Extracting prog: 7m56.796275061s
Minimizing prog: 23m46.327894943s
Simplifying prog options: 6m29.872584274s
Extracting C: 2m37.173941677s
Simplifying C: 0s


30 programs, 3 VMs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 30 programs
single: executing 5 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): unshare-openat$cgroup_ro-ioctl$FS_IOC_GETFSMAP
detailed listing:
executing program 0:
unshare(0x20000400)
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.controllers\x00', 0x275a, 0x0)
ioctl$FS_IOC_GETFSMAP(r0, 0xc0c0583b, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): setsockopt$packet_int-setsockopt$inet6_MCAST_MSFILTER-epoll_create1-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-connect$pppl2tp-epoll_create1-epoll_pwait-epoll_ctl$EPOLL_CTL_ADD-epoll_ctl$EPOLL_CTL_ADD-socket$l2tp6-bind$l2tp6-connect$l2tp6-bpf$MAP_CREATE_TAIL_CALL-setsockopt$packet_rx_ring-socket$nl_route-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$ieee802154-bpf$PROG_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE-sendmsg$IEEE802154_LLSEC_ADD_DEV-socket-write$binfmt_script
detailed listing:
executing program 0:
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, &(0x7f00000010c0), 0x4)
setsockopt$inet6_MCAST_MSFILTER(0xffffffffffffffff, 0x29, 0x18, 0x0, 0x310)
r0 = epoll_create1(0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, 0x0, 0x0)
r3 = epoll_create1(0x0)
epoll_pwait(r3, &(0x7f0000000040)=[{}], 0x1, 0x29a, 0x0, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r2, &(0x7f0000000100)={0x20000014})
epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r0, &(0x7f0000000000)={0x80000001})
r4 = socket$l2tp6(0xa, 0x2, 0x73)
bind$l2tp6(0xffffffffffffffff, 0x0, 0x0)
connect$l2tp6(r4, &(0x7f0000000000)={0xa, 0x0, 0x0, @remote}, 0x20)
bpf$MAP_CREATE_TAIL_CALL(0x0, 0x0, 0x0)
setsockopt$packet_rx_ring(0xffffffffffffffff, 0x107, 0x5, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r5 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000240), r5)
r7 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000380)=ANY=[@ANYBLOB="1801000000000000000000000000000085000000050000001801000020646c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008008000b703000000009c8c850000006d00000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r7}, 0x10)
bpf$MAP_CREATE(0x300000000000000, &(0x7f0000000100)=@base={0x18, 0x4, 0x41, 0x0, 0x1, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x4002, 0x100001}, 0x48)
sendmsg$IEEE802154_LLSEC_ADD_DEV(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000140)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r6, @ANYRES16], 0x1c}, 0x4, 0x700000000000000}, 0x0)
socket(0x10, 0x803, 0x0)
write$binfmt_script(0xffffffffffffffff, &(0x7f0000000440)={'#! ', './file0', [], 0xa, "6a1c4569c0569ab6a434922455d01a231b3cbe316c1a4ba3230ab965bb484240816c2bc1b11a3adc9eb3e82d1cb12b01b607e69d396133fba338c0d46e8b1d37df2cb06f993cda4b88e14e82ef70"}, 0x59)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_smc-setsockopt$inet_tcp_TCP_CONGESTION-connect$inet
detailed listing:
executing program 0:
r0 = socket$inet_smc(0x2b, 0x1, 0x0)
setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000240)='hybla\x00', 0x6)
connect$inet(r0, &(0x7f0000001200)={0x2, 0x0, @local}, 0x10)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$nbd-bpf$BPF_RAW_TRACEPOINT_OPEN-ioctl$SIOCSIFHWADDR-bpf$BPF_PROG_TEST_RUN-socket$nl_route-socket$netlink-unshare-mmap-unshare-socket$inet6_tcp-setsockopt$IP6T_SO_SET_REPLACE-socket$nl_netfilter-bpf$BPF_MAP_CONST_STR_FREEZE-socketpair$unix-pipe-splice-write$binfmt_misc-socket$kcm-getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS-sendmsg$kcm
detailed listing:
executing program 0:
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000040)={'sit0\x00', @random="4f33e363a4b1"})
bpf$BPF_PROG_TEST_RUN(0x1c, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket$netlink(0x10, 0x3, 0x0)
unshare(0x68060200)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000002, 0x8031, 0xffffffffffffffff, 0x0)
unshare(0x10000900)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000500)=@raw={'raw\x00', 0x3c1, 0x3, 0x378, 0x120, 0x1170, 0x1398, 0x0, 0x1170, 0x2a8, 0x1398, 0x1398, 0x2a8, 0x1398, 0x3, 0x0, {[{{@ipv6={@empty, @mcast1, [], [], 'ip6tnl0\x00', 'veth0_to_hsr\x00', {}, {}, 0x6, 0x0, 0x3}, 0x0, 0xf8, 0x120, 0x0, {}, [@common=@inet=@ecn={{0x28}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@SYNPROXY={0x28}}, {{@uncond, 0x0, 0x160, 0x188, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@srh1={{0x90}, {0x0, 0x0, 0x0, 0x0, 0x0, @private0, @private0, @loopback}}]}, @common=@unspec=@NFQUEUE0={0x28}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x3d8)
socket$nl_netfilter(0x10, 0x3, 0xc)
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f0000000000), 0x4)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000940)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
splice(r2, 0x0, r3, 0x0, 0xf3a, 0x0)
write$binfmt_misc(r3, &(0x7f0000000240)=ANY=[], 0xfdef)
r4 = socket$kcm(0x10, 0x2, 0x10)
getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r3, 0x84, 0x1f, &(0x7f0000000280)={0x0, @in={{0x2, 0x4e23, @private=0xa010102}}, 0x5, 0x4}, &(0x7f0000000180)=0x90)
sendmsg$kcm(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f00000000c0)="1400000022000b0fd25a806c8c6f94f90324fc60", 0x14}], 0x1}, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 15s
testing program (duration=22s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 2, 4, 4, 6, 30, 4, 7, 20, 4, 3, 2, 1, 3, 11, 30, 20, 3, 2, 3, 18, 2, 4, 2, 26, 2, 3, 11, 3, 3]
detailed listing:
executing program 1:
sendmsg$ETHTOOL_MSG_LINKMODES_SET(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="4400000010003b1500"/20, @ANYRES32=0x0, @ANYBLOB="000000000002000024001280090001007866726d0000000014000280040003"], 0x44}}, 0x0)
executing program 4:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x3a, 0x0, &(0x7f0000004e00))
executing program 4:
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000340)={'bridge_slave_0\x00', <r2=>0x0})
sendmsg$nl_route(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000380)=@bridge_dellink={0x34, 0x11, 0x5, 0x0, 0x0, {0x7, 0x0, 0x0, r2}, [@IFLA_AF_SPEC={0x14, 0x1a, 0x0, 0x1, [@AF_INET={0x10, 0x4, 0x0, 0x1, {0xc, 0x2, 0x0, 0x1, [{0x8}]}}]}]}, 0x34}}, 0x0)
executing program 1:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000440)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0xfffffd66, &(0x7f0000000200)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101804bc9555e1affd5020000000900010001797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a300000000009000300737975320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_MSG_GETRULE(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000180)=ANY=[@ANYBLOB="14000000070a0101"], 0x14}}, 0x0)
executing program 4:
r0 = socket(0x1e, 0x4, 0x0)
r1 = socket(0x1e, 0x4, 0x0)
setsockopt$packet_tx_ring(r1, 0x10f, 0x87, &(0x7f0000000040)=@req={0x3fc}, 0x10)
setsockopt$packet_tx_ring(r0, 0x10f, 0x87, &(0x7f0000000440)=@req={0x3fc}, 0x10)
sendmmsg(r0, &(0x7f00000030c0)=[{{0x0, 0xa9cc7003, &(0x7f0000000400)=[{&(0x7f00000000c0)="ee", 0x101d0}], 0x1}}], 0x400000000000181, 0x9200000000000000)
recvmmsg(r1, &(0x7f0000004d80)=[{{0x0, 0x0, &(0x7f00000003c0)=[{&(0x7f0000000480)=""/4096, 0x1000}], 0x1}}], 0x1, 0x7ffeecc2, 0x0)
executing program 1:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000003b810000850000006d00000007"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000140)={{r0, <r1=>0xffffffffffffffff}, &(0x7f0000000000), &(0x7f0000000080)='%ps    \x00'}, 0x20)
bpf$MAP_DELETE_ELEM(0x3, &(0x7f00000002c0)={r1, &(0x7f0000000ac0)="a759c7a87c21f185607e7a8f8d46b2231ea3ee39a30ae085ad47024c872bc729dd1887eecd33dfc012b8fc74ad88ab13f1a8d1046d0e4498d637faa460bb459f7447d10517c54c241c04e87d5c511e797a62ebe98579bf8968b8caed1ed5aa1635c88f015144b5cb055f258d19c5004af0c8c6c67498bb33fb177c153dbb6cf43382f7080493c8f8fd75038652d923451a98469b30346007f1cef60c02871e66f5988323721c4aa0a0be4a34cb0c7f7b9aaf4924d74b0e48ca7f7686c9e4b1268d0085500576b46cba69dfd5349add3bde280545a95feeca59810a4e83eaaa601f5fed68dcd3d4d5b20c6225e616db24d06ce3d5a77662a460f1ed8258a57c8de63e1dbe467914f9ffeacaf50e0ccf106930b37e73c253b01b1eb39a94583bfc7ef2dce861d266df63b503508b50fbeb0c41d8ee086f7ca9282a82858a8f7a5c07033cb8d2190eb2b8e6693dcb07cc3cb016bad6a1b9ca737fad14b51561080a5f4dbdb80e8d082175249f91f371133380fa59880d7c136d5f0d0c833d4e0b19dd6838eae1ae9b72d709926898e2423399f4b9e2a550afd10c3b4a61b53cb796cdc827518148690692701805d09fbe85a4c3127f7ce8143daeb6cbcb2b7776d15c36a3b924ed048a7b6e8183ad349c0c9dec9deb463094e0e8ad415a4c0097aa1a674670da9f7f28ce14c61834a100daf6d7d00444d3f8872a26ed0746caafcf211fa91cb4b75384eb4761149da533d3c1a396395af5ef4ca3a79868b4726e474bcd15ea625fbd586b6e1ec7196a0e9e675c4c3ce23d68b25e61e792e0b6b40ed57dc23c06078dcafa3efc02cb3dbc5496354634df6590763e2600404a600b739577be37f7933f2af2fa3da2fcc88427ae4e8761c3ef12b569787027bdbb9af04b08e926bcec3d26255c82b90ce961fcc1ae6da5f8254771aad2aef223dd82b67a6af9d0a7f274ccd5f4b9a7b3d3b631f8b9b2acca40d1d1be5d5e37da7bb6f34e34c464c431b3199cd443e4902bc1669922fc1751e02100a1f884bf3e1928cf8f95f4a27f0f289155ec3394347046b243610376a43aa770f7c421c99f5307f6727afb42208e749846745ab813c646497f6b448067c3001e0462ce2bf94eccc0d447f49cb00e62aab6837dcd0291ad4d6f5112bf4a512a16d976bda1b1c4ca2dfe54c5280fb7131bbfc086cda8bbda847bb9536ab269aceebce8c055a848caa392b4f38caef45f9061091c0f4c197074a349f632fa4a435a48a595d1fa38c402198a37e9332acf756a6dc8fb78b8a7a63224f6f29638966550a7e20c4987456900fe673fbf07d8ff5714107af9ef1933cd35409b897266f47aeaaace08bbde167eb672c13ad36247f55eef51a8eeae36eea7bdd2e0d89f1327a85780339c459fcfd20cdec6ec52f90a34611ca1804dc2c348779af22fe035cda04de9d0eb06137a6ab284be0e4039e10fcaf1695ed8acba85f9772b35cb224f1140852f8998a37f2224696d6c4d7b8d85e57b5f955b6aad71333bcd45ee4a58f7ddc9cd9a3bc8b5b5c1ec5ec979f82ba08ef142b19ec005cf5909fc083f3d41acc8cd98578bfca424d5082106ed97361efc5efadb1c8c4629ed4d819e410338f971d081bb61bc42b9335991b7a2afc9676dae3b08d72c5f65c71a279cdd2dd652ffa8b22cc77c24f560fdf9240290a44daaad4a05dbdc9e463346a5507d172658545ada0563afab8c6c382ec99c58eeb78ca6968de28c64061735b04c89cbbf6685ac0d42dffa3fd7ce79be1efec470a962646a9498064e3c7705040d5dfdcbb82685fa2437c72cbd191f8c67fbb629864800bc861cffcc2d177dc490dfff973f46a56c1f5126e17ee9bda9df4e67f692f5d1b0f1f032c57c3a75498f6cef74114424958865eaffa113b34af6d644378c8b1239144c7e29b82c6626063a71bd4d692e444aa8113a0012799770a085b29b64db93dfa00b68e9a43dcb2124f2fa0449f6adc69cf0d33bc69e5ce349f786b5c674612f08d10e54787eaabbce7c2587081e720636d680248ed6d13ab79cee5d1fa7648db14235775f1367a512bf7965a252f614a86e9091d3e23b05e0de204268a1744b7a06f9a1be66827223e5fe838886df5b8ffc169bef4b607fc2f4398862fe65b4e9121e36c964b254844f6c52b6abebb0fe9905b57c370cdc0db511db332075145705fd6d58a392f25b75a0d45550bc9a9c9bb63eee515027d7d55d8691ef941b5640ce9e50ca9548f375104e13296df690bf04d25b01629c887723d52de6a5e24b2933773c06e22a2ba4e584755cfd4027c7e9dc3cea74673f1b80883ed38c1df7629634783daf6293ef96f32094652b82202e8c5212aa189db177e07fa98c08304962077693e34b2ea1ef647f940e9df7bd86cf41d74724b4f91cb4794bd011c63ca5d92d8bde1077f949b62ab8fff08956670a7f801a553d48dd76c39c2e12a1ef977edf54807c0818d89212e95cd608bcc02dfa501e2522ed4c6b32c48fb687ee62deb516e83dad98463831142a2c300d077f33c388b5e5289c160000b1c68c9cdf39fc22878af4330e65360d25d8c402926aa5876c2e4b492c2d7aebdd9f2701a1ce749f9ed9f3973ce3339e32731595189c170fe8940d631f72b27dbe06fcdefc7cd85f0fc099542f4a5a280addaa77e74c96c96ddee1552a2d8532e21940f4f40159017b5466d75bc72dabf2de43d8e17ff2221dfdca89828cc4d185555d489d68029ba2170811c3bb041532f1f32feb75bac089ba90652d7a76b9a85a1b2176b23668dd8295714686e2be967822013cb753c5fc7f962a94ad91bd97a0fbf13f0c484aa23f47374c266c7063ca02752a5d1c3c38ca748fce9f06741965a7161138aba40ceca247755589a5cac68c0813f0b487509fd99bf666e096a2dc6f658466939b689a745e8e3f69f6155a341d2eb21b3727686914767607ab599fdebda351d128fa901449cdb5b459476d9b3e9c9019d41e60cd2c209ee198521b8534cbe101ca646de379b6d51e9d2ebc9f029378b3e53c1c76aa30626acf3c62e3a8e540ef29bbc8548129807e42cc7fb4f633e353a929532ac45decb7c1c7491e1177324a886b1073dad796b531c71515621bf86a64372a8e2ce7f1a1a9f77d1b26a6277c9deab55e75eaa3d774f9d02105feb39daacf1d9d16fa855a6fdb8ddbb835b5f503288f6f2c1db542f7e919c1297e921ef2633ff1be17ccd0f8799413647ca0f1ff87676b63f44e33151111232de65210f3c9c0e6bffbeea059b6910231e2407c9397c8982351201ee0862b32d67004e7adf0a5e351d451dc9708b64acc9b0d079cb4308141a689606381615c9eea9ea1ef4e1c7e61b5ff7a4410ce5cfd1c51a60212cbf9136551b30cc482298db3ffa5897f4a968090b6d6d064ba597f3b8f9a3b6f30508410677090a8016475128ac75c58071280afa36b5ce1f48055c4a882f1831cea66a8908be935dcdf36ae8f41321c7874924d89147438c4f411def3587925d17fbd764219ac87a2f402733df0e97bcc0a89a270d5b98d39c5160657b518fe36f4f9dd28314d4d1f66bd3827d71300f218f1b9e186c74d47625e92812dc1096c51b47a1ce102ea6dc4feda37617bb917cd99de6b07dc6f2d3299e01cbaed755f322d46deac36d2d8933fe9360678122df22dd1e3deb580821d72e3b84e89ec37dd2f7841c23f610b2b742ab74a406629bf4fe1adfd79c928786dd79543aedbf064f3b63ea4450a9cd76feed0d9f6a1ec66ef7945e755e834e8aef3479a0d24f3a924c0faadeb2a99d8873257c7c1a3d945c6fb1712ca3086be08c6e3b2c2ec6c50df3663fdb3c97c321de6de7da15250480b048929dd05bb11ab18af59a6a000f22b676c274230d7c7888992d895959b7baf20e111560e6a4ad9426366acb2cf4d330921b2a2394230f8f95901de6b28fa52e594eaf8966c30deef82af422473cdf0876f134edd62a97d57fce665eb979838a51cc6d97f05946a2656d44c30188cb73cb5df01ac9132314c7ec78a0b13752db3a04d88c3ae91c8f5df392e08815a10e213dac7cf41ac9c0402aab2c8ddf5f4fb48393cd4756fa8151bb7d1a7d28cb49e14c20e8aec565fc0e7880c6fc2af60e256985ad60dceb9b06a6370bf3a0fb81097256e811b0b58b2daf48ab307457d759c91b5a27465739539f37bf1241bec4f5c7b932b8d25a8a768d200df6ace05dfb0a80e8226794e6e8ce08f6d4c64ad5cb796ee602e48c5aabe39d8f0368183e13e3c8bfd8957021724cd48c5e6208c169172ba5773df5c640abfbeb3c550fdd7757d9396b998f4a17b4b84fa568fa2e3707e1fd575a3de6d31b5ccbb98061b799be34b13d1748771b0750b366a550e7abfc84d7b740807a8164050183aa12f27126f6d3a71a838880197c6c0000c5355e4ed9aa72a6bc9f0ccf23a21217313f269da270f31a03f1d31c3b41e19917010dd4a23a998744adf769771e8746c6b20a5f0323cbd85377b7bd5fe6ba1eff63f8f8d6b33694cb8f0b6e3769eb168e09bee4da6f19f8dee110163e0c29037bdbe38dcf3c1cee98f2bdf7a59a4b174fc994dd644bca4fafd3eea16aef1445d844483f5b2aa5995681e4883827bd43cdef3440d7f2248dd3b0c45cb5dcc995a417d8f296725d5108959dfe570210bad1ba3285ba240167ba64017cdab2b04a58761d5284710c8d67fd31e1d9ed54361932c0c4e83dae620bc8dc7d755ccaec46e87a1de1323da5afd1a49450ba6b21976f08c15d7b7c64e4b6a0fc3f320666daa51dab4a9b06b6aa1928adf03efbb52f2e83fdd8307d8085a4ca00f16adef11fb8305b8b88ab8aff83b0397ae4bb651378cd6b6ca293d039ba1b4c3c789752ca82100a69dc46eeed1b64305e011e1cfa2968c175119c432419729e5ecf8f9c14af375b61de79d3b91f0bcb42bbeb8853306f874b0693176ffabe2b0212c316612115c5c60301303bbe5c6f78670a1a440dbdddeccbf791346d382b842bd8b8c4c7619b38e9a2da1901600d07f651217d0dd0f44cbdb8a48a6c34d5bd7953df7fc781ebc872f66be220f1318ac15f90a843809e3aa6d8a16450bb4ae8aea39f1be4bc3faaeb223abcb7ac7a0c88c4e31a5acc42ddb9d7bdd7221e7920bf2c63e300762466d4a9722b2552ace76b871634520ce6e4b6249600b1dde0fd95a7e5e3663665fb2f9aab7768b016ccbafb40a8b976651cb8afe4020a9b10ece19a1c5ccf65524323e3145abb2e205db012ba554bb916ee10e6ca777d34d09c6e01d3424878427be7b858e230e8963070d6c0db3b4ce9dc54f88dc59c3b370d34550289610511b1d48de7b567642549996989d86b8028e981eb64a7f36bac462275f97e4cf684912360c3103fdb6f957f4256b273bc3bfa42d281bb29279e193109dd0d608ba030699c51a74853da700890a39914a4e62792b2a64fc0d26c109f1737e4e082ebc8e0302f2358d8f372a5e2718e40358431df7905eb71146246c62e68fae34d52b52b0ad0437510758b4169fe2e25963048783c63e63c923d5f97b5df8c41a48157e1339c8332a3a7ce41dbc128b43b1e93a981966453d635739797322922c757975a5e4fc5a6aeebdb5803317b5590c2cdbf88c7cb0bb75d525416fd5f62e6f3a1e4d780e3a01b251f98233101c6364082f9784dfdbc31ea011f61e6790b96c87287efe8118"}, 0x20)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
syz_init_net_socket$bt_l2cap(0x1f, 0x0, 0x0)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$ieee802154(&(0x7f00000002c0), r3)
sendmsg$IEEE802154_LLSEC_LIST_DEV(r3, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000300)={0x14, r4, 0x701}, 0x14}}, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r6, 0x8933, &(0x7f0000000740)={'wlan1\x00', <r8=>0x0})
r9 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$NL80211_CMD_REGISTER_FRAME(r9, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000380)={0x24, r7, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_FRAME_MATCH={0x5, 0x5b, "16"}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_REGISTER_FRAME(r6, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000780)={0x24, r7, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_FRAME_MATCH={0x5, 0x5b, "f3"}]}, 0x24}}, 0x0)
r10 = syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000002c0)={'wlan0\x00', <r11=>0x0})
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000240)={<r12=>0xffffffffffffffff})
recvmsg(r12, &(0x7f0000000b00)={0x0, 0x0, &(0x7f0000000180)=[{&(0x7f0000000000)=""/60, 0x3c}], 0x1}, 0x40fd)
sendmsg$NL80211_CMD_FRAME(r5, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000640)={&(0x7f0000000500)={0x48, r10, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r11}, @void}}, [@NL80211_ATTR_FRAME={0x2a, 0x33, @action={{{}, {}, @broadcast}, @ext_ch_sw={0x4, 0x4, {{}, @val={0x76, 0x6}}}}}]}, 0x48}}, 0x0)
r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000180), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r14=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r2, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r13, @ANYBLOB="050000130000000000000600000008000300", @ANYRES32=r14, @ANYBLOB="0800050009"], 0x24}}, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
syz_80211_join_ibss(&(0x7f0000000140)='wlan1\x00', 0x0, 0x0, 0x0)
r15 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000240)='cpuacct.usage_percpu\x00', 0x275a, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x10, r15, 0xfffffffffffff000)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000880)={&(0x7f0000000a80)='kfree\x00', r0}, 0x10)
r16 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r16, &(0x7f00000000c0)={0x0, 0xec, &(0x7f0000000100)={&(0x7f0000000540)=ANY=[@ANYBLOB="14000000100001000b000000000000000000000a20000000000a03000000000000000000010000000900010073797a300000000044000000090a010400000000000000000100000008000a40000000000900020073797a32000000000900010073797a3000000000080005400000001f08000340000000045c0000000c0a01020000000000000000010000000900020073797a32000000000900010073797a3000000000300003802c00008028000180230001"], 0xe8}}, 0x0)
executing program 1:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f00000001c0), r1)
sendmsg$NLBL_UNLABEL_C_STATICREMOVEDEF(r0, &(0x7f0000000080)={0x0, 0xe, &(0x7f0000000040)={&(0x7f0000000200)={0x78, r2, 0x5, 0x0, 0x0, {0x4, 0x74, 0x600}, [@NLBL_UNLABEL_A_SECCTX={0x2c, 0x7, 'system_u:object_r:udev_helper_exec_t:s0\x00'}, @NLBL_UNLABEL_A_IPV4MASK={0x8, 0x4}, @NLBL_UNLABEL_A_IPV4ADDR={0x8, 0x2}, @NLBL_UNLABEL_A_IFACE={0x14, 0x6, 'bond0\x00'}, @NLBL_UNLABEL_A_IPV6MASK={0x8, 0x3, @mcast2={0xff, 0x7, '\x00', 0xa}}]}, 0x78}, 0x1, 0xffffffff00000003}, 0x0)
executing program 1:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x0, 0x0)
bind$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @any, 0x0, 0x2}, 0xe)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
socket(0x0, 0x0, 0x0)
ioctl$BTRFS_IOC_SNAP_DESTROY_V2(0xffffffffffffffff, 0x5000943f, &(0x7f0000002400)={{}, 0x0, 0x0, @inherit={0x70, &(0x7f0000000180)={0x0, 0x5, 0x0, 0x0, {}, [0x0, 0x0, 0x0, 0x0, 0x200000008000004]}}, @subvolid})
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)=ANY=[@ANYBLOB="2c0000003b0007010000000000000000027c00000400000014000180060006008847000008001c"], 0x2c}}, 0x0)
executing program 1:
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={0x0}, 0x10)
ioctl$SIOCSIFHWADDR(r0, 0x8914, &(0x7f0000000040)={'sit0\x00', @random="4f33e363a4b1"})
bpf$BPF_PROG_TEST_RUN(0x1c, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket$netlink(0x10, 0x3, 0x0)
unshare(0x68060200)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000002, 0x8031, 0xffffffffffffffff, 0x0)
unshare(0x10000900)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000500)=@raw={'raw\x00', 0x3c1, 0x3, 0x378, 0x120, 0x1170, 0x1398, 0x0, 0x1170, 0x2a8, 0x1398, 0x1398, 0x2a8, 0x1398, 0x3, 0x0, {[{{@ipv6={@empty, @mcast1, [], [], 'ip6tnl0\x00', 'veth0_to_hsr\x00', {}, {}, 0x6, 0x0, 0x3}, 0x0, 0xf8, 0x120, 0x0, {}, [@common=@inet=@ecn={{0x28}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@SYNPROXY={0x28}}, {{@uncond, 0x0, 0x160, 0x188, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@srh1={{0x90}, {0x0, 0x0, 0x0, 0x0, 0x0, @private0, @private0, @loopback}}]}, @common=@unspec=@NFQUEUE0={0x28}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x3d8)
socket$nl_netfilter(0x10, 0x3, 0xc)
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f0000000000), 0x4)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000940)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
splice(r2, 0x0, r3, 0x0, 0xf3a, 0x0)
write$binfmt_misc(r3, &(0x7f0000000240)=ANY=[], 0xfdef)
r4 = socket$kcm(0x10, 0x2, 0x10)
getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r3, 0x84, 0x1f, &(0x7f0000000280)={0x0, @in={{0x2, 0x4e23, @private=0xa010102}}, 0x5, 0x4}, &(0x7f0000000180)=0x90)
sendmsg$kcm(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f00000000c0)="1400000022000b0fd25a806c8c6f94f90324fc60", 0x14}], 0x1}, 0x0)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f0000000100)={'batadv_slave_0\x00', <r2=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000500)=@newlink={0x24, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, r2}, [@IFLA_VF_PORTS={0x4}]}, 0x24}}, 0x0)
executing program 0:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000740)={0x26, 'hash\x00', 0x0, 0x0, 'crc32\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000140)="2c385aa3", 0x4)
executing program 4:
r0 = socket$nl_crypto(0x10, 0x3, 0x15)
sendmsg$nl_crypto(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000280)=ANY=[@ANYBLOB="f8000000130001002abd7000fedbdf2563626328626c6f776669736829"], 0xf8}}, 0x0)
executing program 2:
bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000100)=ANY=[@ANYBLOB="9feb010018000000000000004000000040000000020000000000000000000003000000000300000002000000ff7f0000000000000000000105000000200000000000000000000003000000000200000002"], 0x0, 0x5a}, 0x20)
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000940)={0x0, 0x0, &(0x7f0000000180)=[{&(0x7f0000000000)="d8000000180081064e81f782db44b904021d080006007c09e8fe55a10a0015400100142603600e12080006", 0x2b}], 0x1}, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)=ANY=[@ANYBLOB="2c000000190001000000000000000000021800000000fd000000ed0008000100ac1414000800080004"], 0x2c}}, 0x0)
executing program 4:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)
executing program 2:
ioctl$sock_ipv4_tunnel_SIOCCHGTUNNEL(0xffffffffffffffff, 0x89f3, &(0x7f0000000000)={'ip_vti0\x00', &(0x7f0000000a80)={'gretap0\x00', 0x0, 0x80, 0x0, 0x8b, 0x7f, {{0x4a, 0x4, 0x3, 0x5, 0x128, 0x66, 0x0, 0x2, 0x2f, 0x0, @multicast2, @private=0xa010100, {[@cipso={0x86, 0x59, 0x0, [{0x6, 0x3, 'u'}, {0x0, 0x12, "a902036a4e8b6da83366904a92c5b68d"}, {0x2, 0xd, "da47def6e68ca1a92a4be5"}, {0x2, 0xc, "027cf6a585bd22c3fca3"}, {0x6, 0xa, "639a058dbcac78bf"}, {0x2, 0x12, "30211c710a23dffa9827733857bc85b9"}, {0x0, 0x9, "44e24450741010"}]}, @ssrr={0x89, 0x17, 0x0, [@empty, @broadcast, @initdev={0xac, 0x1e, 0x1, 0x0}, @loopback, @loopback]}, @lsrr={0x83, 0x3, 0x97}, @cipso={0x86, 0x31, 0xfffffffffffffffd, [{0x0, 0x11, "9ed2dad0a46416cb2c23f720507a5a"}, {0x5, 0x9, "de59372f049cc4"}, {0x0, 0x11, "67c5ec33214d76f629b5588d7d124c"}]}, @timestamp_prespec={0x44, 0x44, 0x92, 0x3, 0xe, [{@broadcast, 0x4}, {@multicast2}, {@broadcast, 0x3}, {@local, 0x1}, {@rand_addr=0x64010102, 0x1}, {@rand_addr=0x64010100, 0x4}, {@broadcast, 0x80}, {@initdev={0xac, 0x1e, 0x1, 0x0}, 0x80}]}, @timestamp={0x44, 0x2c, 0x89, 0x0, 0x7, [0x0, 0x9, 0x0, 0x1, 0x9, 0x7ff, 0x0, 0xfffffffe, 0x0, 0x8000]}]}}}}})
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x7a44, 0x1700)
r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000080)={0x11, 0x8, &(0x7f0000000e40)=ANY=[@ANYBLOB="620af8ff0c200021bfa100000000000007010000f8ffffffb702000003000000bd120000000000008500000006000000b70000000000000095000000000000003faf4f1e7f2aa3d9b18ed81c0c869b51ec6c0af4e0e4a9446c7670568982b4e020f698393aa0f3881f9c24aa56f15199fad0093c59d66b5ece9f36c70d0f13905ea23c22624c9f87f9793f50bb546040677b0c5077da80fb982c1e9400e693146cea484a415b76966118b64f751a0f241b072e90080008002d75593a286cecc93e64c227c95aa0b784625704f07a72c234664c0af9360a1f7a5e6b607130c89f18c0c1089d8b853289e01aa27ae8b09e00e79ab20b0b8e1148f49faf2ad0000000000000006fa03c6468972089b302d7bf6023cdcedb5e0125ebbc08dee510cb2364149215108333719acd97cfa107d40224edc5465a932b77e74e802a0d42bc6099ad2300000080006ef6c1ff0900000000000010c63a949e8b7955394ffa82b8e942c89112f4ab87b1bfeda7be586602d985430cea0162ab3fcf4591c926abfb0767192302000000b0eea24492a660583eecb42cbcd3de3a83209da17a0faf60fd6ad9b97aa5fa68480366c9c6fd6fa5043aa3926b81e3b59c95c25a573dc2ed0300000000000000af99431412fd134a996382a1a04d5bb924cfe5f3185418d605ffff9c4d2ec7c32f2095e63c80aff9fa740b5b7632f32030916f89c6dad7603f2ba2a790d62d6faec2fed44da4928b30142ba11de6c5d50b83bae613402216b5054d1e7c13b1355d6f4a8245ffa4997da9c77af4c0eb97fca585ec6bf58351d564beb6d952aab9c70764b0a8a7583c90b3433b809bdb9fbd48bc873495cbff8a326eea31ae4e0f7505ebf6c9d13330ca005ace1a84521f14008c9b476fccbd6c712016219848624b87cec2dbe98223a0eb4fa39f6b5c02e6d6d90756ff57902a8f57000000009700cf0b4b8bc2294133000000000000000000030000000000000000000000000010008bc0d9559711e6e8861c46495ba585a4b2d02edc3e28dd271c896249ed85b980680b00002b435ac15fc0288d9b2a169cdcacc413038dafb7a2c8cb482bac0ac502d9ba96ffffff7f0000100000006da21b40216e14ba2d6ad5656bfff17addaedab25b30002abbba7fa725f38400be7c1f001b2cd317902f19e385be9e48dccff729433282830689da6b53b263339863297771429d120000003341bf4abacac95900fca0493cf29b33dcc9ffffffffffffffd39fec2271ff01589646efd1cf870cd7bb2366fde41f94290c2a5ff870ce41fd3467decb05cfd9fcb32c8ed1dbd9d10a64c1083d5e71b5565b1768ee58969c41595229df17bcad70fb4021428ce970275d13b78100788f11f76161d46ea3ab60fa4d30dc94ef241875f3b4ce0232fcea69c271d7fa29822aea68a660e717a04becff0f719197724f4fce1093b62d7e8c7123d8ec571be54c72d978cf906df0042e36acd37d7f9e119f2c06f815312e0cfe222a06f56dd022c074eb8a322fb0bf47c0a8d154b405c37feaf3dd95f6ef2ae582786105c7df8be5877050c91301bb997316dbf17866fb84d4173731efe895ff2e1c5560926e90109b598502d3e959efc71f665c4d75cf2458e3546c1c776da64fb5abee0acfd235f2f4632c9062ece84c99a061887a20639b41c8c12ee86c50804042b3fb5aac518a75f9e7d7101d5e186c489b3a06fb99e0aa7f23a054de2f4d92d6bd72ee2c9fdc75aaaf1e3e483b4ad05573af40326993947d9a631bcbf3583784acbda216550d7aec6b79e30cbd128f54c2d3335457acf37331766e472391e358c3b377327ac9ecc34f24c9ae153ec60ac0694dc55bff9f5f45f90400000000000000d6b2c5ea1393fdf24285bf16b99c9cc0ad1857216f1a985f369191ae954febb3df464bfe0f7f3ee9afe7befb89d2777399eb3729cffe86e66964ae09bb6d163118e4cbe024fd4500f8ff0700000000cc9d8046c216c1f895778cb25122a2a9f9b444aeadea2a40da8daccf080842a486721737390cbf3a74cb2003016f1514216bdf57d2a40d40b51ab63e96ec8485b3b8a8c9ae3d14f93100c2e0893862eef552fcde2981f48c482bde8a168c3f5db2fea6f26e4a4304e50c349f4f9ecee27defc93871c5f99b355b72d538ba4978ea8e4aa37014191e10096e7e60fc3541a2c905a1a95e9571bf38ae1981c4238ecaee6f75cd0a6881bd1517a8250ddc8674152f94e3a409e2a3bce109b60000000000000000d6d5210d7503000000a87a27602b81f76386f1535bef1497f92186086e29c6bc5a1fad6ec9a31137abf9a404abde7750898b1bd627e873f8703be8672d70d1ab57075228a9f46ed9bd1f08fb8191bbab2dc51de3a61f0868afc4294859323e6c257a45319f18101288d139bd3da20fed05a8fe64680b0a3fc22dd70400000000946912d6c98cd1a9fbe1e7d58c08acaf30235b918a31d2eca55f74a23641f61f2d5b308cf0d031b0c7f0ced69993e9960ff5f76015e6009556237badf4e7965bbe2777e808fcba821aa8e8c5c39609ff854352cb4900000000000000000000000000c1fee30a3f7a85d1b29e58c77685efc0ceb1c8e5729c66418d169fc03aa188546b3ad2a182068e1e3a0e2505bc7f41019645466a53f1c96e0d4b3bc19faa5449209b083dbd334b47f067bbab40743b2a42010082008df75cf43f8ecc8d3726602111b40e761fd21081920382f14d12ca3c3431ee97471c7868dcda7eaa69eb7f7f80572fdd11bb1d0d1280fbc22bf73468788df51710d7d31c632fc5ed1762eb0b428ee751c47d8e894f745a868404a0bf35f0121008b722b1eaa6aedfa1bf2e7ccb2d61d5d7226bbd9ccd628ab84875f2c50ba891cea592b0430a537a395dc73bda367bf12cb7d81691a5fe8c47be395656a297e9df0e71f96756ea5cce7daac4be290159f6bcd75f0dda9de5532e71ae9e48b0ed0254a83100000000f6fbb869604d51a36a54c832e45b2569dc0d90b075225fde44c4e0973171ad47d6b0fdf9743af932cd6db49a47613808bad959710300000000000000832d0a45fa4242e24c7e800003c9e8095e02985f28e678f66422436f949e2ab8f162d7e3f855e378f4a1f40b0c6fb2d4b205a800b6d713acebc5b014e61a543a5a194f9ac18d76b5440e3b1a569e7397f6cafa86966d7ba19e720413267a6ccea9c439671d2c680f2753ca184eeeb843450368acb4383a01d25eb3d1e23e0f2645d1cdfa9fa410632f95a5f622f851c66ee7e30393cd7a4d67ff2a49c4f93c0984b5c2d4523497e4d64f95f08493564a1df87111c9bf3194fef97dcecc467ace45feeb685c5870d05f88a0f463db88d377442e1349acaf766218b54a9d624778e1c4e064c98e494198276eb2df7766411bef0ebb5000000000006065d635b0b7a00ee767221d8af9753387e0cd8d718f54a29df6eba3bd4c440e6e2172e3fcc01b8babb757b5c59217b80d0db3ba582814a604e4ef7a803e9ca7c85b35c9b93a9e0885e238b44ae1c2e64cce3b27083b8246829e64056000302bffff15405bd5f2eba20000000000000000000000000000000000009a9823fd8fbc5aa165099c5ed032b48ea12d8e0588dc52702e4084913a06d468d0928bad76d697e1f85ab030e788d38788ee5b5428d4a971cc97db9fd231088e570735ce129e7e77fc2777692664a1488fd8d6dff4dad618fd54f529d4555c6507009ee69dd1bc55258789b24052137e9637f3efbab71720f88cf573fe0e5239c000be2733c49546f6e8a9175ec6f14dbf72cac91643b2fd99c29eca28a3c2e60d5e5b8795fae16a7c3ea57e728eca35eaf0155a39f97580e079175426c088a0208040982a0000000000000000000000000051ceaaf0159fe61f2eade7603d0a7a56fb09cd119ac06adb6597155ae47846892bb423c024d8cbe9240b71ec6dc2124d3a19e2d714b273d95d1d3aa737cb04a33615ff2a730e51067d5d675d7122361c37c61a43b5afd865b60d4cae891b73220f17d25985a7f76834995e53a93a1c7b9eef267df691ca983a0b15bda7f6c5c1ca7aa50261a3089a1ebf0734c9b07e8951ff023263ad5aed8cfb49b49e128c697724c057d22c5df5aef27ce3db11d5ad5527d149d076e1a87e2df27c0cb8a67ad026bf953e88f10447e125c2c0f1aebee1f3390a9e3ddad4e2a6e0f6e4569fdefa19e870e04acf9493b963f98e23cfc665e4f465fa3f801e1957c399e45f61d3459b1c606204368bb931345af2823c487d2fd99db6ea6e008e7ffa06ca861551189d155bd077a79fe2c7e961352e56824f727d21d41eae78bfec4a2d7a7edbc8ef958c5ea599f7c25bf71c2340558aa12fdd24a88aaad5921aee7dae6a2f3009d9cb43ab4898d0f0aa565431b6abe585d75db04d1c9ba0b9de4ae8b0d3132bc6810cc9a693979f55174a72e1df9fdef35bc470f9e6e591982757f45c52c645d891bf63bb21fb66926ebe1a8525611fc3e8bb8795c36dc2a86b5ab46ff33cc74f61751b2dae92676db85c8d0c721b7ea4544bf51c95c86fcac1f434d09d1ee4928aafe23de66fed972e0dddfb33f64e48701b049239e7f552d816441d11c4c2647c014462344359198d97c4b6e9ed31ca18987b64de079b2bed641e8a92f13ca70844c65cb423d01950b0ebf44bd28e09c05d9ae5dd689fb880fb18d042219f5ac60c3a03b085abf3e8e3efc842a8d328733461f04c99607061c65ed14c61322a5ac2d371a95b8ad867857ed13a4fa4ae033a09673866cd77f4bcdaaa05207166b19a8758d8855400d8c6a7242dc207251e8797eca24ea4f487663e60f2f5e1f1424958fd148f846830e88a42d9a0e06da200481cde8bf475bc3e1fe9c0b4a4a268921738938aa9f3cb3811ac87c54c8ebc8bcfb4613cc3a997ff1579edbd4ade8020e3ad001b072b1a751b588ac4639f35a58e00a50c0270608c7a7f10132b1c25b9ea81232fbef665f6212f875b2a00"/3576], &(0x7f0000000380)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x8, 0x10, &(0x7f0000000000), 0x10}, 0x2e)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000540)='rcu_utilization\x00', r2}, 0x10)
bpf$BPF_LINK_UPDATE(0x1d, &(0x7f0000000040), 0x10)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
write$binfmt_script(r4, &(0x7f0000000100), 0xfecc)
sendfile(r3, r1, 0x0, 0x10000)
ioctl$FS_IOC_SETFLAGS(r1, 0x40086602, &(0x7f0000000000))
r5 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r5, &(0x7f0000000240)={&(0x7f00000003c0)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000200)={&(0x7f0000000580)=ANY=[@ANYRES16=r3, @ANYRES8=r0], 0xd8}, 0x1, 0x0, 0x0, 0x44890}, 0x2000c000)
setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f0000001b80)=@filter={'filter\x00', 0xe, 0x4, 0x388, 0xffffffff, 0x0, 0x1c8, 0x2f0, 0xffffffff, 0xffffffff, 0x3e8, 0x3e8, 0x3e8, 0xffffffff, 0x4, 0x0, {[{{@uncond, 0x0, 0xa8, 0xf0}, @common=@unspec=@IDLETIMER={0x48, 'IDLETIMER\x00', 0x0, {0x0, 'syz0\x00'}}}, {{@ipv6={@local, @private2, [], [], 'team_slave_0\x00', 'vlan0\x00'}, 0x0, 0xa8, 0xd0}, @common=@inet=@SYNPROXY={0x28}}, {{@uncond, 0x0, 0xd0, 0xf8, 0x0, {}, [@common=@eui64={{0x28}}]}, @common=@unspec=@STANDARD={0x28, '\x00', 0x0, 0xfffffffffffffffb}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x3e8)
ioctl$F2FS_IOC_MOVE_RANGE(r0, 0xc020f509, &(0x7f0000000040)={r0, 0x100000001, 0x3, 0x5})
r6 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r6, 0x10e, 0xc, &(0x7f0000000180)={0xffffff}, 0x10)
write(r6, &(0x7f0000000000)="240000001a005f0414f9f407000904000200000001000000000000000800040001000000", 0x24)
writev(r6, &(0x7f0000000d00)=[{&(0x7f0000000440)="57fde3ca7f9a92302ccc21e716ca36f5640a8c10f7b9e8356196f0d9332918dc6081b846a4d668f8cd86fbe22e556f7b8feb9741fed76e5054e0574954cdf1cd51f9d6a4feaed2e220937effb72fcc19af8792644ab6", 0x56}, {&(0x7f0000000700)="60fbea0deebfe89fd34476e54071ef5f5567f0d770d864e862c9a8a60d7109d4611be15a88180bea4c1eb315d795014859b422bff48798e59e3ea4cd2da6278bf8bb1cf5664ccf7e74c3f228811b6ef427b209a0f34b403020e410825dfad147012441e35b9ba2511ea2d76875d07f97bef6c69025f1c8493703d2f1d492c13ce09787f2203341edc2cc7e3287fe6a2b3109fb8f275772f54877c3ff59068704ffb2c949ccccbaf1c047569bb65c54876491200af4154586fce4d9b8d9e55853603ba82baeef46a8465dfeabdd2391550ee8", 0xd2}, {&(0x7f00000004c0)="f2a7505dbd756b060141cfc90f52aceb73c4c4ad0315d06ff576df6f645ba70be34e9065809181dd5295e5e32b1d58875e40bd93d57169d9bfb3044d5eff1604bae1ebd5f767da43c00cec8133ed1c2a7675a32083f526f60983", 0x5a}, {&(0x7f0000000800)="a2d9729557860bce77eab4c40b245f2e32ab4364558542114226fdfc95f986ebbf25b2402b44e877dae599f411b5dd113711d523ac1c4cc245431ab0fd08a7dccdd6006079f0a58a9c514a674fe4275085bed7ec0bdd21dcf655102959ab044524e694e8d9ca00a6d536f5adc2607ab4148b4b2693f577c47df1dd3fc907f3281dfa39bd7e4f58599fd0ad07a717e89e275d975b6eb5dc3974416f484b0afc75dfe15f95400ae6ffabc69f0c79ba216d42a6fcef2790613b4c7330002c130e7e6207cb42e88e7cc24a49a4cd2a520f2149f42791292fe11a62a41c9b3e423b8d92e76461428ca606613a6281", 0xec}, {&(0x7f0000000900)="5e641e9a68d7a3b71c0d68343266063861ce18ddb4dabdd86fad6a1292fc8ba7284d9ec48083166faaa2bb609a047c13be849a9b1ad52de92a730ccea40a06035a4cdb060cc8", 0x46}, {&(0x7f0000000c00)="c3f998aecca6b7256beb34941833b4326083e7e7dea42f33d488f2f5c6c6c024ff5f4473e86a531c7837c878df571d52fddb659386547c4c4648287744746d51c4780e5e2392e012720b52dc4b84bdc0fb81c3cf135bc93008b4822cddb191461c6b4ee08fa58213cf30582783c628d182ec056ea15291007591aba9620cc5d7c0f31c3ac3d60ea9d2d4c707e33dd6e837314de8da116c62df9daff7f1d7d52508a8484faa4de3642f320d71081bd632781f1a87a23f840b57a23a104db5506ab3655032f1c20c26cdc9794173baf248828efa", 0xd3}], 0x6)
pipe(&(0x7f0000000380)={0xffffffffffffffff, <r7=>0xffffffffffffffff})
r8 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r8, 0x6, 0x10000000013, &(0x7f0000000180)=0x1, 0x4)
shutdown(r8, 0x0)
setsockopt$inet_tcp_int(r8, 0x6, 0x14, &(0x7f00000000c0)=0x100000001, 0x4)
connect$inet(r8, &(0x7f0000000240)={0x2, 0x0, @dev}, 0x10)
r9 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r9, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000280)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x3, 0x0, 0x0, {0x7}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWSET={0x4c, 0x9, 0xa, 0x401, 0x0, 0x0, {0x7}, [@NFTA_SET_ID={0x8}, @NFTA_SET_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x21}, @NFTA_SET_EXPR={0x10, 0x11, 0x0, 0x1, @counter={{0xc}, @void}}]}, @NFT_MSG_NEWSETELEM={0x38, 0xc, 0xa, 0x101, 0x0, 0x0, {0x7}, [@NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_ELEM_LIST_ELEMENTS={0xc, 0x3, 0x0, 0x1, [{0x8, 0x0, 0x0, 0x1, [@NFTA_SET_ELEM_KEY={0x4}]}]}]}], {0x14, 0x10, 0x1, 0x0, 0x0, {0x0, 0x84}}}, 0xcc}}, 0x0)
sendto$inet(r8, &(0x7f0000000200)="e1", 0xfea8, 0x0, 0x0, 0x0)
splice(r8, 0x0, r7, 0x0, 0x19, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000400)={'netpci0\x00'})
executing program 0:
setsockopt$inet_tcp_TLS_TX(0xffffffffffffffff, 0x6, 0x1, &(0x7f00000003c0)=@gcm_128={{}, "3b29d9648e80e905", "86a21e3e39368b237f0e3864667d0bd8", "1b598634", "6eaef0fc24de6e61"}, 0x28)
socket$nl_generic(0x10, 0x3, 0x10)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
socket$inet6_tcp(0xa, 0x1, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
socket$tipc(0x1e, 0x2, 0x0)
socketpair(0x0, 0x0, 0x0, &(0x7f0000000000))
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
ioctl$int_in(r2, 0x5452, &(0x7f0000000040)=0x48000)
splice(r0, 0x0, r3, 0x0, 0x7, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r3, 0x400c6615, &(0x7f00000000c0)={0x0, @adiantum, 0x0, @desc2})
close(r2)
ioctl$int_in(r3, 0x541b, 0x0)
writev(r1, &(0x7f0000000100)=[{&(0x7f0000000140)='Y', 0x1}, {&(0x7f00000002c0)="68f541365c6e24f4b7d5c9aa2f9b2c4c52595b25d20630fd08f13268f411acb0c11d69ec1130bed0dd819226c2af8da6dbb3f755b9069c1e0c2cb4a0b2ad06ca0b253b8a72e00ef9944bc9580d631ea0189b570ce789ad89024b28ce02b77a283928600689df24d1ba7c9416b5fa2de38be3e22f5f5fbcd16d452622373bcc9990af422c2e6de6b1feefd1013a54b25b54818eed58480eb329add61bb10f5fa995ddc6d7f6dad5a2c3cbf08bb6ef83184b333e671556508fab9215c5cdf70523505f4d8fe481c95ae9474f0b56410c8b1d119adeaee914773690addd9bdb059fa8c7075b40715349e11c7fcd0830000000", 0xf1}, {&(0x7f00000003c0)="ff94c27bc1f1b6d3354c224bba1b7d981623361e264febad94e6dd45ab3802e4cd2fa54fbd6fa9c29f441969875b5b6dff52d252d3749b3a8645929eb47f0e8b4e8427eaadd73307a786aa36c167052f7d39fd70d3a3660a05502026f48ddc6b4a5e17bb9b2a2783052fbf9347b36d4b6410dfb7a44e3665d1fc020a91ff66b757178cafcd14b8a6a1fa9ece56c6d81b3948a31ab92262270638dec275f6da9689450b588511019848665657f6140bb0cffd61cdb296460e0500000000000000b1d0b1", 0xc3}], 0x3)
ioctl$BTRFS_IOC_BALANCE_PROGRESS(0xffffffffffffffff, 0x84009422, 0x0)
r4 = socket$inet_dccp(0x2, 0x6, 0x0)
getsockopt$inet_mreqsrc(r4, 0x0, 0x53, &(0x7f0000000000)={@dev, @local, @broadcast}, &(0x7f00000000c0)=0x28)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_MSG_GETTABLE(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000480)=ANY=[], 0x58}}, 0x2000c0c4)
executing program 4:
r0 = socket$inet_smc(0x2b, 0x1, 0x0)
setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000240)='hybla\x00', 0x6)
connect$inet(r0, &(0x7f0000001200)={0x2, 0x0, @local}, 0x10)
executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000340)=@mpls_delroute={0x1c, 0x18, 0x9, 0x0, 0x0, {0x1c, 0x14, 0x0, 0x0, 0xfe, 0x0, 0x0, 0x1, 0x2}}, 0x1c}}, 0x0)
executing program 3:
r0 = socket(0x2, 0x3, 0x9)
bind$inet(r0, &(0x7f0000000080)={0x2, 0x0, @local}, 0x10)
sendmmsg$inet(r0, &(0x7f0000004780)=[{{&(0x7f0000000000)={0x2, 0x0, @multicast2}, 0x10, 0x0}}, {{&(0x7f00000031c0)={0x2, 0x0, @multicast2}, 0x10, 0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x18}}], 0x2, 0x0)
executing program 2:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r0, 0x29, 0x40, &(0x7f00000003c0)=@raw={'raw\x00', 0x3c1, 0x3, 0x400, 0x128, 0x111, 0x4b4, 0x128, 0xd4feffff, 0x330, 0x20a, 0x278, 0x330, 0x278, 0x3, 0x0, {[{{@ipv6={@private2, @empty, [], [], 'ipvlan0\x00', 'team_slave_0\x00', {}, {}, 0x6}, 0x0, 0x100, 0x128, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@inet=@tcp={{0x30}}]}, @common=@inet=@TCPMSS={0x28}}, {{@uncond, 0x0, 0x1e0, 0x208, 0x0, {}, [@common=@rt={{0x138}, {0x0, [], 0x0, 0x0, 0x0, [@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @private2, @loopback, @local, @ipv4={'\x00', '\xff\xff', @multicast1}, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @empty, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', @empty, @loopback, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @dev, @ipv4={'\x00', '\xff\xff', @remote}, @loopback, @dev]}}]}, @common=@inet=@SYNPROXY={0x28}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x460)
r1 = bpf$MAP_CREATE(0x100000000000000, &(0x7f0000000140)=@base={0xa, 0x16, 0xb3, 0x7f, 0x0, 0xffffffffffffffff, 0x1}, 0x48)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x13, &(0x7f0000000080)=ANY=[@ANYBLOB="180800aa720085100000fd08000000100000000000000000", @ANYRES32=r1, @ANYBLOB="00000000000000002c00000000000000180000000000000000000000000000009500000000000000a600000000000000180100002020782500000000002020207b12f8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000002d0000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x4, 0xde, &(0x7f0000000340)=""/222, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0xb}, 0x23)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000240)={&(0x7f0000000040)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x0, 0x0, 0x2}}, 0x0, 0x1a}, 0x20)
socket$netlink(0x10, 0x3, 0x10)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
setsockopt$netlink_NETLINK_RX_RING(r2, 0x10e, 0xb, &(0x7f0000000340)={0x2}, 0x10)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000040)={0x1f, 0xffff, 0x3}, 0x1e)
write(r3, &(0x7f0000000080)="0500030001003f", 0x7)
r4 = bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f00000002c0), 0x4)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000100)={{}, &(0x7f00000001c0), &(0x7f0000000280)=r4}, 0x20)
socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000000c0)=ANY=[@ANYBLOB="14"], 0x7c}}, 0x0)
socket$nl_xfrm(0x10, 0x3, 0x6)
r5 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r5, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=@updpolicy={0xb8, 0x19, 0xd01, 0x0, 0x0, {{@in6=@empty, @in=@private, 0x0, 0x0, 0x0, 0x0, 0x2}, {}, {}, 0x0, 0x0, 0x1}}, 0xb8}}, 0x0)
executing program 0:
r0 = socket$nl_crypto(0x10, 0x3, 0x15)
sendmsg$nl_crypto(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000280)=ANY=[@ANYBLOB="f8000000130001002abd7000fedbdf2563626328626c6f776669736829"], 0xf8}}, 0x0)
executing program 3:
r0 = socket$inet6_sctp(0xa, 0x801, 0x84)
sendto$inet6(r0, &(0x7f0000000140)="f9", 0x1, 0x0, &(0x7f0000000040)={0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @rand_addr=0x64010100}}, 0x1c)
sendto$inet6(r0, &(0x7f0000000000)="db", 0x1, 0x0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @private1}, 0x1c)
close(r0)
executing program 3:
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x6, 0x4, &(0x7f0000000480)=ANY=[@ANYBLOB="18020000d90000040000000000000000850000004100000095"], &(0x7f0000000240)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000600)={r0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9}, 0x50)
executing program 0:
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, &(0x7f00000010c0), 0x4)
setsockopt$inet6_MCAST_MSFILTER(0xffffffffffffffff, 0x29, 0x18, 0x0, 0x310)
r0 = epoll_create1(0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, 0x0, 0x0)
r3 = epoll_create1(0x0)
epoll_pwait(r3, &(0x7f0000000040)=[{}], 0x1, 0x29a, 0x0, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r2, &(0x7f0000000100)={0x20000014})
epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r0, &(0x7f0000000000)={0x80000001})
r4 = socket$l2tp6(0xa, 0x2, 0x73)
bind$l2tp6(0xffffffffffffffff, 0x0, 0x0)
connect$l2tp6(r4, &(0x7f0000000000)={0xa, 0x0, 0x0, @remote}, 0x20)
bpf$MAP_CREATE_TAIL_CALL(0x0, 0x0, 0x0)
setsockopt$packet_rx_ring(0xffffffffffffffff, 0x107, 0x5, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r5 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000240), r5)
r7 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000380)=ANY=[@ANYBLOB="1801000000000000000000000000000085000000050000001801000020646c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008008000b703000000009c8c850000006d00000095"], &(0x7f0000000000)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000040)='sched_switch\x00', r7}, 0x10)
bpf$MAP_CREATE(0x300000000000000, &(0x7f0000000100)=@base={0x18, 0x4, 0x41, 0x0, 0x1, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x4002, 0x100001}, 0x48)
sendmsg$IEEE802154_LLSEC_ADD_DEV(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000140)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r6, @ANYRES16], 0x1c}, 0x4, 0x700000000000000}, 0x0)
socket(0x10, 0x803, 0x0)
write$binfmt_script(0xffffffffffffffff, &(0x7f0000000440)={'#! ', './file0', [], 0xa, "6a1c4569c0569ab6a434922455d01a231b3cbe316c1a4ba3230ab965bb484240816c2bc1b11a3adc9eb3e82d1cb12b01b607e69d396133fba338c0d46e8b1d37df2cb06f993cda4b88e14e82ef70"}, 0x59)
executing program 3:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
ioctl$sock_ipv6_tunnel_SIOCCHGTUNNEL(r0, 0x89f3, &(0x7f0000000380)={'ip6_vti0\x00', 0x0})
executing program 2:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)=@base={0x11, 0x4, 0x4, 0xbf22}, 0x48)
r1 = socket(0x2c, 0x3, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000100)={r0, &(0x7f0000003340), &(0x7f0000003380)=@tcp=r1, 0x2}, 0x20)
executing program 3:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0xc)
sendmsg$NFQNL_MSG_CONFIG(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000013c0)=ANY=[@ANYBLOB="1c000000020301040000000000000000000040200800010001"], 0x1c}}, 0x0)
close(r0)
executing program 2:
unshare(0x20000400)
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.controllers\x00', 0x275a, 0x0)
ioctl$FS_IOC_GETFSMAP(r0, 0xc0c0583b, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 5 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): unshare-openat$cgroup_ro-ioctl$FS_IOC_GETFSMAP
detailed listing:
executing program 0:
unshare(0x20000400)
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.controllers\x00', 0x275a, 0x0)
ioctl$FS_IOC_GETFSMAP(r0, 0xc0c0583b, 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-getsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x4, 0x0, 0x20000000)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
single: successfully extracted reproducer
found reproducer with 11 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Read in l2tp_tunnel_del_work
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
socket$pppl2tp(0x18, 0x1, 0x1)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$pppl2tp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ITER_CREATE-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$ITER_CREATE(0xb, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE_RINGBUF-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$NFT_BATCH-socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, 0x0, 0x0)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
simplifying guilty program options
testing program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
testing program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000140)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
reproducing took 40m51.276977999s
repro crashed as (corrupted=false):
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
BUG: KASAN: slab-use-after-free in l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
Write of size 8 at addr ffff88807e55d008 by task kworker/u8:6/1280

CPU: 1 PID: 1280 Comm: kworker/u8:6 Not tainted 6.10.0-rc4-syzkaller-00837-g3226607302ca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: l2tp l2tp_tunnel_del_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
 l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
 l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1302 [inline]
 l2tp_tunnel_del_work+0x1cb/0x330 net/l2tp/l2tp_core.c:1334
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5254:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x1f9/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2tp_session_create+0x3b/0xc20 net/l2tp/l2tp_core.c:1675
 pppol2tp_connect+0xca3/0x17a0 net/l2tp/l2tp_ppp.c:782
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 784:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4437 [inline]
 kfree+0x149/0x360 mm/slub.c:4558
 __sk_destruct+0x58/0x5f0 net/core/sock.c:2191
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 do_softirq+0x11b/0x1e0 kernel/softirq.c:455
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
 ipv6_get_lladdr+0x295/0x3d0 net/ipv6/addrconf.c:1935
 mld_newpack+0x338/0xa90 net/ipv6/mcast.c:1754
 add_grhead net/ipv6/mcast.c:1849 [inline]
 add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1987
 mld_send_cr net/ipv6/mcast.c:2113 [inline]
 mld_ifc_work+0x68e/0xd90 net/ipv6/mcast.c:2650
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 pppol2tp_release+0x24b/0x350 net/l2tp/l2tp_ppp.c:457
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbc/0x240 net/socket.c:1421
 __fput+0x406/0x8b0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807e55d000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes inside of
 freed 1024-byte region [ffff88807e55d000, ffff88807e55d400)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e558
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0001f95601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5208, tgid 5208 (syz-executor), ts 169771306468, free_ts 169732075922
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e43/0x2f00 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_noprof+0x257/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 ipt_alloc_initial_table+0x70/0x5b0 net/ipv4/netfilter/ip_tables.c:36
 iptable_filter_table_init+0x1c/0xc0 net/ipv4/netfilter/iptable_filter.c:42
 xt_find_table_lock+0x2d4/0x3b0 net/netfilter/x_tables.c:1260
 xt_request_find_table_lock+0x26/0x100 net/netfilter/x_tables.c:1285
 get_info net/ipv4/netfilter/ip_tables.c:963 [inline]
 do_ipt_get_ctl+0x89e/0x1810 net/ipv4/netfilter/ip_tables.c:1659
 nf_getsockopt+0x299/0x2c0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt+0x222/0x2e0 net/ipv4/ip_sockglue.c:1777
 tcp_getsockopt+0x163/0x1c0 net/ipv4/tcp.c:4409
page last free pid 1050 tgid 1050 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2583
 discard_slab mm/slub.c:2527 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:2995
 put_cpu_partial+0x17c/0x250 mm/slub.c:3070
 __slab_free+0x2ea/0x3d0 mm/slub.c:4307
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4044
 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:656
 alloc_skb include/linux/skbuff.h:1320 [inline]
 nlmsg_new include/net/netlink.h:1015 [inline]
 inet6_netconf_notify_devconf+0xfc/0x1c0 net/ipv6/addrconf.c:589
 __addrconf_sysctl_unregister net/ipv6/addrconf.c:7249 [inline]
 addrconf_exit_net+0xd1/0x2c0 net/ipv6/addrconf.c:7366
 ops_exit_list net/core/net_namespace.c:173 [inline]
 cleanup_net+0x802/0xcc0 net/core/net_namespace.c:640
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147

Memory state around the buggy address:
 ffff88807e55cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807e55cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807e55d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807e55d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e55d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
BUG: KASAN: slab-use-after-free in l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
Write of size 8 at addr ffff88807e55d008 by task kworker/u8:6/1280

CPU: 1 PID: 1280 Comm: kworker/u8:6 Not tainted 6.10.0-rc4-syzkaller-00837-g3226607302ca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: l2tp l2tp_tunnel_del_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
 l2tp_session_delete+0x28/0x9e0 net/l2tp/l2tp_core.c:1639
 l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1302 [inline]
 l2tp_tunnel_del_work+0x1cb/0x330 net/l2tp/l2tp_core.c:1334
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5254:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x1f9/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2tp_session_create+0x3b/0xc20 net/l2tp/l2tp_core.c:1675
 pppol2tp_connect+0xca3/0x17a0 net/l2tp/l2tp_ppp.c:782
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 784:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4437 [inline]
 kfree+0x149/0x360 mm/slub.c:4558
 __sk_destruct+0x58/0x5f0 net/core/sock.c:2191
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 do_softirq+0x11b/0x1e0 kernel/softirq.c:455
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
 ipv6_get_lladdr+0x295/0x3d0 net/ipv6/addrconf.c:1935
 mld_newpack+0x338/0xa90 net/ipv6/mcast.c:1754
 add_grhead net/ipv6/mcast.c:1849 [inline]
 add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1987
 mld_send_cr net/ipv6/mcast.c:2113 [inline]
 mld_ifc_work+0x68e/0xd90 net/ipv6/mcast.c:2650
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 pppol2tp_release+0x24b/0x350 net/l2tp/l2tp_ppp.c:457
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbc/0x240 net/socket.c:1421
 __fput+0x406/0x8b0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807e55d000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes inside of
 freed 1024-byte region [ffff88807e55d000, ffff88807e55d400)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e558
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0001f95601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5208, tgid 5208 (syz-executor), ts 169771306468, free_ts 169732075922
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e43/0x2f00 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_noprof+0x257/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 ipt_alloc_initial_table+0x70/0x5b0 net/ipv4/netfilter/ip_tables.c:36
 iptable_filter_table_init+0x1c/0xc0 net/ipv4/netfilter/iptable_filter.c:42
 xt_find_table_lock+0x2d4/0x3b0 net/netfilter/x_tables.c:1260
 xt_request_find_table_lock+0x26/0x100 net/netfilter/x_tables.c:1285
 get_info net/ipv4/netfilter/ip_tables.c:963 [inline]
 do_ipt_get_ctl+0x89e/0x1810 net/ipv4/netfilter/ip_tables.c:1659
 nf_getsockopt+0x299/0x2c0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt+0x222/0x2e0 net/ipv4/ip_sockglue.c:1777
 tcp_getsockopt+0x163/0x1c0 net/ipv4/tcp.c:4409
page last free pid 1050 tgid 1050 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2583
 discard_slab mm/slub.c:2527 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:2995
 put_cpu_partial+0x17c/0x250 mm/slub.c:3070
 __slab_free+0x2ea/0x3d0 mm/slub.c:4307
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4044
 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:656
 alloc_skb include/linux/skbuff.h:1320 [inline]
 nlmsg_new include/net/netlink.h:1015 [inline]
 inet6_netconf_notify_devconf+0xfc/0x1c0 net/ipv6/addrconf.c:589
 __addrconf_sysctl_unregister net/ipv6/addrconf.c:7249 [inline]
 addrconf_exit_net+0xd1/0x2c0 net/ipv6/addrconf.c:7366
 ops_exit_list net/core/net_namespace.c:173 [inline]
 cleanup_net+0x802/0xcc0 net/core/net_namespace.c:640
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147

Memory state around the buggy address:
 ffff88807e55cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807e55cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807e55d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807e55d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e55d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================