Extracting prog: 8m4.67606713s
Minimizing prog: 22m27.185494691s
Simplifying prog options: 6m23.6473005s
Extracting C: 2m38.838928924s
Simplifying C: 0s


30 programs, 3 VMs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 30 programs
single: executing 5 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE-bpf$MAP_UPDATE_BATCH-socketpair$tipc-sendmsg$tipc-close-setsockopt$TIPC_GROUP_JOIN-socket$kcm-openat$cgroup_ro-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet_udplite-getsockopt$inet_udp_int-ioctl$EXT4_IOC_MIGRATE-sendmsg$kcm-ioctl$sock_SIOCGIFINDEX_80211-close-bpf$BPF_BTF_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-setsockopt$inet_tcp_TCP_ULP
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x0, 0x3)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x5, &(0x7f00000002c0)=ANY=[@ANYBLOB="1805000020000000000000004b64ffec850000007d000000850000000700000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f00000003c0)=@base={0x6, 0x4, 0x240, 0x7}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000007c0), &(0x7f0000000380), 0xfff, r1, 0x0, 0xa0028000}, 0x38)
socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
sendmsg$tipc(r3, &(0x7f0000000240)={0x0, 0xfffffff5, &(0x7f0000000200)=[{&(0x7f0000000140)="a2", 0xfffffdef}], 0x1, 0x0, 0x0, 0x700}, 0x0)
close(r2)
setsockopt$TIPC_GROUP_JOIN(r3, 0x10f, 0x87, &(0x7f0000000080)={0x40}, 0x10)
r4 = socket$kcm(0x10, 0x2, 0x4)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x7a05, 0x1700)
write$cgroup_subtree(r6, &(0x7f0000000080)=ANY=[], 0x32600)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r5, 0x0)
r7 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$inet_udp_int(r7, 0x11, 0xa, 0x0, &(0x7f0000000000))
ioctl$EXT4_IOC_MIGRATE(r0, 0x6609)
sendmsg$kcm(r4, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000013c0)=[{&(0x7f00000001c0)="39000000140081ae0000dc676f97daf01e2357f9ffffffffffffff0521018701546fabca1b4e8a06a6580e", 0x2b}], 0x1}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan0\x00'})
close(0xffffffffffffffff)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000480)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x24, 0x24, 0x2, [@enum, @array={0x0, 0x0, 0x0, 0x3, 0x0, {0x2, 0x5}}]}}, 0x0, 0x3e}, 0x20)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000400)='kfree\x00'}, 0x10)
setsockopt$inet_tcp_TCP_ULP(r0, 0x6, 0x1f, 0x0, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-openat$cgroup_ro-write$binfmt_script-mmap-getsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
write$binfmt_script(r3, &(0x7f0000000100), 0xfecc)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r3, 0x0)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x2, 0x0, 0x20001100)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$sock_int-bind$inet6-connect$inet6-ioctl$FS_IOC_GET_ENCRYPTION_POLICY_EX-socket$nl_generic-syz_genetlink_get_family_id$nl80211-socket$nl_netfilter-ioctl$BTRFS_IOC_QGROUP_LIMIT-sendmsg$IPCTNL_MSG_TIMEOUT_NEW-syz_genetlink_get_family_id$mptcp-ioctl$sock_ipv6_tunnel_SIOCDELTUNNEL-ioctl$sock_ipv6_tunnel_SIOCGET6RD-sendmsg$MPTCP_PM_CMD_SET_FLAGS-pipe-bpf$BPF_PROG_QUERY-ioctl$sock_SIOCGIFINDEX-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-sendmsg$nl_route-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD-sendmsg$NL80211_CMD_GET_MPATH-socket$nl_generic-bind$vsock_stream-socket$kcm-sendmsg$kcm
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0xf, &(0x7f0000000180)=0x800001, 0x4)
bind$inet6(r0, &(0x7f0000000140)={0xa, 0x4e22}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @loopback}, 0x1c)
ioctl$FS_IOC_GET_ENCRYPTION_POLICY_EX(r0, 0xc0096616, &(0x7f0000000440)={0x1, [0x0]})
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000140), 0xffffffffffffffff)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
ioctl$BTRFS_IOC_QGROUP_LIMIT(0xffffffffffffffff, 0x8030942b, &(0x7f0000000000)={0x9, {0x0, 0x12, 0x80000001, 0x5, 0x700000000000000}})
sendmsg$IPCTNL_MSG_TIMEOUT_NEW(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)={0x34, 0x0, 0x8, 0x101, 0x0, 0x0, {}, [@CTA_TIMEOUT_L4PROTO={0x5, 0x3, 0xffffffffffffffff}, @CTA_TIMEOUT_NAME={0x9, 0x1, 'syz1\x00'}, @CTA_TIMEOUT_L3PROTO={0x6}, @CTA_TIMEOUT_DATA={0x4, 0x4, 0x0, 0x1, @sctp}]}, 0x34}}, 0x0)
r4 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000140), 0xffffffffffffffff)
ioctl$sock_ipv6_tunnel_SIOCDELTUNNEL(0xffffffffffffffff, 0x89f2, 0x0)
ioctl$sock_ipv6_tunnel_SIOCGET6RD(0xffffffffffffffff, 0x89f8, &(0x7f0000000300)={'syztnl2\x00', 0x0})
sendmsg$MPTCP_PM_CMD_SET_FLAGS(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x40000}, 0xc, &(0x7f00000003c0)={&(0x7f0000000340)={0x48, r4, 0x100, 0x70bd28, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_ADDR={0x34, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_IF_IDX={0x8}, @MPTCP_PM_ADDR_ATTR_IF_IDX={0x8}, @MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e20}, @MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e21}, @MPTCP_PM_ADDR_ATTR_FAMILY={0x6, 0x1, 0x2}, @MPTCP_PM_ADDR_ATTR_ID={0x5, 0x2, 0x6}]}]}, 0x48}, 0x1, 0x0, 0x0, 0x1}, 0x4000800)
pipe(&(0x7f0000000d80)={<r5=>0xffffffffffffffff})
bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000300)={@map=r5, 0x2f, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x40)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000200)={'syzkaller1\x00'})
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f0000000240)={'batadv_slave_1\x00'})
sendmsg$nl_route(r5, &(0x7f0000000380)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x4000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x40000800}, 0x4)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000004c0)={'wlan0\x00'})
sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, 0x0}, 0x0)
sendmsg$NL80211_CMD_GET_MPATH(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f00000000c0), 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x2c, r2, 0x400, 0x70bd27, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40001}, 0x20000000)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
bind$vsock_stream(r6, &(0x7f0000000000)={0x10}, 0x10)
r7 = socket$kcm(0x10, 0x3, 0x10)
sendmsg$kcm(r7, &(0x7f0000000000)={0x0, 0xfffffffffffffed2, &(0x7f0000000080)=[{&(0x7f0000000040)="e03f03002a000b05d25a806c8c6f94f90424fc601000127a0a000600093582c137153e37080c188002ac0f000300", 0x33fe0}], 0x1}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet-connect$inet-listen-accept4-sendmsg$rds
detailed listing:
executing program 0:
r0 = socket$inet(0xa, 0x801, 0x84)
connect$inet(r0, &(0x7f0000004cc0)={0x2, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff}}, 0x10)
listen(r0, 0x8)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$rds(r1, &(0x7f0000001a40)={&(0x7f0000000000)={0x2, 0x0, @dev}, 0x10, &(0x7f00000015c0)=[{&(0x7f0000000200)=""/155, 0x9b}], 0x1}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): pipe-setsockopt$SO_ATTACH_FILTER-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$nl802154-sendmsg$NL802154_CMD_SET_SEC_PARAMS-socket$nl_generic-bpf$BPF_PROG_TEST_RUN-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_DAEMON-sendmsg$NL802154_CMD_SET_CHANNEL-socket$nl_route-sendmsg$nl_route_sched-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$nl802154-ioctl$sock_SIOCGIFINDEX_802154-sendmsg$NL802154_CMD_DEL_SEC_KEY-ioctl$sock_SIOCGIFINDEX_802154-sendmsg$NL802154_CMD_SET_LBT_MODE-socket$key-sendmsg$key-ppoll-readv-write$binfmt_script-socket$packet-ioctl$sock_SIOCGIFINDEX-socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
pipe(&(0x7f0000000580)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000000140)={0x1, &(0x7f0000000080)=[{}]}, 0x10)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
sendmsg$NL802154_CMD_SET_SEC_PARAMS(0xffffffffffffffff, 0x0, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={0xffffffffffffffff, 0x2000d00, 0x8, 0x0, &(0x7f0000000140)="a06ad876d56a0064", 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
r5 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$IPVS_CMD_NEW_DAEMON(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB='X\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="01000000000000000000090000004400038008000300000000001400020076657468315f746f5f7465616d0000000800010001000000050008"], 0x58}}, 0x0)
sendmsg$NL802154_CMD_SET_CHANNEL(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000000c0)={0x2c, r3, 0x1, 0x70bd2d, 0x25dfdbff, {}, [@NL802154_ATTR_PAGE={0x5, 0x7, 0x15}, @NL802154_ATTR_WPAN_PHY={0x8}, @NL802154_ATTR_CHANNEL={0x5}]}, 0x2c}}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0)
r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_802154(r6, 0x8933, &(0x7f0000000140)={'wpan0\x00', <r7=>0x0})
sendmsg$NL802154_CMD_DEL_SEC_KEY(r6, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX_802154(r2, 0x8933, &(0x7f0000000240)={'wpan1\x00', <r8=>0x0})
sendmsg$NL802154_CMD_SET_LBT_MODE(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x80000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000380)={0x48, r3, 0x300, 0x70bd28, 0x25dfdbfd, {}, [@NL802154_ATTR_LBT_MODE={0x5}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_IFINDEX={0xfffffe42, 0x3, r7}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000002}, @NL802154_ATTR_IFINDEX={0x8, 0x3, r8}, @NL802154_ATTR_LBT_MODE={0x5, 0x13, 0x1}]}, 0x48}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
r9 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r9, &(0x7f0000000040)={0xa, 0x0, &(0x7f0000000340)={&(0x7f0000000100)=ANY=[@ANYBLOB="02040000041f0000200000000000000002000100000000fb0200000000000000"], 0x20}, 0x1, 0x7}, 0x0)
ppoll(&(0x7f0000000000)=[{r0}], 0x1, 0x0, 0x0, 0x0)
readv(r0, &(0x7f0000000680)=[{&(0x7f0000000100)=""/225, 0xe1}], 0x1)
write$binfmt_script(r1, &(0x7f0000000340), 0x208e24b)
r10 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000180)={'bond0\x00', <r11=>0x0})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r12, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=@newlink={0x5c, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x34, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x24, 0x2, 0x0, 0x1, [@IFLA_VLAN_ID={0x6}, @IFLA_VLAN_EGRESS_QOS={0x10, 0x3, 0x0, 0x1, [@IFLA_VLAN_QOS_MAPPING={0xc, 0x2}]}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r11}]}, 0x5c}}, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 15s
testing program (duration=22s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 6, 6, 15, 5, 1, 19, 3, 6, 14, 7, 1, 8, 4, 27, 12, 15, 8, 4, 30, 9, 9, 6, 3, 6, 3, 5, 26, 9, 23]
detailed listing:
executing program 3:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$devlink(&(0x7f0000005580), 0xffffffffffffffff)
sendmsg$DEVLINK_CMD_TRAP_GROUP_GET(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)={0x14, r1, 0xf01}, 0x14}}, 0x0)
executing program 3:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="18000000001c0000000000004b64ffec850000007d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000100)='kfree\x00', r0}, 0x10)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000c80)={'lo\x00', <r3=>0x0})
sendmsg$nl_route_sched(r2, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_hhf={{0x8}, {0xc, 0x2, [@TCA_HHF_NON_HH_WEIGHT={0x8}]}}]}, 0x38}}, 0x0)
executing program 3:
socket$packet(0x11, 0x3, 0x300)
r0 = socket$inet6(0xa, 0x800000000000002, 0x0)
setsockopt$inet6_udp_int(r0, 0x11, 0x67, &(0x7f0000000180)=0x7f, 0x4)
connect$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @mcast2, 0x2}, 0x1c)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e25, 0x0, @ipv4={'\x00', '\xff\xff', @local}}, 0x1c)
write(r0, &(0x7f0000000080)="89ba41c97928dec7cec15a160d3dba257872aed129d4b5247c9834550448a4f46c37425b873ec95db3d757e8b2333a64d9abf416fd83f942661c47bcdf71f7d07ba2b2f051829a7f66952e57962614db0d03474a4a4bce636ea8d2b882b2b49ef18e76edbec7302a96e41f206d930eda2769c56e6d5e3d541ce9a21c3ce5cb5f", 0x80)
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x1b)
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32})
r2 = socket$kcm(0x2, 0xa, 0x2)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
getsockopt$SO_COOKIE(r3, 0x1, 0x39, &(0x7f0000000180), &(0x7f0000000000)=0x11)
getsockopt$SO_COOKIE(r3, 0x1, 0x39, &(0x7f0000000100), &(0x7f0000000140)=0x8)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f0000000100)={'wlan1\x00', <r7=>0x0})
sendmsg$NL80211_CMD_DEL_KEY(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)={0x2c, r6, 0x1, 0x0, 0x0, {{0xa}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_KEY={0x10, 0x50, 0x0, 0x1, [@NL80211_KEY_DEFAULT={0x4}, @NL80211_KEY_IDX={0x5}]}]}, 0x2c}}, 0x0)
sendmsg$NL80211_CMD_RADAR_DETECT(r0, &(0x7f0000000200)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000080)={0x3c, r6, 0x200, 0x70bd28, 0x25dfdbff, {{}, {@void, @void}}, [@NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x2}, @NL80211_ATTR_WIPHY_EDMG_CHANNELS={0x5, 0x118, 0x37}, @NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x2}, @NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x3}, @NL80211_ATTR_CENTER_FREQ2={0x8}]}, 0x3c}, 0x1, 0x0, 0x0, 0x4}, 0x4800)
ioctl$SIOCSIFHWADDR(r2, 0x8914, &(0x7f0000000240)={'syzkaller1\x00', @link_local})
write$tun(r1, &(0x7f0000000740)=ANY=[@ANYBLOB="000000000080bf008100090080000000000000000d006f94fe6403cc1101fc010000000000000000000000000000fe8000000000000000000000000000bb5e000320670000002f14000000000000c204000001010001000466e09852d81a666e3b34cfc7c1210fb43f56b4aa1568ebe0412df2e8cefec979f97a982266a0ebd4b74d801eb308ade09d76add9a95bfee37393328abdd386a6f121bfe1b54510a8ea89833b69835c4bf301edcfa984479ffdca0389b063baa831def22fb0e5f90401130001000101000728000000020801008008000000000000000200000000000000040000000000000005000000000000000000000062000641660000002900ff90650000003a0602ff00000000fe8000000000000000000000000000bbff020000000000000000000000000001fe80000000000000000000000000002e333000000000000001010005020081c20400000004010200004b9bff9713bc0a40a3c999e9f79ab7e3879da3ece9ce446d4982706e2c0830f8f2d13f609305d5d8b536cbdd4510a76e3c8546e9ac7b202ece6834cefbc818d6c8642033bf4fee838e32be1d012ca33667e5fd1922c4db0d9d5315157de75fe139ddb184c80833739d94fa29fafe6f15a4a5dae5b6943758b53b90ffc309e4de5a18933541139790f8881ce2cf2d89bca19da78f59d4590ed575cbb4fa075800000001148005000900000000000000020000000000000054b70000000000000600000000000000000000001c00000004000000000000000300000000000000010400000000000000000000000000000000000000000000c15d483114b308562fbc876214399fb9a92519b357aa8adfa2f12e7a3239be57bb0d6c1c49e9b2cb685b2b8ce58f2a39f82de85c7b7f77617a069a3f63c2ffc1d34265621f07d42d7c2a5deb0e4f7d8fca6a2553be0ae9340b05296910df0d26a054e1f96d9efeb3c2996c8e42dc7107180000000104d2400080000000000000000500000000000000040103000000003305000000000000010700000000000000000100c910ff010000000000000000000000000001c204ffffffcd01050000000000000000000087001f11640000004e204e2200fc9078a10300009d58f4c6448c7fd20442c1f9c865375cea1c32a0e3715f0d64325253805ca2b29b1f6a3cf66e71cfee183f0468889219c839162e1df0c5c8acb6c6154857c02df4018642df4a6c3e2af1886e911ba5baa0a63ca9c689d19dbde4e3f2ae4a3cb845a2807cb8ef179a4f0d18e2d7c81b107609af5f7d489f5705e621c802c88f431235ab004fdacf610918b79db3e63056bea7bed26dd44f6798ecf92686b6d38014d75d917b4a3e8a415e3cc54c94b26d353a9ac4dd25402d8fd384cc8edc36035c979bceb1520c7aa384c9e3d317c22f3c2bbd32e4be3f8de439b5107f22a8e9d6c69858d4540be910f0772654517000"], 0x40a)
executing program 3:
bpf$BPF_GET_BTF_INFO(0xf, 0x0, 0x0)
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xc, &(0x7f00000002c0)=ANY=[@ANYBLOB="18000000000000000000000000000000850000007d00000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000400000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000100)={&(0x7f00000000c0)='percpu_alloc_percpu\x00', r0}, 0x10)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x26e1, 0x3a0ffffffff)
bpf$MAP_CREATE(0x0, &(0x7f0000000340)=@base={0xa, 0x4, 0x3, 0x8}, 0x48)
executing program 2:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000000)=ANY=[@ANYBLOB="1801000020000000000000004b84ffec850000006d000000850000003700000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
executing program 3:
r0 = socket$can_raw(0x1d, 0x3, 0x1)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000000)={'wlan1\x00', <r4=>0x0})
r5 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r5, 0x8001000000000000, 0x40, &(0x7f0000000540)=@raw={'raw\x00', 0x8, 0x3, 0x4d8, 0x340, 0x11, 0x148, 0x340, 0x0, 0x440, 0x2a8, 0x2a8, 0x440, 0x2a8, 0x3, 0x0, {[{{@uncond, 0x0, 0x2f8, 0x340, 0x0, {}, [@common=@inet=@hashlimit1={{0x58}, {'ip_vti0\x00', {0x0, 0x0, 0x3f, 0x0, 0x0, 0x3, 0x7}}}, @common=@unspec=@bpf1={{0x230}, @pinned={0x3, 0x0, 0x0, './file0\x00'}}]}, @unspec=@CT0={0x48}}, {{@ip={@multicast2, @empty, 0x0, 0x0, 'vlan0\x00', 'netdevsim0\x00'}, 0x0, 0xd0, 0x100, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@unspec=@quota={{0x38}}]}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x538)
sendmsg$NL80211_CMD_DEL_TX_TS(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000100)={0x30, r2, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_TSID={0x5}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}]}, 0x30}}, 0x0)
accept(r0, 0x0, 0x0)
unshare(0x0)
r6 = socket$alg(0x26, 0x5, 0x0)
getpeername(r0, &(0x7f0000001bc0)=@l2tp6={0xa, 0x0, 0x0, @private2}, &(0x7f0000001c40)=0x80)
bind$alg(r6, &(0x7f0000000000)={0x26, 'hash\x00', 0x0, 0x0, 'sha512-avx\x00'}, 0x58)
r7 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='cpuset.effective_cpus\x00', 0x275a, 0x0)
ioctl$FS_IOC_SETFLAGS(r7, 0x40086602, &(0x7f0000000080))
r8 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cpuset.effective_cpus\x00', 0x275a, 0x0)
write$binfmt_script(r8, &(0x7f0000000100), 0xfcb8)
ioctl$EXT4_IOC_MOVE_EXT(r7, 0x40305829, &(0x7f0000000000)={0x17c04, 0xffffffffffffffff, 0xb8fc, 0x25d5})
ioctl$EXT4_IOC_MIGRATE(r7, 0x6609)
executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000340)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r0, &(0x7f0000000e00)={0x0, 0x0, &(0x7f0000000dc0)={&(0x7f0000000a80)={{0x14}, [@NFT_MSG_DELSET={0x20, 0xb, 0xa, 0x101, 0x0, 0x0, {0x2}, [@NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14}}, 0x48}}, 0x0)
executing program 4:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x12, r0, 0x0)
socketpair(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x12, 0x4, 0x4, 0x2}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{r2, <r3=>0xffffffffffffffff}, &(0x7f0000000040), &(0x7f0000000140)=r1}, 0x20)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xc, &(0x7f0000000100)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r3}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, &(0x7f0000000180)='syzkaller\x00', 0x7, 0xff8, &(0x7f0000001e00)=""/4088}, 0x90)
executing program 1:
r0 = socket(0x10, 0x2, 0x0)
ioctl$sock_SIOCSIFVLAN_SET_VLAN_FLAG_CMD(r0, 0x8983, &(0x7f0000000100)={0x7, 'nr0\x00', {0x1}, 0x5})
ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(r0, 0x89f1, &(0x7f00000000c0)={'ip6tnl0\x00', &(0x7f0000000140)={'syztnl1\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x44, @empty, @mcast2={0xff, 0x5}, 0x0, 0x8}})
socket$inet6_udp(0xa, 0x2, 0x0)
r1 = socket$inet_sctp(0x2, 0x5, 0x84)
r2 = socket$inet_sctp(0x2, 0x5, 0x84)
getsockopt$inet_sctp_SCTP_MAX_BURST(r2, 0x84, 0xc, &(0x7f0000000240)=@assoc_value={<r3=>0x0}, &(0x7f0000000080)=0x8)
setsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f0000000180)={0x0, 0x8004, 0xfffffffe, 0x2, r3}, 0x10)
connect$l2tp6(r0, &(0x7f0000000280)={0xa, 0x0, 0x4, @private0, 0x9, 0x3}, 0x20)
setsockopt$inet6_udp_encap(r0, 0x11, 0x64, &(0x7f00000003c0)=0x5, 0x4)
r4 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp6_SCTP_AUTH_DEACTIVATE_KEY(r4, 0x84, 0x23, &(0x7f0000000380)={r3, 0x4}, 0x8)
getsockopt$inet_sctp_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f00000001c0)=@sack_info={r3, 0x3, 0xfffff000}, &(0x7f0000000200)=0xc)
getsockname(r1, &(0x7f00000002c0), &(0x7f0000000340)=0x80)
executing program 2:
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, 0x0, &(0x7f0000000140))
r1 = socket$inet(0x2, 0x80001, 0x84)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x0, 0x3, &(0x7f0000000000)=ANY=[@ANYBLOB="180005000000000000070000000000000095000000001600"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24}, 0x90)
getsockopt$inet_sctp_SCTP_MAX_BURST(r1, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000300)=0x8)
getsockopt$inet_sctp_SCTP_PR_SUPPORTED(r1, 0x84, 0x71, &(0x7f0000001080)={<r3=>r2}, &(0x7f00000010c0)=0x8)
setsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000001100)={r3}, 0x8)
executing program 4:
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x8, 0x6, &(0x7f0000000000)=@framed={{0xffffffb4, 0x8, 0x0, 0x0, 0x0, 0x73, 0x11, 0x3a}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0xb7}, @exit={0x95, 0x0, 0xc2}], {0x95, 0x0, 0x1200}}, &(0x7f0000000080)='GPL\x00', 0x4, 0xc3, &(0x7f000000cf3d)=""/195}, 0x70)
executing program 0:
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0xe, 0x4, 0x8, 0x8}, 0x48)
close(r0)
bpf$MAP_CREATE(0x0, &(0x7f0000000440)=@base={0x19, 0x4, 0x4, 0x3, 0x0, 0x1}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=<r1=>r0, @ANYBLOB="0000000000000000b70800000000396f7b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r2 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x48)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x11, 0x10, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r2, @ANYBLOB="0000000000000000b702000000000000850000008600000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b7080000008000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000000080)='ext4_allocate_inode\x00', r3}, 0x10)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000240)='cgroup.controllers\x00', 0x26e1, 0x0)
executing program 1:
r0 = socket$inet6(0xa, 0x80002, 0x0)
setsockopt$sock_linger(r0, 0x1, 0x3c, &(0x7f0000000340)={0x1}, 0x8)
setsockopt$SO_TIMESTAMPING(r0, 0x1, 0x25, &(0x7f0000000000)=0x645, 0x4)
sendmmsg$inet6(r0, &(0x7f0000000680)=[{{&(0x7f0000000040)={0x2, 0x4e21, 0x0, @local}, 0x1c, 0x0}}], 0x1, 0x4004000)
executing program 3:
pipe(&(0x7f0000000580)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000000140)={0x1, &(0x7f0000000080)=[{}]}, 0x10)
r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
sendmsg$NL802154_CMD_SET_SEC_PARAMS(0xffffffffffffffff, 0x0, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000080)={0xffffffffffffffff, 0x2000d00, 0x8, 0x0, &(0x7f0000000140)="a06ad876d56a0064", 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0}, 0x50)
r5 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$IPVS_CMD_NEW_DAEMON(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB='X\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="01000000000000000000090000004400038008000300000000001400020076657468315f746f5f7465616d0000000800010001000000050008"], 0x58}}, 0x0)
sendmsg$NL802154_CMD_SET_CHANNEL(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000000c0)={0x2c, r3, 0x1, 0x70bd2d, 0x25dfdbff, {}, [@NL802154_ATTR_PAGE={0x5, 0x7, 0x15}, @NL802154_ATTR_WPAN_PHY={0x8}, @NL802154_ATTR_CHANNEL={0x5}]}, 0x2c}}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0)
r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl802154(0x0, 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_802154(r6, 0x8933, &(0x7f0000000140)={'wpan0\x00', <r7=>0x0})
sendmsg$NL802154_CMD_DEL_SEC_KEY(r6, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX_802154(r2, 0x8933, &(0x7f0000000240)={'wpan1\x00', <r8=>0x0})
sendmsg$NL802154_CMD_SET_LBT_MODE(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x80000000}, 0xc, &(0x7f0000000280)={&(0x7f0000000380)={0x48, r3, 0x300, 0x70bd28, 0x25dfdbfd, {}, [@NL802154_ATTR_LBT_MODE={0x5}, @NL802154_ATTR_IFINDEX={0x8}, @NL802154_ATTR_IFINDEX={0xfffffe42, 0x3, r7}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000002}, @NL802154_ATTR_IFINDEX={0x8, 0x3, r8}, @NL802154_ATTR_LBT_MODE={0x5, 0x13, 0x1}]}, 0x48}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
r9 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r9, &(0x7f0000000040)={0xa, 0x0, &(0x7f0000000340)={&(0x7f0000000100)=ANY=[@ANYBLOB="02040000041f0000200000000000000002000100000000fb0200000000000000"], 0x20}, 0x1, 0x7}, 0x0)
ppoll(&(0x7f0000000000)=[{r0}], 0x1, 0x0, 0x0, 0x0)
readv(r0, &(0x7f0000000680)=[{&(0x7f0000000100)=""/225, 0xe1}], 0x1)
write$binfmt_script(r1, &(0x7f0000000340), 0x208e24b)
r10 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000180)={'bond0\x00', <r11=>0x0})
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r12, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=@newlink={0x5c, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x34, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x24, 0x2, 0x0, 0x1, [@IFLA_VLAN_ID={0x6}, @IFLA_VLAN_EGRESS_QOS={0x10, 0x3, 0x0, 0x1, [@IFLA_VLAN_QOS_MAPPING={0xc, 0x2}]}, @IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r11}]}, 0x5c}}, 0x0)
executing program 4:
socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
sendmsg$tipc(r1, &(0x7f0000003280)={0x0, 0x0, 0x0}, 0x0)
sendmsg$tipc(r1, &(0x7f0000000e40)={0x0, 0x0, 0x0}, 0x0)
sendmsg$inet(r1, &(0x7f0000000f80)={0x0, 0x0, &(0x7f0000000f40)=[{&(0x7f00000042c0)="86", 0x1}], 0x1}, 0x0)
sendmsg$tipc(r1, &(0x7f0000002700)={0x0, 0x0, 0x0}, 0x0)
setsockopt$sock_attach_bpf(r0, 0x1, 0x21, &(0x7f0000000040), 0x4)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000100)=@base={0x1, 0x4, 0x7fe2, 0x1}, 0x48)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r2}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000040)='kmem_cache_free\x00', r3}, 0x10)
sendmsg$tipc(r1, &(0x7f0000000240)={0x0, 0x0, 0x0}, 0x0)
close(r1)
recvmsg(r0, &(0x7f0000000900)={0x0, 0x0, &(0x7f0000000880)=[{&(0x7f0000000600)=""/203, 0xcb}], 0x1}, 0x0)
executing program 2:
r0 = socket$netlink(0x10, 0x3, 0x1b)
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32})
r2 = socket$kcm(0x2, 0xa, 0x2)
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
getsockopt$SO_COOKIE(r3, 0x1, 0x39, &(0x7f0000000180), &(0x7f0000000000)=0x11)
getsockopt$SO_COOKIE(r3, 0x1, 0x39, &(0x7f0000000100), &(0x7f0000000140)=0x8)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f0000000100)={'wlan1\x00', <r7=>0x0})
sendmsg$NL80211_CMD_DEL_KEY(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)={0x2c, r6, 0x1, 0x0, 0x0, {{0xa}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_KEY={0x10, 0x50, 0x0, 0x1, [@NL80211_KEY_DEFAULT={0x4}, @NL80211_KEY_IDX={0x5}]}]}, 0x2c}}, 0x0)
sendmsg$NL80211_CMD_RADAR_DETECT(r0, &(0x7f0000000200)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000080)={0x3c, r6, 0x200, 0x70bd28, 0x25dfdbff, {{}, {@void, @void}}, [@NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x2}, @NL80211_ATTR_WIPHY_EDMG_CHANNELS={0x5, 0x118, 0x37}, @NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x2}, @NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x3}, @NL80211_ATTR_CENTER_FREQ2={0x8}]}, 0x3c}, 0x1, 0x0, 0x0, 0x4}, 0x4800)
ioctl$SIOCSIFHWADDR(r2, 0x8914, &(0x7f0000000240)={'syzkaller1\x00', @link_local})
write$tun(r1, &(0x7f0000000740)=ANY=[@ANYBLOB="000000000080bf008100090080000000000000000d006f94fe6403cc1101fc010000000000000000000000000000fe8000000000000000000000000000bb5e000320670000002f14000000000000c204000001010001000466e09852d81a666e3b34cfc7c1210fb43f56b4aa1568ebe0412df2e8cefec979f97a982266a0ebd4b74d801eb308ade09d76add9a95bfee37393328abdd386a6f121bfe1b54510a8ea89833b69835c4bf301edcfa984479ffdca0389b063baa831def22fb0e5f90401130001000101000728000000020801008008000000000000000200000000000000040000000000000005000000000000000000000062000641660000002900ff90650000003a0602ff00000000fe8000000000000000000000000000bbff020000000000000000000000000001fe80000000000000000000000000002e333000000000000001010005020081c20400000004010200004b9bff9713bc0a40a3c999e9f79ab7e3879da3ece9ce446d4982706e2c0830f8f2d13f609305d5d8b536cbdd4510a76e3c8546e9ac7b202ece6834cefbc818d6c8642033bf4fee838e32be1d012ca33667e5fd1922c4db0d9d5315157de75fe139ddb184c80833739d94fa29fafe6f15a4a5dae5b6943758b53b90ffc309e4de5a18933541139790f8881ce2cf2d89bca19da78f59d4590ed575cbb4fa075800000001148005000900000000000000020000000000000054b70000000000000600000000000000000000001c00000004000000000000000300000000000000010400000000000000000000000000000000000000000000c15d483114b308562fbc876214399fb9a92519b357aa8adfa2f12e7a3239be57bb0d6c1c49e9b2cb685b2b8ce58f2a39f82de85c7b7f77617a069a3f63c2ffc1d34265621f07d42d7c2a5deb0e4f7d8fca6a2553be0ae9340b05296910df0d26a054e1f96d9efeb3c2996c8e42dc7107180000000104d2400080000000000000000500000000000000040103000000003305000000000000010700000000000000000100c910ff010000000000000000000000000001c204ffffffcd01050000000000000000000087001f11640000004e204e2200fc9078a10300009d58f4c6448c7fd20442c1f9c865375cea1c32a0e3715f0d64325253805ca2b29b1f6a3cf66e71cfee183f0468889219c839162e1df0c5c8acb6c6154857c02df4018642df4a6c3e2af1886e911ba5baa0a63ca9c689d19dbde4e3f2ae4a3cb845a2807cb8ef179a4f0d18e2d7c81b107609af5f7d489f5705e621c802c88f431235ab004fdacf610918b79db3e63056bea7bed26dd44f6798ecf92686b6d38014d75d917b4a3e8a415e3cc54c94b26d353a9ac4dd25402d8fd384cc8edc36035c979bceb1520c7aa384c9e3d317c22f3c2bbd32e4be3f8de439b5107f22a8e9d6c69858d4540be910f0772654517000"], 0x40a)
executing program 0:
r0 = epoll_create1(0x0)
r1 = socket$tipc(0x1e, 0x5, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r1, &(0x7f0000000500)={0x20000014})
r2 = socket$vsock_stream(0x28, 0x1, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r2, &(0x7f00000000c0)={0xc0002015})
setsockopt$TIPC_GROUP_JOIN(r1, 0x10f, 0x87, &(0x7f0000000000)={0x42}, 0x10)
r3 = epoll_create1(0x0)
epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r0, &(0x7f0000001300))
executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000080)={'wlan0\x00', <r2=>0x0})
sendmsg$NL80211_CMD_JOIN_MESH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000100)={0x3c, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_MESH_ID={0xa}, @NL80211_ATTR_TX_RATES={0x14, 0x5a, 0x0, 0x1, [@NL80211_BAND_6GHZ={0xfffffffffffffd5d, 0x3, 0x0, 0x1, [@NL80211_TXRATE_HT={0x5, 0x2, [{}]}, @NL80211_TXRATE_LEGACY={0x4}]}]}]}, 0x3c}}, 0x0)
executing program 4:
syz_genetlink_get_family_id$nl802154(&(0x7f0000000040), 0xffffffffffffffff)
r0 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r0, &(0x7f0000000000)=@nameseq={0x1e, 0x2}, 0x10)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0xb, 0x7, 0x10001, 0x9, 0x1}, 0x48)
r1 = socket$kcm(0x29, 0x5, 0x0)
close(r1)
r2 = socket$kcm(0x2b, 0x1, 0x0)
close(r2)
r3 = socket(0x2, 0x2, 0x0)
r4 = bpf$MAP_CREATE(0x100000000000000, &(0x7f0000000440)=@base={0x12, 0x7d, 0x8, 0x2}, 0x48)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000001d80)={r4, &(0x7f0000001d00), &(0x7f0000001d40)=@tcp6=r3}, 0x20)
setsockopt$sock_attach_bpf(r1, 0x1, 0xd, &(0x7f0000000080), 0x2cb)
r5 = socket$kcm(0x10, 0x3, 0x10)
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000600)={0x11, 0x3, &(0x7f0000000200)=@framed, &(0x7f0000000100)='GPL\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000040)='contention_end\x00', r6}, 0x10)
sendmsg$kcm(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000040)="1400000037000b63d25a80648c2594f90724fc60", 0x14}], 0x1}, 0x0)
close(r2)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
close(r7)
r8 = socket$inet6_tcp(0xa, 0x1, 0x0)
listen(r8, 0x0)
r9 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000680)={0x10, 0x4, &(0x7f0000000380)=ANY=[@ANYBLOB="1802000000c400000000000000000000850000003e00000095"], &(0x7f00000000c0)='GPL\x00', 0x1}, 0x90)
r10 = bpf$MAP_CREATE(0x0, &(0x7f00000023c0)=@base={0x12, 0x4, 0x8, 0xb}, 0x48)
bpf$BPF_PROG_DETACH(0x8, &(0x7f00000001c0)={@map=r10, r9, 0x7}, 0x10)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000500)={r10, &(0x7f0000000240), &(0x7f00000004c0)=@tcp6=r8}, 0x20)
sendmsg$IPCTNL_MSG_CT_DELETE(r7, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000140)=ANY=[], 0x14}}, 0x0)
sendto$inet6(r8, &(0x7f0000000040)="0b118f2b4190be586d04d99304c7975dfca451f6a36e5e11c583738f22bfc241adfd70c9456ea4fe6a5e0716c24ab3", 0xfffffffffffffea5, 0x0, &(0x7f0000000100)={0xa, 0x0, 0x0, @private1}, 0x1c)
sendmmsg(r7, &(0x7f0000002640)=[{{0x0, 0x0, &(0x7f0000000980)=[{&(0x7f0000000540)="402b801dbf1801444f3e2de5beb13cb286650aa9cf295a2d2d36665347495c89efdbd8bc17593bb8dcf560f8d4072de2d9236697398982460eec0884def609ed8c4b58349dc752e27fedee195c3de4376f6f29b2216720c037538e628fd31a7f32fbf1b2c404b57e5e1909b81aa3fd637de9599ab2e113bfa77ab63ffa3e7494ebacca9a8b2ad18007ec3770254aa803c8a6a21f580843039c5666ff0e0ea99a9ec5170fd5ab816bc6c5441560", 0xad}, {&(0x7f0000000780)="59c99668969c20a79aad77cd92a5796eea6895dbb0876ac9ac5a3dfe06bdb7b605b99043f8c1a78e26c32d21e905145995f39271ef9325e0c191431f801dcffdc2071f86514a3f4c6b41dd83a7e25d7fd929991b0a98cb83a3626ec3cc94ad85e30c52a55b12e329a28ce2e03dd1688147087295ec214d01588daa59081c0d6506b70371d4aa775506a3623a05e1d03113b7c7b8c7742973b65c8cb9b9540cd106ac9859f8a63c8a6c47b916cd31ff76600195e1b0a223beb52cd405b9a01a0cee5cacddf2bd3cda3c87f74100be816108d0368a0e01b6f8fa13de", 0xdb}, {0x0}, {&(0x7f0000000000)="17fb2fdfb50a4724cf477fc8eacdbb159343d10a94", 0x15}, {&(0x7f0000000900)="eefa7ecb828e6d2a38544751c43068b7fb36c461455b7a0eda681fcf6ea8c05c6c00c75574689cc303f99e121994211540f3a3a9cf9aa43165d311f4024dfc87ca5871f9ea8bc99a2c78c709e386dc6a", 0x50}, {&(0x7f0000000080)="0acf51f51b7f1c4e152a", 0xa}], 0x6}}, {{0x0, 0x0, &(0x7f0000000bc0)=[{&(0x7f0000000140)="e43d04fd2170bd50125ffa6d1e179f98984b2c72ca3bffd4871a112972963a9b524958b63a1619122acc32a1e1c81a85", 0x30}, {&(0x7f0000000480)="149d044c07e578f48f6e7fb65172a61b0316e20d92e71c834e31de4335c697b4f63ff06e8ef72792bc9e4d188015c40f05384741eea7303566305add", 0x3c}], 0x2}}, {{0x0, 0x0, &(0x7f0000000e00)=[{&(0x7f0000000d40)="d7a92f8644cf4415acf7f5e870119282d7f60cf7b3c7de6ba0ed931dfc44a5229a4dd1ba32682754d61b68fa8c52b41dbf0db11ccf953586d379fed7efcae3b96cff06aea060bb4e8e0394d1d053d6cb1a35e046478829c098921589fd3d1917d2511991d1f21559b550a4c345460aa58103d9ddf3343e18d761a75bd6851db03670e16d203c0fd640117acf2fdb6ef569ea7cd6ccf76db10262d38abe9b93e3a46abb6e2a48cebc5afe864034b9ae1810a5d4", 0xb3}, {&(0x7f0000001140)="2cd30c74459fd7f3868040d841d76b181fd9307ab6160bd199a50b64e09d2a5950fd97de7cca2e06d14a95362b04715a1e666884f00b754fad3ad29f4366148e8225d6b51c6eeb3707e5c2c09b866c08712ab96b3bfb9eca390527d3bd24b8ac8fbefb0646220dda67b50fefa28662fef769962f3c93b3839bb04a79ed46426bc4a3849806a1e8fb0038997c4088a27caf953ce6c52507d307e8b78d70c3feb2c0b6bbac1a346a689f033de570e01bcfa23ae90b294f254f8671ce0d6832a3fcbf48fa9618bf49edec47ba1e0725e5d8ad32a746e05ead482c38b34d52efff0858932471f0be04f67222eca8dbea65c41eff6ea0b0eb0bd45fa2e8ddb2fc5dd17904238a5864e80225a6e6e67212c9f8cc445025d9da9a7f26f2b03a8b4696e093a6581a06fc6506e98d900acbb20a4ef7f3751ac72b3c9168eea221ed96bd1365e973ae45f5b7c1d89223d999beda3d2b4fe38a2e371336afa01cb78112fdf7997803d0f73dabb24076edb16315ebf5a90171314e8fcdfec74b46c83fa3481e0c575e78bac158ac4f4e368233f5da9b11c9df11c6f2a12bde1759d93d6cfe3a435d16063905f0e187de92e714b59243c86caeb1958a46fdeb76fa49dc24a7fa3a43287d282593cb7121bf9fc89b9acb5096636390a511fd0bab546c3bd7bb1b5f80aba51dcf2891029838b9fbf350bb56e696b943c011dbc18d58cdef23738f84b792832aad2924eb32f4016f83ef722b2e55c74d9daaf2a8a6aac0c365470710a3a6f881b060b82f5c6392a8ac82a5b7d3b8d2ea36d7d4fb53780ce198aa7800fa5649a586c6cf740d595e8f18de8cd0bfe7f9ee7aae66d9e938f7f70151071137c32829062a99b6f0785d8eec2a1dd0caf3b9e7030e44574cdacd4e8e6e3cf241e0eefc7d959f495d8172ccb0fd668475db4e842f1105e621ee7ae847845dc0e87ffc7fb129a911a1d7f460a9746f64fdc85101d7d02ae7aeb24f0bcd622102c373f4d3a365adb3fb659ccf3e229e63d0726410dca82f7cbc9aace60b065f6fd52e690478a11135a42894f4de546ab09b6671cb25a32f79b925a97dfaa610721292b0eeae29b0dfff73c9ad0bf215ca6dc2bbd34ffdb096b9405d341380afbb26c46d86968b973a62c4b1e5a93ef43ab8ea86562ff88cf0e2aab581a7b4da39dc45a990ee2c4af7e8fb54f7475cc9776e9a0634b05a26725cea0b5bece95791f3493f5ed77cd40cc0cfab09c0f91e4c615d9d03c385508c672b04a425cdbdc428e5f9b64d09f8d1e856a68059dc662f685ca819380efe8eeb7e6f088ac46350f72321433bf0ea9809fb8738c384afada472ae3392e8d9492d5858075da00ee867cdbf8ead8a11a0d45f1664f7c20c2373f5c283a1a12df9fac3a43f185c2ff6c2492d266888f77eb23ecea2c1a618284fe7f55ca6a47f298e7e6501f31897c8c6a19f77bb072a0d0ba1395e0f3d6e7c20c3283b34ab1427d9494fed54052d59f2eaebe0671a6ed1555908f8ceded0451e895513989496438ecf0089a1c49d75e65d08567ec0fa24299ca5a9d1630ac1cf95896aa2caedd84fb5eb776ad6e0800af1c5b45ed54659665e5a8f4a5f1586e6bb97dd09ca257ab680931050c80ac1f259df4d647cb5adeff9d3b026cb84917cfbcf2f8e21044b4af5383e2ad1dc6086b1012ee007820be74a0e87e717942237f1129cf2a1cad3d101f2888aca96e770cd9bb45e2c9ec9c28be744317a71d8db21b5c29cf1e25d7ba1aea4d333b54d0462f13f1940ea8a7b6c8f553d7fe1a4d210cd5c376e6f196c2d2715271e6700a84b67a6854fb5210083de0f76627d949017a37748e5eed9c05bad06c1314031ef1596cba1e25f0f8c75198d10f369fecc57fbc78896962b6c024013fe2e4ea673888eceb4aac93b6b23c3dedd0c7438db58282df9ad3ab449d2199f4fe1d51c548084389353a9ed4c1962f66a80a04e43c5c514b10e6c0099c3926d10f91a3c4b54422e68a004883f68663c4f4503c3ac79af0f46f06c9858a57a7b64010460d6268bbe5cd919ed469eec7f9bf4494afb8ce6b2890679dff6f3a5fb713fa8876c7750ea19c6ad8ba27c0ab382a816f7450ed15f3aaeb906f4c62f0c11ef3f99bdd5d703cb94c3cab42122088039631daaac7b294e17ced609ea741a19a0cfd9c8f454094d21077815f366ea9ad6cc0c72567ff98f5e99e379588b3cb0844be56250a550025986c239d6c0a4c9cd55b326b298386ccedc59d230b531ea3fea2b48f97e64508015496a3aa401ba16569d8d68e4347334d358b9d124b6f775d43ada7bd0e43524bb4555833129ddbd5ef6df7cbbb8e3a77a82369b07b7fc97d993392fa52c2f20dfc25aa2bb614be03e39c6a067dac2fee393573ff10701ecbae920b4cf2dcf41149634fd4e4cde6fc2d3f660902e884ab269a3321557557c75533cc0404488d05fdf3d5083ef5b86c58e43035559b43e41640c368d5b7c8d6a0951245c35dbef5ca9ffc77655d89680bb958d056524d0df0dc0ec604dd95d9ae9cfabdb5b30d022b62018725c31adc207cbda9147aa18f5d87a087cf0b430be3dd90e0add262e285b6e609dbcb7215c260618134242e4b70164e87a93d87e1b591618f1b279575857c56285f2b0cbe4bc3c1656b5d3bf9a8177914fcb202117ffe9f40f6a842855d3dc98e09a19740965527ef318ca23fd7ba1028af25a1dee4e0b76475d9b42b706f7502917aa6596a5eb34f72ec2c64b4cc49bb6ba8f9a87b2c2546e1c848c394fb61b1ecf137525954249e2c9db0af55e684d9d9e2eb48b16547a9823813137fe8205287fd8f6cab91801d5f253f4d1f9a3d0bd93e975c310e28532bdf9b9c680cc7273dca17f5016820033a3254887b44e7a42db56ddf757e2214b613e3ebe26acad6bfb4122a79576b65e6562aab019aac513e39bd9352f7e1bc5aa0e58a4975485bcff98cb28034baa6e448ce0341c229d6dafacf6bb1afbde1bdfd606af6c2387f0fbcd3c9cc50691413fc9482d62423a7c9f927fa4acb1901fa3d7da38b075dd7ceaa2ec2d8a5568ee9fc91d0ccf2c67d4901f65596cb5f7cff57251e6375161a753bfb0d11500a4afb32b779b8937ad8113579591de9f699947afd810b586689c70d1e638151ba789e15157e5f320dbd21544e8b00011122d17ee96504be299767b5b8caa6b930f337ccbfbb36e9989bd2517b18a04e8be2d041232b62b9b5f31097428af89b14a5ff5bcdd4c1ec0be7a74c95b6971ca522e03e43adfbcb29dc6214a19b0edb7724fd3abf1a76158c104c177b775e456b7fae635c189ee692db56e6a61677833d37479e94fbdb0cee1e1388c03d47928a8df4a34e88933e499f345452cb250a7014340afb6146f5884d4ca5867266b71e2ed7210ecfe4e7ab496ad4c55876f8742d7cabcccb3b2b8f2cd301b60290798604515cdf1797a2fc9248bb27c8b5f84c83a11da2a534b1fccf47fd1db0ae72df256280b84ce61ebbd9f32df3b51cdf4f51f6d064a5a8747d634bd92e8e521092b120d0aa72ac28b0076ec894e4d027e052bf83aec11f14d6c8bd1994adbb6e2da6dcebf8202abbec2a1688aae577539dfedf0cb5e7f7bc6521ac1a3fbdb72de2066e381f52c0339de8d8deaeef1acbaac1c0a0dd9994709503bf5d5d63004685096d104e2ef29678141dcb742708ee62ba94ddb06ba2dbe27c19ee42d714afd65916e33b0d0892241be82b8dd19577a5b4b0593bc9dd7ad277449233c849471f262827e6eddc01dc47f15ec00fd9c21cf474f1cc105a9138e9832868285058a4cece5236064083774f166fc436375b107a5d2f5010d9b189d78d0826e96873ea0a710178a9676d210c7c2bc6ea010796f32207038e6119b685c32b283e8025d1499f7483efacf64c3c0d6aac0723b8af8cadb2b177657295f919551e3ba02fa4dfb9e4921236352f5c04b826a5fdb5a918e98455a0c395840d6f8fd1b8df6ded2269cc8db1405e363c2eba7dc10f6196702b83a67e94cdf0bf4d2769bee03bee8c40aa05d247be180cb96817f41c3149ccc61cdb75188b224a6598e4246584c1330bc809232568df03035c794b723945c5b4d4b80ce91479db687dd224ee4a9a85f2f3f72784f757448bf63d32a3c07c1c50d7325cf35822286f7cc62e554531cb57d10a6af6fd7c9fc0293eefab8d9ffc6d635e01033ea18ad7e69d1bc8b1d9151d9ba7e34f1340be3befd34bf3e8881e057c72cfaeffaa6da2029e2d911f366e1420c6f8760c53215a98739f36f4435de55c3fbf1b3c231f4db36d4c70b9bd00d97cca491a6204eeb4412dd433fcb345fd5c89c6c432f477592268c528dceb1ba991c14bcf7f7f873b5344fe981ecfe3f2de722625bdc182155d48dfe1a222b740c5f6529744d56f77d20c39e6c08eae1fef6b24f72e86d5264e15d35249d816a8be4cf63104b548d3108e6b780383904fb1aff0df9a8a7b1d431a2069543fb40dc437884086fd52aa075cfce09", 0xc71}], 0x2}}], 0x3, 0x0)
sendmsg$SOCK_DESTROY(r7, &(0x7f0000001100)={0x0, 0x0, &(0x7f00000010c0)={&(0x7f0000002440)={0x14}, 0xc3ec}}, 0x0)
executing program 1:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f0000000100)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000080)={&(0x7f0000000500)={{0x14}, [@NFT_MSG_NEWTABLE={0x54, 0x0, 0xa, 0x801, 0x0, 0x0, {0x3, 0x0, 0x7}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz1\x00'}, @NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}, @NFTA_TABLE_USERDATA={0x14, 0x6, "8a2679a473b71811a8758042209996f8"}, @NFTA_TABLE_FLAGS={0x8}, @NFTA_TABLE_HANDLE={0xc, 0x4, 0x1, 0x0, 0x5}]}, @NFT_MSG_NEWTABLE={0x16c, 0x0, 0xa, 0x201, 0x0, 0x0, {0x7}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz1\x00'}, @NFTA_TABLE_USERDATA={0x60, 0x6, "2cb7a7365f3e6b5df2674a0b51428a86325e74b2438ce12a1328688974c3473ef2669e626f601de954adf3a532a0948e922b31cdf69f9f123f2e17355437cc5281fbb29e5ab88671847b27f4d5c16619fcfea74f39b81a68cae100fb"}, @NFTA_TABLE_USERDATA={0xec, 0x6, "ab03295e8889db8233ae3ab6162f41b965700f05186c667f520a1083b7e27dd355148c9527573cecab5643dbb83ba372788b4d2c3b1c81da8dd4102950b68b8945d361f6c7010474fa5704aef0229bf759c1e1d874c5a7ee1af700388c69e2ba76377eefcbd3a4638c1337b1fea217b3b2ed1fc4181e04b0102abb4c15c440833cade7a6e86500ef96439280e43bb512eb86cf9d634ce1b7c2b1e70602a0a14ab1e2e9834b7ad08232f162289eb505f16fb7a48cb40e1d8a7c0d924ba59c08b5446872ebb9929648021157ab9d9f5e0ad80f253c82c878f95b636d16ee3173810aaa502a4903cdb8"}]}, @NFT_MSG_DELCHAIN={0x24, 0x5, 0xa, 0x101, 0x0, 0x0, {0x3, 0x0, 0x1}, [@NFTA_CHAIN_FLAGS={0x8, 0xa, 0x1, 0x0, 0x2}, @NFTA_CHAIN_FLAGS={0x8, 0xa, 0x1, 0x0, 0x3}]}, @NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x101, 0x0, 0x0, {0x7, 0x0, 0x2}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz1\x00'}]}, @NFT_MSG_DELFLOWTABLE={0x1ac, 0x18, 0xa, 0x201, 0x0, 0x0, {0x1, 0x0, 0x2}, [@NFTA_FLOWTABLE_HOOK={0x2c, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x7}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}]}, @NFTA_FLOWTABLE_FLAGS={0x8, 0x7, 0x1, 0x0, 0x1}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x94, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_DEVS={0x90, 0x3, 0x0, 0x1, [{0x14, 0x1, 'nr0\x00'}, {0x14, 0x1, 'pim6reg1\x00'}, {0x14, 0x1, 'batadv_slave_0\x00'}, {0x14, 0x1, 'batadv_slave_0\x00'}, {0x14, 0x1, 'netpci0\x00'}, {0x14, 0x1, 'macvlan0\x00'}, {0x14, 0x1, 'sit0\x00'}]}]}, @NFTA_FLOWTABLE_HOOK={0xc4, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x3}, @NFTA_FLOWTABLE_HOOK_DEVS={0x54, 0x3, 0x0, 0x1, [{0x14, 0x1, 'vlan0\x00'}, {0x14, 0x1, 'vlan1\x00'}, {0x14, 0x1, 'syz_tun\x00'}, {0x14, 0x1, 'geneve0\x00'}]}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_DEVS={0x2c, 0x3, 0x0, 0x1, [{0x14, 0x1, 'vlan0\x00'}, {0x14, 0x1, 'batadv0\x00'}]}, @NFTA_FLOWTABLE_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x9}, @NFTA_FLOWTABLE_HOOK_DEVS={0x18, 0x3, 0x0, 0x1, [{0x14, 0x1, 'wg0\x00'}]}]}]}, @NFT_MSG_DELSETELEM={0x38, 0xe, 0xa, 0x301, 0x0, 0x0, {0xe}, [@NFTA_SET_ELEM_LIST_SET_ID={0x8, 0x4, 0x1, 0x0, 0x2}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_SET_ID={0x8, 0x4, 0x1, 0x0, 0x1}, @NFTA_SET_ELEM_LIST_SET_ID={0x8}]}], {0x14}}, 0x410}, 0x1, 0x0, 0x0, 0x800}, 0x40)
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000400)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x3, 0x0, 0x0, {0x7}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWSET={0x3c, 0x9, 0xa, 0x401, 0x0, 0x0, {0x7}, [@NFTA_SET_ID={0x8}, @NFTA_SET_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x21}]}, @NFT_MSG_NEWSETELEM={0x64, 0x1e, 0xa, 0x105, 0x0, 0x0, {0x7}, [@NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_ELEM_LIST_ELEMENTS={0x38, 0x3, 0x0, 0x1, [{0x30, 0x0, 0x0, 0x1, [@NFTA_SET_ELEM_KEY={0x2c, 0x1, 0x0, 0x1, [@NFTA_DATA_VALUE={0x25, 0x1, "7bb0c03ce8ed22d039cce454fd98ae614b08a9f3d4ddf1f742d55995afac076948"}]}]}, {0x4}]}]}], {0x14, 0x10, 0x1, 0x0, 0x0, {0x0, 0x84}}}, 0xe8}}, 0x0)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
socket$inet_sctp(0x2, 0x5, 0x84)
write$binfmt_script(r1, &(0x7f0000000100), 0xfecc)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$wireguard(&(0x7f0000000200), 0xffffffffffffffff)
sendmsg$WG_CMD_SET_DEVICE(r2, &(0x7f0000001040)={0x0, 0x0, &(0x7f0000001000)={&(0x7f0000000040)=ANY=[@ANYBLOB="d8010000", @ANYRES16=r3, @ANYBLOB="010000000000fbdbdf25010000000800050001000000060006004e220000140002007767320000000000000000000000000024000300a0cb879a47f5bc644c0e693fa6d031c74a1553b6e901b9ff2f518c78042fb5427c010880"], 0x1d8}}, 0x0)
executing program 0:
r0 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r0, 0x29, 0x2a, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @remote}}}, 0x108)
r1 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r1, 0x29, 0x2a, &(0x7f0000000080)={0x20, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @remote}}}, 0x108)
r2 = socket(0x80000000000000a, 0x2, 0x0)
setsockopt$inet6_group_source_req(r2, 0x29, 0x2a, &(0x7f0000000680)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @dev}}}, 0x108)
setsockopt$inet6_group_source_req(r2, 0x29, 0x2b, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}}}, 0x108)
setsockopt$inet6_group_source_req(r1, 0x29, 0x2e, &(0x7f0000000200)={0x0, {{0xa, 0x0, 0x0, @mcast1={0xff, 0x7}}}, {{0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x0, 0x0}}}}}, 0x108)
close(r0)
executing program 1:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x0, 0x12, r0, 0x0)
socketpair(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
r2 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x12, 0x4, 0x4, 0x2}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000180)={{r2, <r3=>0xffffffffffffffff}, &(0x7f0000000040), &(0x7f0000000140)=r1}, 0x20)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000001c0)={0x11, 0xc, &(0x7f0000000100)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r3}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, &(0x7f0000000180)='syzkaller\x00', 0x7, 0xff8, &(0x7f0000001e00)=""/4088}, 0x90)
executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000340)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r0, &(0x7f0000000e00)={0x0, 0x0, &(0x7f0000000dc0)={&(0x7f0000000a80)={{0x14}, [@NFT_MSG_DELSET={0x20, 0xb, 0xa, 0x101, 0x0, 0x0, {0x2}, [@NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14}}, 0x48}}, 0x0)
executing program 2:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700)
write$cgroup_int(r1, &(0x7f0000000200), 0xf000)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r0, 0x0)
r2 = socket$pppl2tp(0x18, 0x1, 0x1)
getsockopt$bt_BT_SECURITY(r2, 0x111, 0x3, 0x0, 0x20001100)
executing program 4:
r0 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0xc, &(0x7f0000000040)={0x5}, 0x10)
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)=@ipv6_getroute={0x24, 0x1a, 0x1, 0x0, 0x0, {0x2}, [@RTA_ENCAP_TYPE={0x5}]}, 0x24}}, 0x0)
executing program 2:
r0 = socket$inet(0xa, 0x801, 0x84)
connect$inet(r0, &(0x7f0000004cc0)={0x2, 0x0, @remote={0xac, 0x14, 0xffffffffffffffff}}, 0x10)
listen(r0, 0x8)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$rds(r1, &(0x7f0000001a40)={&(0x7f0000000000)={0x2, 0x0, @dev}, 0x10, &(0x7f00000015c0)=[{&(0x7f0000000200)=""/155, 0x9b}], 0x1}, 0x0)
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0xf, &(0x7f0000000180)=0x800001, 0x4)
bind$inet6(r0, &(0x7f0000000140)={0xa, 0x4e22}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @loopback}, 0x1c)
ioctl$FS_IOC_GET_ENCRYPTION_POLICY_EX(r0, 0xc0096616, &(0x7f0000000440)={0x1, [0x0]})
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000140), 0xffffffffffffffff)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
ioctl$BTRFS_IOC_QGROUP_LIMIT(0xffffffffffffffff, 0x8030942b, &(0x7f0000000000)={0x9, {0x0, 0x12, 0x80000001, 0x5, 0x700000000000000}})
sendmsg$IPCTNL_MSG_TIMEOUT_NEW(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)={0x34, 0x0, 0x8, 0x101, 0x0, 0x0, {}, [@CTA_TIMEOUT_L4PROTO={0x5, 0x3, 0xffffffffffffffff}, @CTA_TIMEOUT_NAME={0x9, 0x1, 'syz1\x00'}, @CTA_TIMEOUT_L3PROTO={0x6}, @CTA_TIMEOUT_DATA={0x4, 0x4, 0x0, 0x1, @sctp}]}, 0x34}}, 0x0)
r4 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000140), 0xffffffffffffffff)
ioctl$sock_ipv6_tunnel_SIOCDELTUNNEL(0xffffffffffffffff, 0x89f2, 0x0)
ioctl$sock_ipv6_tunnel_SIOCGET6RD(0xffffffffffffffff, 0x89f8, &(0x7f0000000300)={'syztnl2\x00', 0x0})
sendmsg$MPTCP_PM_CMD_SET_FLAGS(0xffffffffffffffff, &(0x7f0000000400)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x40000}, 0xc, &(0x7f00000003c0)={&(0x7f0000000340)={0x48, r4, 0x100, 0x70bd28, 0x25dfdbff, {}, [@MPTCP_PM_ATTR_ADDR={0x34, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_IF_IDX={0x8}, @MPTCP_PM_ADDR_ATTR_IF_IDX={0x8}, @MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e20}, @MPTCP_PM_ADDR_ATTR_PORT={0x6, 0x5, 0x4e21}, @MPTCP_PM_ADDR_ATTR_FAMILY={0x6, 0x1, 0x2}, @MPTCP_PM_ADDR_ATTR_ID={0x5, 0x2, 0x6}]}]}, 0x48}, 0x1, 0x0, 0x0, 0x1}, 0x4000800)
pipe(&(0x7f0000000d80)={<r5=>0xffffffffffffffff})
bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000300)={@map=r5, 0x2f, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x40)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000200)={'syzkaller1\x00'})
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f0000000240)={'batadv_slave_1\x00'})
sendmsg$nl_route(r5, &(0x7f0000000380)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x4000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x40000800}, 0x4)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000004c0)={'wlan0\x00'})
sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, 0x0}, 0x0)
sendmsg$NL80211_CMD_GET_MPATH(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f00000000c0), 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x2c, r2, 0x400, 0x70bd27, 0x25dfdbfb, {{}, {@void, @void}}, [@NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MPATH_NEXT_HOP={0xa, 0x1a, @broadcast}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40001}, 0x20000000)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
bind$vsock_stream(r6, &(0x7f0000000000)={0x10}, 0x10)
r7 = socket$kcm(0x10, 0x3, 0x10)
sendmsg$kcm(r7, &(0x7f0000000000)={0x0, 0xfffffffffffffed2, &(0x7f0000000080)=[{&(0x7f0000000040)="e03f03002a000b05d25a806c8c6f94f90424fc601000127a0a000600093582c137153e37080c188002ac0f000300", 0x33fe0}], 0x1}, 0x0)
executing program 4:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
write$binfmt_script(r3, &(0x7f0000000100), 0xfecc)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r3, 0x0)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x2, 0x0, 0x20001100)
executing program 1:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x0, 0x3)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x5, &(0x7f00000002c0)=ANY=[@ANYBLOB="1805000020000000000000004b64ffec850000007d000000850000000700000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f00000003c0)=@base={0x6, 0x4, 0x240, 0x7}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000007c0), &(0x7f0000000380), 0xfff, r1, 0x0, 0xa0028000}, 0x38)
socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
sendmsg$tipc(r3, &(0x7f0000000240)={0x0, 0xfffffff5, &(0x7f0000000200)=[{&(0x7f0000000140)="a2", 0xfffffdef}], 0x1, 0x0, 0x0, 0x700}, 0x0)
close(r2)
setsockopt$TIPC_GROUP_JOIN(r3, 0x10f, 0x87, &(0x7f0000000080)={0x40}, 0x10)
r4 = socket$kcm(0x10, 0x2, 0x4)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x7a05, 0x1700)
write$cgroup_subtree(r6, &(0x7f0000000080)=ANY=[], 0x32600)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r5, 0x0)
r7 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$inet_udp_int(r7, 0x11, 0xa, 0x0, &(0x7f0000000000))
ioctl$EXT4_IOC_MIGRATE(r0, 0x6609)
sendmsg$kcm(r4, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000013c0)=[{&(0x7f00000001c0)="39000000140081ae0000dc676f97daf01e2357f9ffffffffffffff0521018701546fabca1b4e8a06a6580e", 0x2b}], 0x1}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan0\x00'})
close(0xffffffffffffffff)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000480)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x24, 0x24, 0x2, [@enum, @array={0x0, 0x0, 0x0, 0x3, 0x0, {0x2, 0x5}}]}}, 0x0, 0x3e}, 0x20)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000400)='kfree\x00'}, 0x10)
setsockopt$inet_tcp_TCP_ULP(r0, 0x6, 0x1f, 0x0, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 5 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_l2cap-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$MAP_CREATE-bpf$MAP_UPDATE_BATCH-socketpair$tipc-sendmsg$tipc-close-setsockopt$TIPC_GROUP_JOIN-socket$kcm-openat$cgroup_ro-openat$cgroup_ro-write$cgroup_subtree-mmap-socket$inet_udplite-getsockopt$inet_udp_int-ioctl$EXT4_IOC_MIGRATE-sendmsg$kcm-ioctl$sock_SIOCGIFINDEX_80211-close-bpf$BPF_BTF_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-setsockopt$inet_tcp_TCP_ULP
detailed listing:
executing program 0:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x0, 0x3)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x11, 0x5, &(0x7f00000002c0)=ANY=[@ANYBLOB="1805000020000000000000004b64ffec850000007d000000850000000700000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f00000003c0)=@base={0x6, 0x4, 0x240, 0x7}, 0x48)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000007c0), &(0x7f0000000380), 0xfff, r1, 0x0, 0xa0028000}, 0x38)
socketpair$tipc(0x1e, 0x1, 0x0, &(0x7f0000000000)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
sendmsg$tipc(r3, &(0x7f0000000240)={0x0, 0xfffffff5, &(0x7f0000000200)=[{&(0x7f0000000140)="a2", 0xfffffdef}], 0x1, 0x0, 0x0, 0x700}, 0x0)
close(r2)
setsockopt$TIPC_GROUP_JOIN(r3, 0x10f, 0x87, &(0x7f0000000080)={0x40}, 0x10)
r4 = socket$kcm(0x10, 0x2, 0x4)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x7a05, 0x1700)
write$cgroup_subtree(r6, &(0x7f0000000080)=ANY=[], 0x32600)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r5, 0x0)
r7 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$inet_udp_int(r7, 0x11, 0xa, 0x0, &(0x7f0000000000))
ioctl$EXT4_IOC_MIGRATE(r0, 0x6609)
sendmsg$kcm(r4, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000013c0)=[{&(0x7f00000001c0)="39000000140081ae0000dc676f97daf01e2357f9ffffffffffffff0521018701546fabca1b4e8a06a6580e", 0x2b}], 0x1}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan0\x00'})
close(0xffffffffffffffff)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000480)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x24, 0x24, 0x2, [@enum, @array={0x0, 0x0, 0x0, 0x3, 0x0, {0x2, 0x5}}]}}, 0x0, 0x3e}, 0x20)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000400)='kfree\x00'}, 0x10)
setsockopt$inet_tcp_TCP_ULP(r0, 0x6, 0x1f, 0x0, 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-openat$cgroup_ro-write$binfmt_script-mmap-getsockopt$bt_BT_SECURITY
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
write$binfmt_script(r3, &(0x7f0000000100), 0xfecc)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r3, 0x0)
getsockopt$bt_BT_SECURITY(r0, 0x111, 0x2, 0x0, 0x20001100)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
single: successfully extracted reproducer
found reproducer with 9 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-openat$cgroup_ro-write$binfmt_script-mmap
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
write$binfmt_script(r3, &(0x7f0000000100), 0xfecc)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x12, r3, 0x0)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-openat$cgroup_ro-write$binfmt_script
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
write$binfmt_script(r3, &(0x7f0000000100), 0xfecc)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp-openat$cgroup_ro
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp
detailed listing:
executing program 0:
socket$pppl2tp(0x18, 0x1, 0x1)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, 0x0, 0x0)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
simplifying guilty program options
testing program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Write in l2tp_session_delete
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
testing program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000980)=@pppol2tpin6={0x18, 0x1, {0x0, r2, 0x1, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x32)
connect$pppl2tp(r0, &(0x7f0000000980)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @empty}, 0x1, 0x3}}, 0x26)

program crashed: KASAN: slab-use-after-free Read in l2tp_tunnel_del_work
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$pppl2tp-socket$inet_udp-connect$pppl2tp-connect$pppl2tp
program did not crash
reproducing took 39m32.732593664s
repro crashed as (corrupted=false):
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: slab-use-after-free in l2tp_tunnel_del_work+0xe5/0x330 net/l2tp/l2tp_core.c:1334
Read of size 8 at addr ffff88801ff3c0b8 by task kworker/u8:0/11

CPU: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.10.0-rc4-syzkaller-00836-gb0d3969d2b4d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: l2tp l2tp_tunnel_del_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 l2tp_tunnel_del_work+0xe5/0x330 net/l2tp/l2tp_core.c:1334
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5308:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x1f9/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2tp_session_create+0x3b/0xc20 net/l2tp/l2tp_core.c:1675
 pppol2tp_connect+0xca3/0x17a0 net/l2tp/l2tp_ppp.c:782
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 24:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4437 [inline]
 kfree+0x149/0x360 mm/slub.c:4558
 __sk_destruct+0x58/0x5f0 net/core/sock.c:2191
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 pppol2tp_release+0x24b/0x350 net/l2tp/l2tp_ppp.c:457
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbc/0x240 net/socket.c:1421
 __fput+0x406/0x8b0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801ff3c000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 184 bytes inside of
 freed 1024-byte region [ffff88801ff3c000, ffff88801ff3c400)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ff38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea00007fce01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 62, tgid 62 (kworker/u8:4), ts 170500836332, free_ts 170485857715
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e43/0x2f00 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 kmalloc_node_track_caller_noprof+0x281/0x440 mm/slub.c:4142
 kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:597
 __alloc_skb+0x1f3/0x440 net/core/skbuff.c:666
 alloc_skb include/linux/skbuff.h:1320 [inline]
 nlmsg_new include/net/netlink.h:1015 [inline]
 inet6_rt_notify+0xdf/0x290 net/ipv6/route.c:6180
 fib6_add_rt2node net/ipv6/ip6_fib.c:1266 [inline]
 fib6_add+0x1e33/0x4430 net/ipv6/ip6_fib.c:1495
 __ip6_ins_rt net/ipv6/route.c:1314 [inline]
 ip6_ins_rt+0x106/0x170 net/ipv6/route.c:1324
 __ipv6_ifa_notify+0x5d2/0x1230 net/ipv6/addrconf.c:6267
 ipv6_ifa_notify net/ipv6/addrconf.c:6306 [inline]
 addrconf_dad_completed+0x181/0xcd0 net/ipv6/addrconf.c:4319
 addrconf_dad_work+0xdc2/0x16f0
page last free pid 5306 tgid 5306 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2583
 discard_slab mm/slub.c:2527 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:2995
 put_cpu_partial+0x17c/0x250 mm/slub.c:3070
 __slab_free+0x2ea/0x3d0 mm/slub.c:4307
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4008
 ptlock_alloc mm/memory.c:6444 [inline]
 ptlock_init include/linux/mm.h:2968 [inline]
 pmd_ptlock_init include/linux/mm.h:3068 [inline]
 pagetable_pmd_ctor include/linux/mm.h:3106 [inline]
 pmd_alloc_one_noprof include/asm-generic/pgalloc.h:141 [inline]
 __pmd_alloc+0x110/0x630 mm/memory.c:5925
 pmd_alloc include/linux/mm.h:2866 [inline]
 __handle_mm_fault mm/memory.c:5483 [inline]
 handle_mm_fault+0xf4c/0x1ba0 mm/memory.c:5688
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

Memory state around the buggy address:
 ffff88801ff3bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801ff3c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801ff3c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88801ff3c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801ff3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: slab-use-after-free in l2tp_tunnel_del_work+0xe5/0x330 net/l2tp/l2tp_core.c:1334
Read of size 8 at addr ffff88801ff3c0b8 by task kworker/u8:0/11

CPU: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.10.0-rc4-syzkaller-00836-gb0d3969d2b4d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: l2tp l2tp_tunnel_del_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 l2tp_tunnel_del_work+0xe5/0x330 net/l2tp/l2tp_core.c:1334
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5308:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x1f9/0x400 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 l2tp_session_create+0x3b/0xc20 net/l2tp/l2tp_core.c:1675
 pppol2tp_connect+0xca3/0x17a0 net/l2tp/l2tp_ppp.c:782
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 24:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4437 [inline]
 kfree+0x149/0x360 mm/slub.c:4558
 __sk_destruct+0x58/0x5f0 net/core/sock.c:2191
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 pppol2tp_release+0x24b/0x350 net/l2tp/l2tp_ppp.c:457
 __sock_release net/socket.c:659 [inline]
 sock_close+0xbc/0x240 net/socket.c:1421
 __fput+0x406/0x8b0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88801ff3c000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 184 bytes inside of
 freed 1024-byte region [ffff88801ff3c000, ffff88801ff3c400)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ff38
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015041dc0 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea00007fce01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 62, tgid 62 (kworker/u8:4), ts 170500836332, free_ts 170485857715
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e43/0x2f00 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 kmalloc_node_track_caller_noprof+0x281/0x440 mm/slub.c:4142
 kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:597
 __alloc_skb+0x1f3/0x440 net/core/skbuff.c:666
 alloc_skb include/linux/skbuff.h:1320 [inline]
 nlmsg_new include/net/netlink.h:1015 [inline]
 inet6_rt_notify+0xdf/0x290 net/ipv6/route.c:6180
 fib6_add_rt2node net/ipv6/ip6_fib.c:1266 [inline]
 fib6_add+0x1e33/0x4430 net/ipv6/ip6_fib.c:1495
 __ip6_ins_rt net/ipv6/route.c:1314 [inline]
 ip6_ins_rt+0x106/0x170 net/ipv6/route.c:1324
 __ipv6_ifa_notify+0x5d2/0x1230 net/ipv6/addrconf.c:6267
 ipv6_ifa_notify net/ipv6/addrconf.c:6306 [inline]
 addrconf_dad_completed+0x181/0xcd0 net/ipv6/addrconf.c:4319
 addrconf_dad_work+0xdc2/0x16f0
page last free pid 5306 tgid 5306 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2583
 discard_slab mm/slub.c:2527 [inline]
 __put_partials+0xeb/0x130 mm/slub.c:2995
 put_cpu_partial+0x17c/0x250 mm/slub.c:3070
 __slab_free+0x2ea/0x3d0 mm/slub.c:4307
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4008
 ptlock_alloc mm/memory.c:6444 [inline]
 ptlock_init include/linux/mm.h:2968 [inline]
 pmd_ptlock_init include/linux/mm.h:3068 [inline]
 pagetable_pmd_ctor include/linux/mm.h:3106 [inline]
 pmd_alloc_one_noprof include/asm-generic/pgalloc.h:141 [inline]
 __pmd_alloc+0x110/0x630 mm/memory.c:5925
 pmd_alloc include/linux/mm.h:2866 [inline]
 __handle_mm_fault mm/memory.c:5483 [inline]
 handle_mm_fault+0xf4c/0x1ba0 mm/memory.c:5688
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

Memory state around the buggy address:
 ffff88801ff3bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801ff3c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801ff3c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88801ff3c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801ff3c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================