Extracting prog: 27.707915753s
Minimizing prog: 40m13.730378866s
Simplifying prog options: 0s
Extracting C: 57.265092467s
Simplifying C: 11m39.577779381s


extracting reproducer from 28 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat-mkdirat-mount$overlay-syz_mount_image$fuse-linkat-ptrace-ptrace-prctl$PR_SET_SECCOMP
detailed listing:
executing program 0:
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r1, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r2 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r2, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r2, &(0x7f0000005400)={0x2020}, 0xffe4)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r4=>0x0})
sendmsg$NL80211_CMD_START_AP(r2, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r3, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r4, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r2, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r3, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r4, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r5 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r5, 0x2)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r7 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r7, 0x2)
flock(r6, 0x1)
flock(r6, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52)
mount$overlay(0x0, &(0x7f0000000340)='./bus\x00', &(0x7f0000000b80), 0x18, &(0x7f0000000240)={[{@lowerdir={'lowerdir', 0x3d, './bus'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './file1'}}]})
syz_mount_image$fuse(&(0x7f00000001c0), &(0x7f0000000180)='./bus\x00', 0x322020, &(0x7f0000000380)=ANY=[], 0x1, 0x0, 0x0)
linkat(0xffffffffffffff9c, &(0x7f00000003c0)='./cgroup\x00', 0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x1000)
ptrace(0x10, r0) (async)
ptrace(0x10, r0)
prctl$PR_SET_SECCOMP(0x16, 0x1, 0x0)

program crashed: KASAN: use-after-free Read in fast_dput
single: successfully extracted reproducer
found reproducer with 40 syscalls
minimizing guilty program
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat-mkdirat-mount$overlay-syz_mount_image$fuse-linkat-ptrace-ptrace
detailed listing:
executing program 0:
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r1, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r2 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r2, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r2, &(0x7f0000005400)={0x2020}, 0xffe4)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r4=>0x0})
sendmsg$NL80211_CMD_START_AP(r2, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r3, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r4, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r2, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r3, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r4, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r5 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r5, 0x2)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r7 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r7, 0x2)
flock(r6, 0x1)
flock(r6, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52)
mount$overlay(0x0, &(0x7f0000000340)='./bus\x00', &(0x7f0000000b80), 0x18, &(0x7f0000000240)={[{@lowerdir={'lowerdir', 0x3d, './bus'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './file1'}}]})
syz_mount_image$fuse(&(0x7f00000001c0), &(0x7f0000000180)='./bus\x00', 0x322020, &(0x7f0000000380)=ANY=[], 0x1, 0x0, 0x0)
linkat(0xffffffffffffff9c, &(0x7f00000003c0)='./cgroup\x00', 0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x1000)
ptrace(0x10, r0) (async)
ptrace(0x10, r0)

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat-mkdirat-mount$overlay-syz_mount_image$fuse-linkat-ptrace
detailed listing:
executing program 0:
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r1, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r2 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r2, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r2, &(0x7f0000005400)={0x2020}, 0xffe4)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r4=>0x0})
sendmsg$NL80211_CMD_START_AP(r2, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r3, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r4, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r2, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r3, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r4, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r5 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r5, 0x2)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r7 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r7, 0x2)
flock(r6, 0x1)
flock(r6, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52)
mount$overlay(0x0, &(0x7f0000000340)='./bus\x00', &(0x7f0000000b80), 0x18, &(0x7f0000000240)={[{@lowerdir={'lowerdir', 0x3d, './bus'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './file1'}}]})
syz_mount_image$fuse(&(0x7f00000001c0), &(0x7f0000000180)='./bus\x00', 0x322020, &(0x7f0000000380)=ANY=[], 0x1, 0x0, 0x0)
linkat(0xffffffffffffff9c, &(0x7f00000003c0)='./cgroup\x00', 0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x1000)
ptrace(0x10, r0) (async)

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat-mkdirat-mount$overlay-syz_mount_image$fuse-linkat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52)
mount$overlay(0x0, &(0x7f0000000340)='./bus\x00', &(0x7f0000000b80), 0x18, &(0x7f0000000240)={[{@lowerdir={'lowerdir', 0x3d, './bus'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './file1'}}]})
syz_mount_image$fuse(&(0x7f00000001c0), &(0x7f0000000180)='./bus\x00', 0x322020, &(0x7f0000000380)=ANY=[], 0x1, 0x0, 0x0)
linkat(0xffffffffffffff9c, &(0x7f00000003c0)='./cgroup\x00', 0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x1000)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat-mkdirat-mount$overlay-syz_mount_image$fuse
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52)
mount$overlay(0x0, &(0x7f0000000340)='./bus\x00', &(0x7f0000000b80), 0x18, &(0x7f0000000240)={[{@lowerdir={'lowerdir', 0x3d, './bus'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './file1'}}]})
syz_mount_image$fuse(&(0x7f00000001c0), &(0x7f0000000180)='./bus\x00', 0x322020, &(0x7f0000000380)=ANY=[], 0x1, 0x0, 0x0)

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat-mkdirat-mount$overlay
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52)
mount$overlay(0x0, &(0x7f0000000340)='./bus\x00', &(0x7f0000000b80), 0x18, &(0x7f0000000240)={[{@lowerdir={'lowerdir', 0x3d, './bus'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './file1'}}]})

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat-mkdirat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52)

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay-mkdirat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x52) (async)

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay-mount$overlay
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]})

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse-mount$overlay
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000100)='./bus\x00', &(0x7f0000000440), 0x8, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@nfs_export_on}]}) (async)

program crashed: KASAN: use-after-free Read in fast_dput
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat-syz_mount_image$fuse
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat-mkdirat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock-mkdirat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock-flock
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)
flock(r5, 0x1)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock-flock
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r6 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r6, 0x2)
flock(r5, 0x1)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat-flock
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
r5 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)
flock(r5, 0x2)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat-openat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat-openat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x0) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock-openat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)
openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0\x00', 0x0, 0x8)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat-flock
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)
flock(r4, 0x2)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP-openat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)
openat(0xffffffffffffff9c, &(0x7f0000000240)='./file0\x00', 0x40042, 0x1)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP-sendmsg$NL80211_CMD_START_AP
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_START_AP
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_START_AP(r1, &(0x7f00000016c0)={&(0x7f0000001400)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000001680)={&(0x7f0000001700)=ANY=[@ANYBLOB="88010000", @ANYRES16=r2, @ANYBLOB="010028bd7000fddbdf250f00000008000300", @ANYRES32=r3, @ANYBLOB="0c00990006000000130000000800a500000000004000a6800a00060008021100000100000a000600ffffffffffff00000a00060008021100000000000a00060008021100000100000a00060008021100000100000800a500010000000800a500000000000800a500010000000800a500010000000800a500010000003400a6800a00060008021100000000000a000600ffffffffffff00000a00060008021100000000000a000600ffffffffffff00005800a6800a00060008021100000100000a000600ffffffff68b5000000000000ffffffffffff00000a00060008021100000000000a00060008021100000100000a000600ffffffffffff00000a000600ffffffffffff00000400050108003500040000000400460008005a80040003800500a300010000000a00340001010101010100000400160130001b80050001000200000004000200040003000400030004000300040002000400020004000200050001001c00000004001601"], 0x188}, 0x1, 0x0, 0x0, 0x4800}, 0x80) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000001480)={'wlan1\x00'})

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE-syz_genetlink_get_family_id$nl80211
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)
syz_genetlink_get_family_id$nl80211(&(0x7f0000001440), 0xffffffffffffffff)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE-read$FUSE
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs-read$FUSE
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
r1 = syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')
read$FUSE(r1, &(0x7f0000005400)={0x2020}, 0xffe4) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque-syz_open_procfs
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)
syz_open_procfs(0x0, &(0x7f00000022c0)='net/ipv6_route\x00')

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6-setxattr$trusted_overlay_opaque
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)
setxattr$trusted_overlay_opaque(&(0x7f0000001340)='./bus\x00', &(0x7f0000000140), &(0x7f00000013c0), 0x2, 0x1)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir-sendto$inet6
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')
sendto$inet6(r0, 0x0, 0x0, 0x44890, &(0x7f0000000000)={0xa, 0x4e24, 0xe, @mcast2={0xff, 0x5}, 0xfffffff9}, 0x1c)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir-rmdir
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)
rmdir(&(0x7f0000000240)='./bus\x00')

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr-rmdir
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)
rmdir(&(0x7f0000000240)='./bus\x00') (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr-setxattr
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir-setxattr
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')
setxattr(&(0x7f0000000040)='./bus\x00', &(0x7f00000000c0)=@known='security.selinux\x00', &(0x7f0000000100)='..\x00', 0x3, 0x1) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs-chdir
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)
chdir(&(0x7f00000001c0)='./bus\x00')

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs-mount$incfs
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat-mount$incfs
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mkdirat
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)

program did not crash
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-socket$inet6_udp-mount$incfs
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)

program did not crash
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_clone-mkdirat-mount$incfs
detailed listing:
executing program 0:
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0) (async)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program did not crash
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(0x0, &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program did not crash
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', 0x0, &(0x7f0000000840), 0x1004002, 0x0)

program did not crash
testing program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', 0x0, 0x1004002, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=36.666186093s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
simplifying C reproducer
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program did not crash
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program did not crash
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program did not crash
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing compiled C program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
testing program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
validation run: crashed=true
testing program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
validation run: crashed=true
testing program (duration=36.666186093s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mkdirat-mount$incfs
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./bus\x00', 0x1c0)
mount$incfs(&(0x7f00000007c0)='.\x00', &(0x7f0000000800)='./bus\x00', &(0x7f0000000840), 0x1004002, 0x0)

program crashed: KASAN: null-ptr-deref Write in vfs_rmdir
validation run: crashed=true
reproducing took 55m36.134225076s
repro crashed as (corrupted=false):
RBP: 00007ffed8ced0d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffed8cee160
R13: 00007fa5874c8d7d R14: 0000000000007de0 R15: 00007ffed8cee1a0
---[ end trace 2de2d5f05bfb4cff ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 fs/inode.c:423
Write of size 4 at addr 0000000000000170 by task syz-executor/363

CPU: 0 PID: 363 Comm: syz-executor Tainted: G        W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:439 [inline]
 kasan_report+0xd8/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
 ihold+0x20/0x60 fs/inode.c:423
 d_delete_notify include/linux/fsnotify.h:264 [inline]
 vfs_rmdir+0x247/0x3e0 fs/namei.c:3873
 incfs_kill_sb+0xfe/0x210 fs/incfs/vfs.c:1973
 deactivate_locked_super+0xa0/0x100 fs/super.c:335
 deactivate_super+0xaf/0xe0 fs/super.c:366
 cleanup_mnt+0x446/0x500 fs/namespace.c:1123
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1130
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fa587445a77
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffed8ced018 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fa587445a77
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffed8ced0d0
RBP: 00007ffed8ced0d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffed8cee160
R13: 00007fa5874c8d7d R14: 0000000000007de0 R15: 00007ffed8cee1a0
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000170
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 10fd06067 P4D 10fd06067 PUD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 363 Comm: syz-executor Tainted: G    B   W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x26/0x60 fs/inode.c:423
Code: 00 00 00 00 55 48 89 e5 41 56 53 48 89 fb e8 a1 26 b8 ff 48 8d bb 70 01 00 00 be 04 00 00 00 e8 30 17 f2 ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 70 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 21
RSP: 0018:ffffc90000e07d10 EFLAGS: 00010246
RAX: ffff88810c510000 RBX: 0000000000000000 RCX: 0000000000000286
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: ffffc90000e07d20 R08: 0000000000000004 R09: 0000000000000003
R10: fffffbfff0d8f048 R11: 1ffffffff0d8f048 R12: 1ffff11021a73fc0
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555561d4b500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000010f794000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 d_delete_notify include/linux/fsnotify.h:264 [inline]
 vfs_rmdir+0x247/0x3e0 fs/namei.c:3873
 incfs_kill_sb+0xfe/0x210 fs/incfs/vfs.c:1973
 deactivate_locked_super+0xa0/0x100 fs/super.c:335
 deactivate_super+0xaf/0xe0 fs/super.c:366
 cleanup_mnt+0x446/0x500 fs/namespace.c:1123
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1130
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fa587445a77
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffed8ced018 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fa587445a77
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffed8ced0d0
RBP: 00007ffed8ced0d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffed8cee160
R13: 00007fa5874c8d7d R14: 0000000000007de0 R15: 00007ffed8cee1a0
Modules linked in:
CR2: 0000000000000170
---[ end trace 2de2d5f05bfb4d00 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x26/0x60 fs/inode.c:423
Code: 00 00 00 00 55 48 89 e5 41 56 53 48 89 fb e8 a1 26 b8 ff 48 8d bb 70 01 00 00 be 04 00 00 00 e8 30 17 f2 ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 70 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 21
RSP: 0018:ffffc90000e07d10 EFLAGS: 00010246
RAX: ffff88810c510000 RBX: 0000000000000000 RCX: 0000000000000286
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: ffffc90000e07d20 R08: 0000000000000004 R09: 0000000000000003
R10: fffffbfff0d8f048 R11: 1ffffffff0d8f048 R12: 1ffff11021a73fc0
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555561d4b500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000010f794000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	55                   	push   %rbp
   5:	48 89 e5             	mov    %rsp,%rbp
   8:	41 56                	push   %r14
   a:	53                   	push   %rbx
   b:	48 89 fb             	mov    %rdi,%rbx
   e:	e8 a1 26 b8 ff       	call   0xffb826b4
  13:	48 8d bb 70 01 00 00 	lea    0x170(%rbx),%rdi
  1a:	be 04 00 00 00       	mov    $0x4,%esi
  1f:	e8 30 17 f2 ff       	call   0xfff21754
  24:	41 be 01 00 00 00    	mov    $0x1,%r14d
* 2a:	f0 44 0f c1 b3 70 01 	lock xadd %r14d,0x170(%rbx) <-- trapping instruction
  31:	00 00
  33:	41 ff c6             	inc    %r14d
  36:	bf 02 00 00 00       	mov    $0x2,%edi
  3b:	44 89 f6             	mov    %r14d,%esi
  3e:	e8                   	.byte 0xe8
  3f:	21                   	.byte 0x21

final repro crashed as (corrupted=false):
RBP: 00007ffed8ced0d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffed8cee160
R13: 00007fa5874c8d7d R14: 0000000000007de0 R15: 00007ffed8cee1a0
---[ end trace 2de2d5f05bfb4cff ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 fs/inode.c:423
Write of size 4 at addr 0000000000000170 by task syz-executor/363

CPU: 0 PID: 363 Comm: syz-executor Tainted: G        W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:439 [inline]
 kasan_report+0xd8/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
 ihold+0x20/0x60 fs/inode.c:423
 d_delete_notify include/linux/fsnotify.h:264 [inline]
 vfs_rmdir+0x247/0x3e0 fs/namei.c:3873
 incfs_kill_sb+0xfe/0x210 fs/incfs/vfs.c:1973
 deactivate_locked_super+0xa0/0x100 fs/super.c:335
 deactivate_super+0xaf/0xe0 fs/super.c:366
 cleanup_mnt+0x446/0x500 fs/namespace.c:1123
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1130
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fa587445a77
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffed8ced018 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fa587445a77
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffed8ced0d0
RBP: 00007ffed8ced0d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffed8cee160
R13: 00007fa5874c8d7d R14: 0000000000007de0 R15: 00007ffed8cee1a0
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000170
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 10fd06067 P4D 10fd06067 PUD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 363 Comm: syz-executor Tainted: G    B   W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x26/0x60 fs/inode.c:423
Code: 00 00 00 00 55 48 89 e5 41 56 53 48 89 fb e8 a1 26 b8 ff 48 8d bb 70 01 00 00 be 04 00 00 00 e8 30 17 f2 ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 70 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 21
RSP: 0018:ffffc90000e07d10 EFLAGS: 00010246
RAX: ffff88810c510000 RBX: 0000000000000000 RCX: 0000000000000286
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: ffffc90000e07d20 R08: 0000000000000004 R09: 0000000000000003
R10: fffffbfff0d8f048 R11: 1ffffffff0d8f048 R12: 1ffff11021a73fc0
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555561d4b500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000010f794000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 d_delete_notify include/linux/fsnotify.h:264 [inline]
 vfs_rmdir+0x247/0x3e0 fs/namei.c:3873
 incfs_kill_sb+0xfe/0x210 fs/incfs/vfs.c:1973
 deactivate_locked_super+0xa0/0x100 fs/super.c:335
 deactivate_super+0xaf/0xe0 fs/super.c:366
 cleanup_mnt+0x446/0x500 fs/namespace.c:1123
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1130
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fa587445a77
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffed8ced018 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fa587445a77
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffed8ced0d0
RBP: 00007ffed8ced0d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffed8cee160
R13: 00007fa5874c8d7d R14: 0000000000007de0 R15: 00007ffed8cee1a0
Modules linked in:
CR2: 0000000000000170
---[ end trace 2de2d5f05bfb4d00 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x26/0x60 fs/inode.c:423
Code: 00 00 00 00 55 48 89 e5 41 56 53 48 89 fb e8 a1 26 b8 ff 48 8d bb 70 01 00 00 be 04 00 00 00 e8 30 17 f2 ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 70 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 21
RSP: 0018:ffffc90000e07d10 EFLAGS: 00010246
RAX: ffff88810c510000 RBX: 0000000000000000 RCX: 0000000000000286
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: ffffc90000e07d20 R08: 0000000000000004 R09: 0000000000000003
R10: fffffbfff0d8f048 R11: 1ffffffff0d8f048 R12: 1ffff11021a73fc0
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555561d4b500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000010f794000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	55                   	push   %rbp
   5:	48 89 e5             	mov    %rsp,%rbp
   8:	41 56                	push   %r14
   a:	53                   	push   %rbx
   b:	48 89 fb             	mov    %rdi,%rbx
   e:	e8 a1 26 b8 ff       	call   0xffb826b4
  13:	48 8d bb 70 01 00 00 	lea    0x170(%rbx),%rdi
  1a:	be 04 00 00 00       	mov    $0x4,%esi
  1f:	e8 30 17 f2 ff       	call   0xfff21754
  24:	41 be 01 00 00 00    	mov    $0x1,%r14d
* 2a:	f0 44 0f c1 b3 70 01 	lock xadd %r14d,0x170(%rbx) <-- trapping instruction
  31:	00 00
  33:	41 ff c6             	inc    %r14d
  36:	bf 02 00 00 00       	mov    $0x2,%edi
  3b:	44 89 f6             	mov    %r14d,%esi
  3e:	e8                   	.byte 0xe8
  3f:	21                   	.byte 0x21