Extracting prog: 22m19.612505439s
Minimizing prog: 3h25m29.582772469s
Simplifying prog options: 12m9.971867426s
Extracting C: 5m11.84034497s
Simplifying C: 0s


extracting reproducer from 62 programs
testing a last program of every proc
single: executing 19 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-mkdirat-bpf$PROG_LOAD-inotify_init1-inotify_add_watch-mount$overlay
detailed listing:
executing program 0:
syz_mount_image$ext4(&(0x7f0000000440)='ext4\x00', &(0x7f0000000140)='./file0\x00', 0x200000, &(0x7f0000000200), 0x3, 0x570, &(0x7f0000000680)="$eJzs3V1rHFUYAOB3Nkm/tSmUoiIS6IWV2k2T+FFBsF6KFgt6X5dkGmo23ZLdlCYW2l7YG2+kCCIWxB/gvZfFP+CvKGihSAl64U1kNrPtNtnN52q2zvPAtOfMzObM2TPv2Xd2dtkACmsk+6cU8WLcjK+TiMNt2wYj3ziyst/So+uT2ZLE8vInfySR5Ota+yf5/wfzygsR8cuXESdLa9utLyzOVKrVdC6vjzZmr4zWFxZPXZqtTKfT6eXxiYkzb06Mv/P2Wz3r62vn//ru43sfnPnq+NK3Pz04cieJs3Eo39bejx242V4ZiZH8ORmKs6t2HOtBY/0k2e0DYFsG8jgfimwOOBwDedQD/383ImIZKKhE/ENBtfKA1rV9j66DnxkP31+5AFrb/8GV90ZiX/Pa6MBS8tSVUXa9O9yD9rM2fv797p1siQ3eh7jRg/YAWm7eiojTg4Nr578kn/+273TzzeP1rW6jaK8/sJvuZfnP653yn9Lj/Cc65D8HO8Tudmwc/6UHPWimqyz/e7dj/vt46hoeyGvPNXO+oeTipWp6OiKej4gTMbQ3q693P+fM0v3lbtva879sydpv5YL5cTwY3Pv0Y6YqjcpO+tzu4a2Il57kv0msmf/3NXPd1eOfPR/nN9nGsfTuK922bdz/dr3PgJd/jHi14/g/uaOVrH9/crR5Poy2zoq1/rx97Ndu7W+t/72Xjf+B9fs/nLTfr61vvY0f9v2ddtu23fN/T/Jps7wnX3et0mjMjUXsST5au378yWNb9db+Wf9PHF9//ut0/u+PiM822f/bR2933bUfxn9qS+O/9cL9D7/4vlv7mxv/N5qlE/mazcx/mz3AnTx3AAAAAAAA0G9KEXEoklL5cblUKpdXPt9xNA6UqrV64+TF2vzlqWh+V3Y4hkqtO92H2z4PMZZ/HrZVH19Vn4iIIxHxzcD+Zr08WatO7XbnAQAAAAAAAAAAAAAAAAAAoE8c7PL9/8xvA7t9dMC/zk9+Q3FtGP+9+KUnoC95/Yfi6hL/pgUoAIEOxSX+objEPxSX+IfiEv9QXOIfAAAAAAAAAAAAAAAAAAAAAAAAAAAAeur8uXPZsrz06PpkVp+6ujA/U7t6aiqtz5Rn5yfLk7W5K+XpWm26mpYna7Mb/b1qrXZlbDzmr4020npjtL6weGG2Nn+5ceHSbGU6vZAO/Se9AgAAAAAAAAAAAAAAAAAAgGdLfWFxplKtpnMKXQvvxW4fxucv7+ThSedRTto6uGJbTQz2yzAp9LSwyxMTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALT5JwAA//821zOC")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0xe, 0x6, &(0x7f0000000000)=@framed={{0x5, 0x0, 0x0, 0x0, 0x0, 0x71, 0x11, 0x76}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0x85, 0x0, 0x0, 0xa0}, @exit], {0x95, 0x0, 0x5a5}}, &(0x7f0000000080)='GPL\x00', 0x5, 0x29e, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sk_skb, 0xffffffffffffffff, 0x6, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x70)
r0 = inotify_init1(0x0)
inotify_add_watch(r0, &(0x7f00000000c0)='.\x00', 0xa4000061)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket-socket$unix-ioctl$sock_SIOCGIFINDEX-accept$packet-getsockname$packet-sendmsg$nl_route_sched-sendmsg$nl_route_sched
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) (async)
r1 = socket(0x400000000010, 0x3, 0x0) (async, rerun: 32)
r2 = socket$unix(0x1, 0x5, 0x0) (rerun: 32)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r3=>0x0}) (async)
r4 = accept$packet(0xffffffffffffffff, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f00000000c0)=0x14)
getsockname$packet(r4, &(0x7f0000000180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r3, {0x0, 0xfff1}, {0xffff, 0xffff}, {0x0, 0xf}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8}}]}, 0x38}}, 0x0) (async)
sendmsg$nl_route_sched(r1, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000780)=@newtfilter={0x54, 0x2c, 0xd27, 0x70bd28, 0x0, {0x0, 0x0, 0x0, r3, {0x0, 0xfff1}, {}, {0x9}}, [@filter_kind_options=@f_basic={{0xa}, {0x24, 0x2, [@TCA_BASIC_EMATCHES={0x20, 0x2, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x8, 0x1, {0x3}}, @TCA_EMATCH_TREE_LIST={0x14, 0x2, 0x0, 0x1, [@TCF_EM_IPSET={0x10, 0x1, 0x0, 0x0, {{0x3, 0x8, 0x2}, {0x300}}}]}]}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x48c0}, 0x4008000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket-socket$unix-ioctl$sock_SIOCGIFINDEX-accept$packet-getsockname$packet-sendmsg$nl_route_sched-sendmsg$nl_route_sched
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) (async)
r1 = socket(0x400000000010, 0x3, 0x0) (async, rerun: 32)
r2 = socket$unix(0x1, 0x5, 0x0) (rerun: 32)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r3=>0x0}) (async)
r4 = accept$packet(0xffffffffffffffff, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f00000000c0)=0x14)
getsockname$packet(r4, &(0x7f0000000180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000001c0)=0x14)
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r3, {0x0, 0xfff1}, {0xffff, 0xffff}, {0x0, 0xf}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8}}]}, 0x38}}, 0x0) (async)
sendmsg$nl_route_sched(r1, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000780)=@newtfilter={0x54, 0x2c, 0xd27, 0x70bd28, 0x0, {0x0, 0x0, 0x0, r3, {0x0, 0xfff1}, {}, {0x9}}, [@filter_kind_options=@f_basic={{0xa}, {0x24, 0x2, [@TCA_BASIC_EMATCHES={0x20, 0x2, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x8, 0x1, {0x3}}, @TCA_EMATCH_TREE_LIST={0x14, 0x2, 0x0, 0x1, [@TCF_EM_IPSET={0x10, 0x1, 0x0, 0x0, {{0x3, 0x8, 0x2}, {0x300}}}]}]}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x48c0}, 0x4008000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program crashed: KASAN: slab-use-after-free Read in tty_write_room
single: successfully extracted reproducer
found reproducer with 15 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00'})
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
socket$inet6_icmp(0xa, 0x2, 0x3a)
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100), 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(0xffffffffffffffff, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r3, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
ioctl$TIOCSETD(0xffffffffffffffff, 0x5423, &(0x7f0000000040)=0x14)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r3, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000040)=0x14)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r3, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
ioctl$TIOCSETD(0xffffffffffffffff, 0x5423, &(0x7f00000003c0)=0x14)
r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000040)=0x14)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r3, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r1, 0x5423, &(0x7f00000003c0)=0x14)
r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000040)=0x14)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(0xffffffffffffffff, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r3, @ANYRES64, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r0 = socket$kcm(0x2, 0xa, 0x2)
r1 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r1, 0x5423, &(0x7f00000003c0)=0x14)
r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000040)=0x14)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(0xffffffffffffffff, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r3, @ANYRES64=r0, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, 0x0, 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, 0x0)
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, 0x0)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, 0x0)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, 0x0)
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100), 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00'})
sendmsg$can_raw(r5, 0x0, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00'})
sendmsg$can_raw(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, 0x0, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={0x0}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, 0x0)
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, 0x0)
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, 0x0, 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = socket$can_raw(0x1d, 0x3, 0x1)
r5 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r6=>0x0})
sendmsg$can_raw(r4, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r6}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB, @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$kcm-openat$ttyS3-ioctl$TIOCSETD-openat$ptmx-ioctl$TIOCSETD-syz_init_net_socket$bt_hci-socket$can_raw-socket$inet6_icmp-ioctl$ifreq_SIOCGIFINDEX_vcan-sendmsg$can_raw-ioctl$sock_inet_SIOCGIFDSTADDR-ioctl$SIOCSIFHWADDR-write$tun
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r1 = socket$kcm(0x2, 0xa, 0x2)
r2 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r2, 0x5423, &(0x7f00000003c0)=0x14)
r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000040)=0x14)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$can_raw(0x1d, 0x3, 0x1)
r6 = socket$inet6_icmp(0xa, 0x2, 0x3a)
ioctl$ifreq_SIOCGIFINDEX_vcan(r6, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', <r7=>0x0})
sendmsg$can_raw(r5, &(0x7f0000000000)={&(0x7f0000000100)={0x1d, r7}, 0x10, &(0x7f0000000140)={&(0x7f0000000180)=@can={{0x0, 0x0, 0x1}, 0x0, 0x0, 0x4}, 0x10}, 0x2, 0x0, 0x0, 0xc8c4}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f0000000040)={'macvtap0\x00', {0x2, 0x0, @initdev}})
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000180)={'syzkaller1\x00'})
write$tun(r0, &(0x7f0000000080)=ANY=[@ANYBLOB="1c0088a8", @ANYRES16=r4, @ANYRES64=r1, @ANYBLOB='J'], 0xfdef)

program did not crash
reproducing took 4h5m11.007529369s
repro crashed as (corrupted=false):
ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
==================================================================
BUG: KASAN: slab-use-after-free in tty_write_room+0x3c/0x8c drivers/tty/tty_ioctl.c:68
Read of size 8 at addr ffff0000ebb6e020 by task aoe_tx0/2392

CPU: 0 UID: 0 PID: 2392 Comm: aoe_tx0 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 tty_write_room+0x3c/0x8c drivers/tty/tty_ioctl.c:68
 handle_tx+0x128/0x5fc drivers/net/caif/caif_serial.c:212
 caif_xmit+0x108/0x150 drivers/net/caif/caif_serial.c:268
 __netdev_start_xmit include/linux/netdevice.h:5204 [inline]
 netdev_start_xmit include/linux/netdevice.h:5213 [inline]
 xmit_one net/core/dev.c:3776 [inline]
 dev_hard_start_xmit+0x2b0/0x8ac net/core/dev.c:3792
 __dev_queue_xmit+0x15a4/0x31f0 net/core/dev.c:4629
 dev_queue_xmit include/linux/netdevice.h:3350 [inline]
 tx+0x9c/0x1cc drivers/block/aoe/aoenet.c:62
 kthread+0x164/0x354 drivers/block/aoe/aoecmd.c:1237
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Allocated by task 12121:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x2a4/0x3fc mm/slub.c:4358
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 alloc_tty_struct+0xb8/0x654 drivers/tty/tty_io.c:3115
 tty_init_dev+0x60/0x3e8 drivers/tty/tty_io.c:1409
 ptmx_open+0x100/0x2d4 drivers/tty/pty.c:824
 chrdev_open+0x1b0/0x4b0 fs/char_dev.c:414
 do_dentry_open+0xb7c/0x1544 fs/open.c:956
 vfs_open+0x44/0x2d4 fs/open.c:1086
 do_open fs/namei.c:3880 [inline]
 path_openat+0x2424/0x2c40 fs/namei.c:4039
 do_filp_open+0x18c/0x36c fs/namei.c:4066
 do_sys_openat2+0x11c/0x1b4 fs/open.c:1429
 do_sys_open fs/open.c:1444 [inline]
 __do_sys_openat fs/open.c:1460 [inline]
 __se_sys_openat fs/open.c:1455 [inline]
 __arm64_sys_openat+0x120/0x158 fs/open.c:1455
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 11:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2380 [inline]
 slab_free mm/slub.c:4642 [inline]
 kfree+0x17c/0x474 mm/slub.c:4841
 free_tty_struct drivers/tty/tty_io.c:174 [inline]
 release_one_tty+0x224/0x240 drivers/tty/tty_io.c:1542
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
 insert_work+0x54/0x2cc kernel/workqueue.c:2183
 __queue_work+0xdd8/0x1230 kernel/workqueue.c:2341
 queue_work_on+0xdc/0x18c kernel/workqueue.c:2392
 queue_work include/linux/workqueue.h:662 [inline]
 schedule_work include/linux/workqueue.h:723 [inline]
 queue_release_one_tty drivers/tty/tty_io.c:1553 [inline]
 kref_put include/linux/kref.h:65 [inline]
 tty_kref_put+0x144/0x1b8 drivers/tty/tty_io.c:1566
 release_tty+0x3e8/0x4a4 drivers/tty/tty_io.c:1602
 tty_release_struct+0xb4/0xd4 drivers/tty/tty_io.c:1701
 tty_release+0xa0c/0x1208 drivers/tty/tty_io.c:1861
 __fput+0x340/0x75c fs/file_table.c:465
 ____fput+0x20/0x58 fs/file_table.c:493
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x16c/0x1ec arch/arm64/kernel/entry-common.c:151
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xb4/0x17c arch/arm64/kernel/entry-common.c:768
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000ebb6e000
 which belongs to the cache kmalloc-cg-2k of size 2048
The buggy address is located 32 bytes inside of
 freed 2048-byte region [ffff0000ebb6e000, ffff0000ebb6e800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12bb68
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000d4724001
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c000b3c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000000f5000000 ffff0000d4724001
head: 05ffc00000000040 ffff0000c000b3c0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000000f5000000 ffff0000d4724001
head: 05ffc00000000003 fffffdffc3aeda01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ebb6df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000ebb6df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000ebb6e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff0000ebb6e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000ebb6e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
==================================================================
BUG: KASAN: slab-use-after-free in tty_write_room+0x3c/0x8c drivers/tty/tty_ioctl.c:68
Read of size 8 at addr ffff0000ebb6e020 by task aoe_tx0/2392

CPU: 0 UID: 0 PID: 2392 Comm: aoe_tx0 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 tty_write_room+0x3c/0x8c drivers/tty/tty_ioctl.c:68
 handle_tx+0x128/0x5fc drivers/net/caif/caif_serial.c:212
 caif_xmit+0x108/0x150 drivers/net/caif/caif_serial.c:268
 __netdev_start_xmit include/linux/netdevice.h:5204 [inline]
 netdev_start_xmit include/linux/netdevice.h:5213 [inline]
 xmit_one net/core/dev.c:3776 [inline]
 dev_hard_start_xmit+0x2b0/0x8ac net/core/dev.c:3792
 __dev_queue_xmit+0x15a4/0x31f0 net/core/dev.c:4629
 dev_queue_xmit include/linux/netdevice.h:3350 [inline]
 tx+0x9c/0x1cc drivers/block/aoe/aoenet.c:62
 kthread+0x164/0x354 drivers/block/aoe/aoecmd.c:1237
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Allocated by task 12121:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x2a4/0x3fc mm/slub.c:4358
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 alloc_tty_struct+0xb8/0x654 drivers/tty/tty_io.c:3115
 tty_init_dev+0x60/0x3e8 drivers/tty/tty_io.c:1409
 ptmx_open+0x100/0x2d4 drivers/tty/pty.c:824
 chrdev_open+0x1b0/0x4b0 fs/char_dev.c:414
 do_dentry_open+0xb7c/0x1544 fs/open.c:956
 vfs_open+0x44/0x2d4 fs/open.c:1086
 do_open fs/namei.c:3880 [inline]
 path_openat+0x2424/0x2c40 fs/namei.c:4039
 do_filp_open+0x18c/0x36c fs/namei.c:4066
 do_sys_openat2+0x11c/0x1b4 fs/open.c:1429
 do_sys_open fs/open.c:1444 [inline]
 __do_sys_openat fs/open.c:1460 [inline]
 __se_sys_openat fs/open.c:1455 [inline]
 __arm64_sys_openat+0x120/0x158 fs/open.c:1455
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 11:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2380 [inline]
 slab_free mm/slub.c:4642 [inline]
 kfree+0x17c/0x474 mm/slub.c:4841
 free_tty_struct drivers/tty/tty_io.c:174 [inline]
 release_one_tty+0x224/0x240 drivers/tty/tty_io.c:1542
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
 insert_work+0x54/0x2cc kernel/workqueue.c:2183
 __queue_work+0xdd8/0x1230 kernel/workqueue.c:2341
 queue_work_on+0xdc/0x18c kernel/workqueue.c:2392
 queue_work include/linux/workqueue.h:662 [inline]
 schedule_work include/linux/workqueue.h:723 [inline]
 queue_release_one_tty drivers/tty/tty_io.c:1553 [inline]
 kref_put include/linux/kref.h:65 [inline]
 tty_kref_put+0x144/0x1b8 drivers/tty/tty_io.c:1566
 release_tty+0x3e8/0x4a4 drivers/tty/tty_io.c:1602
 tty_release_struct+0xb4/0xd4 drivers/tty/tty_io.c:1701
 tty_release+0xa0c/0x1208 drivers/tty/tty_io.c:1861
 __fput+0x340/0x75c fs/file_table.c:465
 ____fput+0x20/0x58 fs/file_table.c:493
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x16c/0x1ec arch/arm64/kernel/entry-common.c:151
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xb4/0x17c arch/arm64/kernel/entry-common.c:768
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000ebb6e000
 which belongs to the cache kmalloc-cg-2k of size 2048
The buggy address is located 32 bytes inside of
 freed 2048-byte region [ffff0000ebb6e000, ffff0000ebb6e800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12bb68
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000d4724001
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c000b3c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000000f5000000 ffff0000d4724001
head: 05ffc00000000040 ffff0000c000b3c0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000000f5000000 ffff0000d4724001
head: 05ffc00000000003 fffffdffc3aeda01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ebb6df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000ebb6df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000ebb6e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff0000ebb6e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000ebb6e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================