ+BMnInv42z8AD/AuTgX52MKpuACXIipmIqL8BSm4WJcgktxGS7HZbgSV+FKXINrcQ2ux/W4ETfiZtyMW3Erbsft+AkqAPwUd+NuTMK9uBf34T7cj/vxAB7AdEzHg3gQD+EhPIyH8QgewaN4DI/jMTyBJ/AknsLTeBrP4lk8h88nfN3gk6Krk0BkUEKJGBEjYkWsiBNxIofIIXKKnCIiIiJexItcIpfILXKLvCKvSBAJooAoIIwwgkSY8UkhoiIqCovCoogoIoqJYsIJJ0qKkqKUKCVKi9KijLhVlBW3iXKivGjpKoqKopJo5SqLO0UVUUVUFdVEdVFD1BA1RU1RS9QStUVtUUfUEXXFA6Ke6Il98SGRMTINxSBsJAZjY/GYkBffi83FUGwhWopW4kkxHIdhG9HctRXPiHZiFLYXfxOj8TnRUYzFTuIF0Vl0EV3Fi6KbaOG6ix5iEvYUvcRU7C36iL6in5iB1cT7ODt7dfGaSBKDxGDxupiPb4ih4ioxTAwXI8RbYqR4W4wSo8UYMVaME+PFBPGOmCjeFZPEZDFFTBXJYpqYLt4TM8RMMUu8L2aLD8QcMVfME/NFivhQLBALRar4SCwSH4s0sVgsEUvFMrFcrBArxSqxWqwRa8U6sV5sEBvFJrFZbBFbxTaxXewQn4id4lOxS+wWe8RnYq/4XOwTX4j94ktxQHwl0sXX4qD4RhwS34rD4jtxRHwvjopj4rj4QZwQP4qT4pQ4Lc6Is+IncU78LM4LL0CiFFJKJQMZI7PJWJldxsmrZA4ZZH7+y3h5ncwlr5e5ZR6ZV+aTCTK/LCC1NNJKkqEsKAvJqLxBFpY3yiKyqCwmi0snS8iS8iZZSt4sS8tbZBl5qywrb5PlZHlZQVaUt8tK8g4JkQvbqCqryeqyhrxbJsI9spa8V9aW98k68n5ZVz4g68kHZX35kGwgH5YN5SOykXxUNpaPySayqWwmH5fN5ROyhWwpW8knZWv5lGwjn5Zt5TOynfQXXyLPyY7yedlJviA7yy6yq/xZnpdedpc9JPQE2Uu+LHvLPrKv7Cf7y1fkAPmqHChfk0lykBwsX5dD5BtyqHxTDpPD5Qj5lhwp35aj5Gg5Ro6V4+R4OUG+IyfKd+UkOVlOkVNlspwm+17saZaU/7T9O/+g/cBftr5RbpKb5Ra5VW6T2+UO+YncKXfKXXKX3CP3yL1yr9wn98n9cr88IA/IdJkuD8qD8pA8JA/Lw/KIPCKPymPyjPxBnpA/ypPylDwlz8iz8qw8d/EYgEIllFRKBSpGZVOxKruKU1epHOpqlVNdoyLqWhWvrlO51PUqt8qj8qp8KkHlVwWUVkZZRSpUBVUhFVU34MUXjCqmiiunSqiS6qY/0l4VVjeqIqrob9pn5pf4O/k1U81Uc9VctVAtVCvVSrVWrVUb1Ua1VW1VO9VOtVftVQfVQXVUHVUn1Ul1Vp1VV9VVdVPdVHfVXSWqRNVLvax6qz6qr+qn+qtXMs7xaqAaqJJUkhqsBqshaogaqoaqYWqYGqFGqJFqpBqlRqkxaowap8apCWqCmqgmqklqkpqipqhklaymq+lqhpqhZqlZaraareaoOWqemqdSVIpaoBaoVJWqFqlFKk0tVovVUrVULVfL1Uq1Uq1Wq9VatVatV+tVmtqkNqktaovaprapHWqH2ql2ql1ql9qj9qi9aq/ap/ap/Wq/OqAOqHSVrg6qg+qQOqQOq8PqiDqijqqj6rg6rk6oE+qkOqlOq9PqrDqrzqlz6rw6nzHtC0QgAhWoICaICWKD2CAuiAtyBDmCnEHOIBJEgvggPsgVXB/kDvIEeYN8QUKQPygQ6MAENsicEEWDG4LCwY1BkaBoUCwoHrigRFAyuCkoFdwclA5uCcoEtwZlg9uCckH5oEJQMbg9qBTcEVQO7gyqBHcFVYNqQfWgRnB3UDO4J6gV3BvUDu4L6gT3B3WDB4J6wYNB/eChoEHwcNAweCRoFDwaNA4eC5oETYNm/9b+vT+Z5wnXXffQibqn7qVf1r11H91X99P99St6gH5VD9Sv6SQ9SA/Wr+sh+g09VL+ph+nheoR+S4/Ub+tRerQeo8fqcXq8nqDf0RP1u3qSnqyn6Kk6WU/T0/V7eoaeqWfp9/Vs/YGeo+fqeXq+TtEf6gV6oU7VH+lF+mOdphfrJXqpXqaX6xV6pV6lV+s1eq1ep9frDXqj3qQ36y16q96mt+sd+hO9U3+qd+ndeo/+TO/Vn+t9+gu9X3+pD+ivdLr+Wh/U3+hD+lt9WH+nj+jv9VF9TJfWP+gT+kd9Up/Sp/UZfVb/pM/pn/V57TMm9xmnd6OMMjEmxsSaWBNn4kwOk8PkNDlNxERMvIk3uUwuk9vkNnlNXpNgEkwBU8BkIEOmoClooiZqCpvCpogpYoqZYsYZZ0qakqaUKWVKm9KmjCljypqyppwpZyqYCuZ2c7u5w9xh7jR3mrvMXaaaqWZqmBqmpqlpaplaprapbeqYOqauqWvqmXqmvqlvGpgGpqFpaBqZRqaxaWyamCammWlmmpvmpoVpYVqZVqa1aW3amDamrWlr2pl2pr1pbzqYDqaj6Wg6mU6ms+lsupquppvpZrqb7ibRJJpeppfpbXqbvqav6W/6mwFmgBloBpokk2QGm8FmiBlihpqhZpgZbkZkTFTN22aUGW3GmLFmnBlnJpgJZqKZaCaZSWaKmWKSTbKZbqabGWaGmWVmmdlmtplj5ph5Zp5JMSlmgVlgUk2qWWQWmTSTZpaYJWaZWWZWmBVmlVll1pg1Zh2sMxvMBrPJbDJbzBazzWwzO8wOs9PsNLvMLrPH7DF7zV6zz+wz+81+c8AcMOkm3Rw0B80hc8gcNofNEXPEHDVHzXFz3JwwJ8xJc9KcNqfNWZPn4vnSm1ib3cbZq2wOe7XNaa+xfx/ntflsgs1vC1htc9s8v4mNtbaILWqL2eLW2RK2pL3psricLW8r2Ir2dlvJ3mErXxbXtPfYWvZeW9veZ2vYu38T17H327r2EVsPEcA+ZhvYprahfcQ2so/axvYx28Q2ta3tU7aNfdq2tc/YdvbZy+IFdqFdZVfbNXat3WV329P2jD1kv7Vn7U+2u+1h+9tX7AD7qh1oX7NJdtBl8Qj7lh1p37aj7Gg7xo69LJ5ip9pkO81Ot+/ZGXbmZXGK/dDOtql2jp1r59n5v8QZOaXaj+wi+7FNswEssUvtMrvcrrAr/3+uS+16u8FutDvtp3aL3Wq32e12R+ZE2O62e+xndq/93B6039j99kt7wB626fbrX+KM/Ttsv7NH7Pf2qD1mj9sf7An7o7rYuq8AsD/Yn+156y0QEpAkRQHFUDaKpewUR1dRDrqactI1FKFrKZ6uo1x0PeWmPJSX8lEC5acCpMmQJaKQClIhitINlJleMSpOjkpQSbqJStHNVJpuoTJ0K5Wl26gclacKVJFup0p0B1WmO6kK3UVVqRpVpxp0N9Wke6gW3Uu16T6qQ/dTXXqA6tGDVJ8eogb0MDWkR6gRPUqN6TFqQk2pGT1OzekJakEtqRU9Sa3pKWpDT1Nbeoba0bPUnv5GHeg56kjPUyd6gTpTF+pKL1I3eom6Uw9KpJ7Ui16m3tSH+lI/6k+v0AB6lQbSa5REg2gwvU5D6A0aSm/SMBpOI+gtGklv0ygaTWNoLI2j8TSB3qGJ9C5Nosk0haZSMk2j6fQezaCZNIvep9n0Ac2huTSP5lMKfUgLaCGl0ke0iD6mNFpMS2gpLaPltIJW0ipaTWtoLa2j9bSBNtIm2kxbaCtto+20gz6hnfQp7aLdtIc+o730Oe2jL2g/fUkH6CtKp6/pIH1Dh+hbOkzf+R70PR2lY3ScfqAT9COdpFN0ms7QWfqJztHPdJ48QYihCGWowiCMCbOFsWH2MC68KswRXh3mDK8JI+G1YXx4XZgrvD7MHeYJ84b5woQwf1gg1KEJbUhhGBYMC4XR8IawcHhjWCQsGhYLi4cuLBGWDG8KS4U3h6XDW8Iy4a1h2fC2sFxYPnzkvorh7WGl8I6wcnhnWCW8K6waVgurhzXCu8Oa4T1hrfDesHZ4X1g6vD+sGz4Q1gsfDOuHD4UNwofDhuEjma/jsEnYNGwWPh42D58IW4Qtw1bhVWHr8KmwTfh02DZ8JmwXPvtL/f0LM+ufvKw+MewZ9gpfDl8Ovb9XzovOj6ZEP4wuiC6MpkY/ii6KfhxNiy6OLokujS6LLo+uiK6Mroqujq6Jro2ui66PbohujHpfIxs4dMJJp1zgYlw2F+uyuzh3lcvhrnY53TUu4q518e46l8td73K7PC6vy+cSXH5XwGlnnHXkQlfQFXJRd4Mr7G50RVxRV8wVd86VcCVdU9fMNXPN3ROuhWvpWrkn3ZPuKfeUe9o97Z5x7dyzrr37m+vgnnMd3fPuefeC6+y6uK7uRdfNjc954WAlul6ul+vteru+rq/r7/q7AW6AG+gGuiSX5Aa7wW6IG+KGuqFumBvmRrgRbqQb6Ua5UW6MG+PGuXFugpvgJrqJbpKb5Ka4KS7ZJbvpbrqb4Wa4SjMvbGWOm+PmuXkuxaW4BS5jzpjqFrlFLs2luSVuiVvmlrkVboVb5Va5NW6NW+fWuQ1ug9vkNrktbovb5ra5HW6H2+l2ul3+mgudur1un9vn9rv97oD7yqW7r91B94075L51h9137oj73h11x9xx94M74X50J90pd9qdcWfdT+6c+9mdd96Ni4yPTIi8E5kYeTcyKTI5MiUyNZIcmRaZHnkvMiMyMzIr8n5kduSDyJzI3Mi8yPxISuTDyILIwkhq5KPIosjHkbTI4siSyNLIssjyiPf5t4S+oC/ko/4GX9jf6Iv4or6YL+6dL+FL+pt8qQt5p3l/qy/rb/PlfHlfwT/qG/vHfBPf1Dfzj/vm/gnfwrf0rfyTvrV/yrfxT/u2/hnfzj/r2/u/+Q7+Od/RP+87+Rd8Z9/Fd/Uv+m7+Jd/d9/CJvqfv5V/2vX0f39f38/39K36Af9UP9K/5JD/ID/av+yH+DT/Uv+mH+eF+RMxbfmTmJTKM9eP8eD/Bv+Mn+nf9JD/ZT/FTfbKf5qf79/wMP9PP8u/72f4DP8fP9fP8fJ/iP/QL/EKf6j/yi/zHPs0vzrw96lf4lX6VX+3X+LV+nV/vN/iNfpPf7Lf4rX6b3+53+E/8Tv+p3+V3+z3+M7/Xf+73+S/8fv+lP+C/8un+a3/Qf+MP+W/9Yf+dP+K/90f9MX/c/+BP+B/9SX/Kn/Zn/Fn/kz/nf/bn+W/WGGOMMcb+JeMvFcVvay7czu/5D9qIX63cCwCu3pov/df1GTPKdbkvlPuIhNiMx2d6dHooc6laNTEx8eK6aRKCQnMBMr8JyvDLTw8uxouhFTwFbaEllPqH+fcRXc7SP+k/eitAXGZiAJCRUBz8ff9fAGDiZfvbRzz+5IgFZcPT8f9F/3MBihS61CY7XIoXQ6tfrktbQunfyT9P83+Sf/YvxwG0+FWbHHApvpR/SXgCnoW2v1mTMcYYY4wxxhi7oI+o0CHz+jPzF5//6Po8QV1qkw0uxf/s+pwxxhhjjDHGGGNX3nNduj79eNu2LTv88ULl/1arf7nQCP6snrNwIYDfX8d7gMxnFAD8D7cFkFGQf+UObv5LtpV08a3z91XLzvj/6vD+pxWu8AcTY4wxxhhj7N/u0qT/t8+rK5UQY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDGWBf0V/07sSu8jY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxxhhjjDHGGGOMMcYYY4wxdqX9vwAAAP//i7b0GQ==")
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r2 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r2, 0x8, &(0x7f0000000240)=0x2)
fsopen(&(0x7f0000000280)='ceph\x00', 0x0)
gettid()
socket$nl_route(0x10, 0x3, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$VT_RESIZEX(r1, 0x560a, &(0x7f00000006c0)={0x4, 0x0, 0x0, 0x0, 0x132, 0x3})
sendmsg$nl_netfilter(0xffffffffffffffff, 0x0, 0x55fdb4595c3d8036)
r5 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r5, &(0x7f00000000c0)={0x0, 0xa00, &(0x7f0000000080)={&(0x7f0000000040)=ANY=[@ANYBLOB="1c0000001c000100000000000030000100000000000000"], 0x1c}}, 0x0)
ioctl$TIOCL_SETSEL(r1, 0x541c, &(0x7f0000001900)={0x2, {0xc, 0x119, 0x8, 0xfe, 0x5, 0xf}})
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000480)=ANY=[@ANYBLOB="3c0000861000010800000000000000000052f60044dda1c8b655461263b31eb408adb36f1632f642dc7fd2e744ed2ab2bea59745b2a3a01194be5def1bd2f2c7e10d101fd142ba9ab58de9b009c8a988086ef755d278729a1423e035a4cf77a7", @ANYRES32=0x0, @ANYBLOB="312000000000000014002b8008000100", @ANYRES32, @ANYBLOB="080003000200000008001b0000000000"], 0x3c}, 0x1, 0x0, 0x0, 0x20048054}, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000840)='memory.events.local\x00', 0x275a, 0x0)
write$binfmt_script(r6, &(0x7f0000000040), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000007, 0x28011, r6, 0x0)
ioctl$TIOCSTI(0xffffffffffffffff, 0x5412, &(0x7f0000000180)=0x4)
madvise(&(0x7f0000000000/0x3000)=nil, 0x7fffffffffffffff, 0x2)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): unshare-bpf$MAP_CREATE-bpf$MAP_GET_NEXT_KEY-bpf$MAP_CREATE-bpf$MAP_CREATE-bpf$MAP_UPDATE_ELEM_TAIL_CALL-creat-socket$nl_route-mmap$binder-syz_open_procfs-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syz_usb_connect-syz_usb_ep_write$ath9k_ep1-syz_clone-futex-syz_usb_ep_write$ath9k_ep1-mmap-socket$nl_route
detailed listing:
executing program 0:
unshare(0x20000400)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="0a0000000b0000000100000002"], 0x50)
bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000180)={r0, &(0x7f0000000080), &(0x7f0000000000)=""/10, 0x2}, 0x20)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000540)=@base={0x11, 0x4, 0x4, 0x9}, 0x50)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="0d00000004000000040000000010000001000000", @ANYRES32=r1, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32, @ANYBLOB="00000000000000000000000000005800000000e6ef00000000000100"], 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000300)={{r2}, &(0x7f00000002c0), &(0x7f0000000400)=r2}, 0x20)
creat(&(0x7f00000004c0)='./bus\x00', 0x75)
socket$nl_route(0x10, 0x3, 0x0)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, 0xffffffffffffffff, 0x0)
syz_open_procfs(0x0, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r3 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r3, 0x2, &(0x7f0000000200)=0x6)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x20800000000, 0xb, &(0x7f0000006680))
r4 = syz_usb_connect(0x5, 0x36, &(0x7f0000000200)=ANY=[@ANYBLOB="1201000092ecc620ac0500773aeb010203010902240001000020000904c40102fffd0180090502021002020000090582020002"], 0x0)
syz_usb_ep_write$ath9k_ep1(r4, 0x82, 0x0, 0x0)
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
futex(0x0, 0x5, 0x1, 0x0, 0x0, 0x5000001)
syz_usb_ep_write$ath9k_ep1(r4, 0x82, 0x4, &(0x7f0000000340)=ANY=[])
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socket$nl_route(0x10, 0x3, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4-syz_open_procfs-syz_open_procfs-fchdir-exit-newfstatat-openat$ppp-openat$ppp
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') (async)
r5 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00')
fchdir(r5)
exit(0x200020000ffff)
newfstatat(0xffffffffffffff9c, &(0x7f0000000280)='.\x00', &(0x7f0000000100), 0x6000)
openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0x8a140, 0x0) (async)
openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0x8a140, 0x0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
single: successfully extracted reproducer
found reproducer with 22 syscalls
minimizing guilty program
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4-syz_open_procfs-syz_open_procfs-fchdir-exit-newfstatat-openat$ppp
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') (async)
r5 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00')
fchdir(r5)
exit(0x200020000ffff)
newfstatat(0xffffffffffffff9c, &(0x7f0000000280)='.\x00', &(0x7f0000000100), 0x6000)
openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0x8a140, 0x0) (async)

program crashed: KASAN: use-after-free Read in l2tp_tunnel_del_work
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4-syz_open_procfs-syz_open_procfs-fchdir-exit-newfstatat
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') (async)
r5 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00')
fchdir(r5)
exit(0x200020000ffff)
newfstatat(0xffffffffffffff9c, &(0x7f0000000280)='.\x00', &(0x7f0000000100), 0x6000)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4-syz_open_procfs-syz_open_procfs-fchdir-exit
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') (async)
r5 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00')
fchdir(r5)
exit(0x200020000ffff)

program crashed: KASAN: use-after-free Read in l2tp_tunnel_del_work
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4-syz_open_procfs-syz_open_procfs-fchdir
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') (async)
r5 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00')
fchdir(r5)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4-syz_open_procfs-syz_open_procfs
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') (async)
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00')

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4-syz_open_procfs
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='ns\x00') (async)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL-syz_mount_image$ext4
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x14045, &(0x7f0000000040)={[{@journal_async_commit}, {@errors_remount}, {@data_journal}, {@noload}, {@grpjquota}]}, 0x1, 0x447, &(0x7f0000000d40)="$eJzs3MuPU9UfAPDvvZ0OP36ArQQfPNRRNBIfM8yASKIbjSYuNDHRBS7rzECQwhhmTIQQHY3BpSFxb1ya+Be40o1RVyZudW9IiGEDsqq57e1Mp7SdmUIp2s8nuXDOfeScb8897Tn3TBvAyJrI/kkitkfE7xFRamTXnjDR+O/61Quzf1+9MJtErfbWX0n9vGtXL8w2T21et62ZKUeknyWxt0O5i+fOn6pUq/Nn8/zU0un3pxbPnX/25OnKifkT82dmjh49fGj6+SMzz92WOLO4ru35aGHf7tfeufTG7LFL7/78bdKMvy2OTUm7HpnoddkTtVpfxd2tdrSkk7HV5DqX1UoDqxEbUYiIrLmK9f5fikKsNl4pXv10qJUDBmq89+HlGvAflo3mgVHU/KDP5r/N7Q4MO+4aV15qTICyuK/nW+PI2MrUvtg2v72dJiLi2PKNr7ItbuU5BADABn2fjX+eiSjeNP5L4/6W8+7J11DKEXFvROyMiCMRsSsi7ouon/tARDy4yfLbF0luHv+kl/sKbIOy8d+L+drW2vHfysJOuZDndtTjLybHT1bnD+avyYEobsny0z3K+OGV377odqx1/JdtWfnNsWBej8tjW9ZeM1dZqtxKzK2ufBKxZ6xT/MnKSkASEbsjYk+fZZx86pt93Y6tH/9g1b6OeLLR/svRFn9T0nt9cup/UZ0/ONW8K272y68X3+xW/rDjz9o/Yrlj++fKSet67eLmy7j4x+dd5zT93v/jydtr9n1YWVo6Ox0xnrzeqHTr/pm282ZWz8/iP7C/c//fGauvxN6IyG7ihyLi4Yh4JK/7oxHxWETs7xH/Ty8//l7/8Q9WFv9cRNzInwes3/6rifFo39MhEZVq4dSP360ptLyZ+LP2P1xPHcj3bOT9b916vZD2eTcDAADAv08aEdsjSSdX0mk6Odn4G/5d8f+0urC49PTxhQ/OzDW+I1COYtp80lVqeR46nU/rm/mZtvyh/Lnxl4Wt9fzk7EJ1btjBw4jb1qX/Z/4sDLt2wMCNDbsCwNDo/zC69H8YXfo/jK4O/X/rMOoB3Hn1/t/2U00fD6kuwJ3V9vlv2Q9GiPk/jC79H0aX/g8jaXFr9PiS/KgmaqXwsqz3ww7pXVENiQElhv3OBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcHv8EwAA//9iFOQI")

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET-ioctl$AUTOFS_IOC_FAIL
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)
ioctl$AUTOFS_IOC_FAIL(r0, 0x9361, 0xfffffffffffffffc)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$ETHTOOL_MSG_LINKMODES_SET
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', <r4=>0x0})
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r0, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000240)={&(0x7f00000026c0)={0xe4, r3, 0x400, 0x70bd30, 0x25dfdbff, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x80, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_batadv\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'lo\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'batadv_slave_0\x00'}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'veth1_to_bond\x00'}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_DUPLEX={0x5}, @ETHTOOL_A_LINKMODES_SPEED={0x8, 0x5, 0x37}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0x6}, @ETHTOOL_A_LINKMODES_HEADER={0x30, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'ip6gretap0\x00'}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r4}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x2}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}]}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x5}]}, 0xe4}, 0x1, 0x0, 0x0, 0x4000000}, 0xc0)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'})

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-syz_genetlink_get_family_id$ethtool
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
syz_genetlink_get_family_id$ethtool(&(0x7f0000000140), r0)

program did not crash
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-getsockname-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
getsockname(r1, 0x0, &(0x7f0000000180))
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockname-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
getsockname(r1, 0x0, &(0x7f0000000180)) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-socket$inet_udp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program did not crash
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$pppl2tp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program did not crash
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-readv-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
readv(r0, &(0x7f0000000500)=[{&(0x7f00000002c0)=""/210, 0xd2}, {&(0x7f00000003c0)=""/34, 0x22}, {&(0x7f0000000400)=""/83, 0x53}, {&(0x7f0000000480)}, {&(0x7f00000004c0)=""/63, 0x3f}], 0x5)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(0xffffffffffffffff, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program did not crash
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-read$FUSE-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
read$FUSE(r0, &(0x7f00000005c0)={0x2020}, 0x2020)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_procfs-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00')
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32) (async)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'})

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, 0x0, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00'})

program did not crash
testing program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
extracting C reproducer
testing compiled C program (duration=35.358295201s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
program crashed: KASAN: use-after-free Write in pppol2tp_release
simplifying C reproducer
testing compiled C program (duration=35.358295201s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
program did not crash
testing program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
testing program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
testing program (duration=35.358295201s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-ioctl$ifreq_SIOCGIFINDEX_batadv_hard
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x3, 0x0, 0x0, 0x0, {0xa, 0xfffe, 0xfffffff8, @local}}}, 0x32)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r0, 0x8933, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
reproducing took 25m47.293273712s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
Write of size 8 at addr ffff88811417c150 by task syz.2.17/373

CPU: 0 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
 mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
 pppol2tp_release+0x178/0x2b0 net/l2tp/l2tp_ppp.c:441
 __sock_release net/socket.c:652 [inline]
 sock_close+0xc9/0x220 net/socket.c:1389
 __fput+0x1fd/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f9e6eb9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffe5c39fc8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffe5c3a0b0 RCX: 00007f9e6eb9ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000006e6b R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9e6ee15fac R14: 00007f9e6ee15fa8 R15: 00007f9e6ee15fa0
 </TASK>

Allocated by task 373:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:380 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 __do_kmalloc_node mm/slab_common.c:938 [inline]
 __kmalloc+0xb4/0x1e0 mm/slab_common.c:951
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 l2tp_session_create+0x38/0xbd0 net/l2tp/l2tp_core.c:1609
 pppol2tp_connect+0xbf5/0x1640 net/l2tp/l2tp_ppp.c:771
 __sys_connect_file net/socket.c:2000 [inline]
 __sys_connect+0x3da/0x460 net/socket.c:2017
 __do_sys_connect net/socket.c:2027 [inline]
 __se_sys_connect net/socket.c:2024 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2024
 x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 373:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:242
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:250
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1750 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
 slab_free mm/slub.c:3712 [inline]
 __kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
 kfree+0x6f/0xf0 mm/slab_common.c:990
 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
 l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193
 l2tp_session_delete+0x3df/0x4d0 net/l2tp/l2tp_core.c:1582
 pppol2tp_release+0x169/0x2b0 net/l2tp/l2tp_ppp.c:438
 __sock_release net/socket.c:652 [inline]
 sock_close+0xc9/0x220 net/socket.c:1389
 __fput+0x1fd/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88811417c000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 336 bytes inside of
 512-byte region [ffff88811417c000, ffff88811417c200)

The buggy address belongs to the physical page:
page:ffffea0004505f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11417c
head:ffffea0004505f00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 373, tgid 373 (syz.2.17), ts 28292807571, free_ts 28292751098
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2672
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2679
 get_page_from_freelist+0x2ca9/0x2d20 mm/page_alloc.c:4586
 __alloc_pages+0x1fa/0x610 mm/page_alloc.c:5930
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1967 [inline]
 new_slab+0x98/0x3e0 mm/slub.c:2020
 ___slab_alloc+0x70f/0xb70 mm/slub.c:3177
 __slab_alloc+0x5e/0xa0 mm/slub.c:3263
 slab_alloc_node mm/slub.c:3348 [inline]
 __kmem_cache_alloc_node+0x204/0x2d0 mm/slub.c:3423
 kmalloc_trace+0x29/0xb0 mm/slab_common.c:1028
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 l2tp_tunnel_create+0x97/0x430 net/l2tp/l2tp_core.c:1421
 pppol2tp_tunnel_get net/l2tp/l2tp_ppp.c:670 [inline]
 pppol2tp_connect+0x7ef/0x1640 net/l2tp/l2tp_ppp.c:727
 __sys_connect_file net/socket.c:2000 [inline]
 __sys_connect+0x3da/0x460 net/socket.c:2017
 __do_sys_connect net/socket.c:2027 [inline]
 __se_sys_connect net/socket.c:2024 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2024
 x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1580 [inline]
 free_pcp_prepare mm/page_alloc.c:1654 [inline]
 free_unref_page_prepare+0x80c/0x820 mm/page_alloc.c:3621
 free_unref_page+0x93/0x530 mm/page_alloc.c:3719
 free_the_page mm/page_alloc.c:863 [inline]
 __free_pages+0x67/0x100 mm/page_alloc.c:6020
 free_pages+0x82/0x90 mm/page_alloc.c:6031
 __stack_depot_save+0x45f/0x490 lib/stackdepot.c:506
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_set_track+0x60/0x70 mm/kasan/common.c:53
 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:380 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 __do_kmalloc_node mm/slab_common.c:938 [inline]
 __kmalloc_node_track_caller+0xb1/0x1e0 mm/slab_common.c:958
 kmemdup+0x2b/0x60 mm/util.c:134
 kmemdup include/linux/fortify-string.h:585 [inline]
 sidtab_sid2str_get+0x137/0x2c0 security/selinux/ss/sidtab.c:615
 sidtab_entry_to_string security/selinux/ss/services.c:1291 [inline]
 security_sid_to_context_core+0x2ac/0x480 security/selinux/ss/services.c:1384
 security_sid_to_context+0x33/0x40 security/selinux/ss/services.c:1407
 avc_audit_post_callback+0x1db/0x830 security/selinux/avc.c:733
 common_lsm_audit+0x133f/0x1730 security/lsm_audit.c:460
 slow_avc_audit+0x1c4/0x240 security/selinux/avc.c:804

Memory state around the buggy address:
 ffff88811417c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811417c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88811417c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88811417c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811417c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
Write of size 8 at addr ffff88811417c150 by task syz.2.17/373

CPU: 0 PID: 373 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_long_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1779 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:176 [inline]
 mutex_lock+0x86/0x1b0 kernel/locking/mutex.c:295
 pppol2tp_release+0x178/0x2b0 net/l2tp/l2tp_ppp.c:441
 __sock_release net/socket.c:652 [inline]
 sock_close+0xc9/0x220 net/socket.c:1389
 __fput+0x1fd/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f9e6eb9ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffe5c39fc8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffe5c3a0b0 RCX: 00007f9e6eb9ce59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000006e6b R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9e6ee15fac R14: 00007f9e6ee15fa8 R15: 00007f9e6ee15fa0
 </TASK>

Allocated by task 373:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:380 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 __do_kmalloc_node mm/slab_common.c:938 [inline]
 __kmalloc+0xb4/0x1e0 mm/slab_common.c:951
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 l2tp_session_create+0x38/0xbd0 net/l2tp/l2tp_core.c:1609
 pppol2tp_connect+0xbf5/0x1640 net/l2tp/l2tp_ppp.c:771
 __sys_connect_file net/socket.c:2000 [inline]
 __sys_connect+0x3da/0x460 net/socket.c:2017
 __do_sys_connect net/socket.c:2027 [inline]
 __se_sys_connect net/socket.c:2024 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2024
 x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 373:
 kasan_save_stack mm/kasan/common.c:46 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:242
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:250
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1750 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
 slab_free mm/slub.c:3712 [inline]
 __kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
 kfree+0x6f/0xf0 mm/slab_common.c:990
 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
 l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193
 l2tp_session_delete+0x3df/0x4d0 net/l2tp/l2tp_core.c:1582
 pppol2tp_release+0x169/0x2b0 net/l2tp/l2tp_ppp.c:438
 __sock_release net/socket.c:652 [inline]
 sock_close+0xc9/0x220 net/socket.c:1389
 __fput+0x1fd/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1e1/0x250 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88811417c000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 336 bytes inside of
 512-byte region [ffff88811417c000, ffff88811417c200)

The buggy address belongs to the physical page:
page:ffffea0004505f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11417c
head:ffffea0004505f00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 373, tgid 373 (syz.2.17), ts 28292807571, free_ts 28292751098
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2672
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2679
 get_page_from_freelist+0x2ca9/0x2d20 mm/page_alloc.c:4586
 __alloc_pages+0x1fa/0x610 mm/page_alloc.c:5930
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1967 [inline]
 new_slab+0x98/0x3e0 mm/slub.c:2020
 ___slab_alloc+0x70f/0xb70 mm/slub.c:3177
 __slab_alloc+0x5e/0xa0 mm/slub.c:3263
 slab_alloc_node mm/slub.c:3348 [inline]
 __kmem_cache_alloc_node+0x204/0x2d0 mm/slub.c:3423
 kmalloc_trace+0x29/0xb0 mm/slab_common.c:1028
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 l2tp_tunnel_create+0x97/0x430 net/l2tp/l2tp_core.c:1421
 pppol2tp_tunnel_get net/l2tp/l2tp_ppp.c:670 [inline]
 pppol2tp_connect+0x7ef/0x1640 net/l2tp/l2tp_ppp.c:727
 __sys_connect_file net/socket.c:2000 [inline]
 __sys_connect+0x3da/0x460 net/socket.c:2017
 __do_sys_connect net/socket.c:2027 [inline]
 __se_sys_connect net/socket.c:2024 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2024
 x64_sys_call+0x88d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1580 [inline]
 free_pcp_prepare mm/page_alloc.c:1654 [inline]
 free_unref_page_prepare+0x80c/0x820 mm/page_alloc.c:3621
 free_unref_page+0x93/0x530 mm/page_alloc.c:3719
 free_the_page mm/page_alloc.c:863 [inline]
 __free_pages+0x67/0x100 mm/page_alloc.c:6020
 free_pages+0x82/0x90 mm/page_alloc.c:6031
 __stack_depot_save+0x45f/0x490 lib/stackdepot.c:506
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_set_track+0x60/0x70 mm/kasan/common.c:53
 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:380 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:389
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 __do_kmalloc_node mm/slab_common.c:938 [inline]
 __kmalloc_node_track_caller+0xb1/0x1e0 mm/slab_common.c:958
 kmemdup+0x2b/0x60 mm/util.c:134
 kmemdup include/linux/fortify-string.h:585 [inline]
 sidtab_sid2str_get+0x137/0x2c0 security/selinux/ss/sidtab.c:615
 sidtab_entry_to_string security/selinux/ss/services.c:1291 [inline]
 security_sid_to_context_core+0x2ac/0x480 security/selinux/ss/services.c:1384
 security_sid_to_context+0x33/0x40 security/selinux/ss/services.c:1407
 avc_audit_post_callback+0x1db/0x830 security/selinux/avc.c:733
 common_lsm_audit+0x133f/0x1730 security/lsm_audit.c:460
 slow_avc_audit+0x1c4/0x240 security/selinux/avc.c:804

Memory state around the buggy address:
 ffff88811417c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811417c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88811417c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88811417c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811417c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================