Extracting prog: 48.55786418s
Minimizing prog: 41m58.853451732s
Simplifying prog options: 0s
Extracting C: 38.986897619s
Simplifying C: 9m23.786783548s


extracting reproducer from 31 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$x25-ioctl$sock_ifreq-close_range-bpf$MAP_CREATE_CONST_STR-bpf$PROG_LOAD-bpf$BPF_PROG_TEST_RUN-io_submit
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
r2 = eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r3 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000))
r5 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r5, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)
r6 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r6, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
close_range(r3, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[], 0x48)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000001180)={0x6, 0x10, 0x0, &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000001bc0)={r7, 0x0, 0x136, 0x0, &(0x7f0000001cc0)="633268f83ca3000000a2029e3815bb2fa117d8326687688b2c969fd7267d546214af00d1ca2524d00f9e4d9555f3ab381b5d44fd6bda8c509e66101d296f10c805252e7c5d48d9814f46db8f07441878734b13270fe47fba418b7358984b9a61c2bbf964a520459fd0d90590b46cf1677d580a26933b6e35aee75996b73a15a25aa8ae2f1f9bc9699a505c0dc4050ab2255fc35f508ccc52f10ac12febf28652fe36f725714868675ca2a7042ab4b26904b2f000589694f69ab0b22a5aec72c5036ce1c8974690045e4ab412a70336b4c65b2dfc8121af4143c2e10a0e5632bcd44e0b000029da424d86f298656822dae2c002e289fbfa6fe0dfb2fd57713a7684dc166c628dc45027ac174c5db54f22e409eb4e94263dbc9919f90f1af3290918b9824c3e0268b300bf69cc2eb3fc58f655439bdbe2", 0x0, 0x0, 0x0, 0x47, 0x0, &(0x7f0000001ac0)="9c01bd6f9a6028c80d7364240fd78867d9d62eca43c565f2c5ac65dd4a0fadceb6c65dcb07f2421e69087e0f17b4eb709e4805f2722709c46bef17c4cb9aed9fb1c342179ea349", &(0x7f0000001a40), 0x1, 0x0, 0x13}, 0x50)
io_submit(0x0, 0x1, &(0x7f0000002900)=[&(0x7f0000000200)={0x0, 0x0, 0x0, 0x7, 0x3511, r2, 0x0, 0x0, 0x0, 0x0, 0x1, r2}])

program crashed: KASAN: use-after-free Read in ax25_release
single: successfully extracted reproducer
found reproducer with 19 syscalls
minimizing guilty program
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$x25-ioctl$sock_ifreq-close_range-bpf$MAP_CREATE_CONST_STR-bpf$PROG_LOAD-bpf$BPF_PROG_TEST_RUN
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r2 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)
r5 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r5, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
close_range(r2, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[], 0x48)
r6 = bpf$PROG_LOAD(0x5, &(0x7f0000001180)={0x6, 0x10, 0x0, &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000001bc0)={r6, 0x0, 0x136, 0x0, &(0x7f0000001cc0)="633268f83ca3000000a2029e3815bb2fa117d8326687688b2c969fd7267d546214af00d1ca2524d00f9e4d9555f3ab381b5d44fd6bda8c509e66101d296f10c805252e7c5d48d9814f46db8f07441878734b13270fe47fba418b7358984b9a61c2bbf964a520459fd0d90590b46cf1677d580a26933b6e35aee75996b73a15a25aa8ae2f1f9bc9699a505c0dc4050ab2255fc35f508ccc52f10ac12febf28652fe36f725714868675ca2a7042ab4b26904b2f000589694f69ab0b22a5aec72c5036ce1c8974690045e4ab412a70336b4c65b2dfc8121af4143c2e10a0e5632bcd44e0b000029da424d86f298656822dae2c002e289fbfa6fe0dfb2fd57713a7684dc166c628dc45027ac174c5db54f22e409eb4e94263dbc9919f90f1af3290918b9824c3e0268b300bf69cc2eb3fc58f655439bdbe2", 0x0, 0x0, 0x0, 0x47, 0x0, &(0x7f0000001ac0)="9c01bd6f9a6028c80d7364240fd78867d9d62eca43c565f2c5ac65dd4a0fadceb6c65dcb07f2421e69087e0f17b4eb709e4805f2722709c46bef17c4cb9aed9fb1c342179ea349", &(0x7f0000001a40), 0x1, 0x0, 0x13}, 0x50)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$x25-ioctl$sock_ifreq-close_range-bpf$MAP_CREATE_CONST_STR-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r2 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)
r5 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r5, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
close_range(r2, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[], 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000001180)={0x6, 0x10, 0x0, &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$x25-ioctl$sock_ifreq-close_range-bpf$MAP_CREATE_CONST_STR
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r2 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)
r5 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r5, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
close_range(r2, 0xffffffffffffffff, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[], 0x48)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$x25-ioctl$sock_ifreq-close_range
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r2 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
r4 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r4, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)
r5 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r5, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
close_range(r2, 0xffffffffffffffff, 0x0)

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$x25-ioctl$sock_ifreq
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)
r4 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r4, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})

program crashed: KASAN: use-after-free Read in ax25_release
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$x25
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)
syz_init_net_socket$x25(0x9, 0x5, 0x0)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
syz_init_net_socket$ax25(0x3, 0x2, 0xf0)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-syz_init_net_socket$bt_sco-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-socketpair$unix-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
socketpair$unix(0x1, 0x5, 0x0, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(0xffffffffffffffff, 0x8914, &(0x7f0000000000))
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r2, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-openat$sndtimer-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000000), 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-eventfd2-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
eventfd2(0x0, 0x0)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
r1 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x8, 0x29, &(0x7f0000000000)=ANY=[@ANYBLOB="180800000000000000000000000000001811", @ANYRES32=r1, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000005000000bf0900000000000055090100000000009500000000000000b7020000000000007b9af8ff00000000b6090200000000007baaf0ff00000000bf8600000000000007080000f8ffffffbfa4000000000000b43805dff0ffffffb50200000a95eb53182800002d4f9c07aef268e339e948ec3096525a43ab907ee79bd5864f4494528f68b6833406db11773c5beca17ada0a97", @ANYRES32=r0, @ANYBLOB="0000000000000000b7050000080000001500000076000000b7020000000000007b88f8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018", @ANYRES32=r0, @ANYBLOB="0000000000000000b70500000800000085000000a5000000bf9100000000000056080000000000008500000000000000b7000000000000009500000000000000"], &(0x7f0000000980)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, '\x00', 0x0, @cgroup_skb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
r3 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r3, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$MAP_CREATE_RINGBUF-bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_CONST_STR-bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, 0x0, 0x0)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB], &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, 0x0, 0x0)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, 0x0)
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, &(0x7f00000000c0)=@bpq0, 0x10)

program did not crash
testing program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000640)={0xd, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="1800000000000000000000000000000061121c0000000000"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r0, 0x8914, &(0x7f0000000000))
r1 = syz_init_net_socket$ax25(0x3, 0x2, 0xf0)
setsockopt$ax25_SO_BINDTODEVICE(r1, 0x101, 0x19, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=1m3.047278426s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
simplifying C reproducer
testing compiled C program (duration=1m3.047278426s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m3.047278426s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m3.047278426s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m3.047278426s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m3.047278426s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m3.047278426s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
testing compiled C program (duration=1m3.047278426s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-syz_init_net_socket$bt_sco-setsockopt$ax25_SO_BINDTODEVICE-ioctl$sock_netdev_private-syz_init_net_socket$ax25-setsockopt$ax25_SO_BINDTODEVICE
program crashed: KASAN: use-after-free Read in ax25_fillin_cb
reproducing took 52m50.185025049s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
BUG: KASAN: use-after-free in ax25_fillin_cb+0x460/0x660 net/ax25/af_ax25.c:495
Read of size 4 at addr ffff88801bbb3b38 by task syz-executor332/4164

CPU: 0 PID: 4164 Comm: syz-executor332 Not tainted 5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
 ax25_fillin_cb+0x460/0x660 net/ax25/af_ax25.c:495
 ax25_setsockopt+0xab7/0xe70 net/ax25/af_ax25.c:690
 __sys_setsockopt+0x57e/0x990 net/socket.c:2203
 __do_sys_setsockopt net/socket.c:2214 [inline]
 __se_sys_setsockopt net/socket.c:2211 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2211
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f8ad8615b79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff0cd72e48 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000400000000000 RCX: 00007f8ad8615b79
RDX: 0000000000000019 RSI: 0000000000000101 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000010 R09: 0000000000000006
R10: 00004000000000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
 </TASK>

Allocated by task 4162:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 ax25_dev_device_up+0x51/0x5a0 net/ax25/ax25_dev.c:55
 ax25_device_event+0x49b/0x500 net/ax25/af_ax25.c:139
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
 __dev_notify_flags+0x304/0x610
 dev_change_flags+0xe7/0x190 net/core/dev.c:8897
 dev_ifsioc+0x147/0x10c0 net/core/dev_ioctl.c:324
 dev_ioctl+0x504/0xf60 net/core/dev_ioctl.c:587
 sock_do_ioctl+0x34f/0x5a0 net/socket.c:1154
 sock_ioctl+0x47f/0x770 net/socket.c:1257
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 4163:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0xf1/0x270 mm/slub.c:4559
 ax25_dev_put include/net/ax25.h:302 [inline]
 ax25_release+0x3b3/0x840 net/ax25/af_ax25.c:1062
 __sock_release net/socket.c:649 [inline]
 sock_close+0xcd/0x230 net/socket.c:1336
 __fput+0x3fe/0x8e0 fs/file_table.c:280
 task_work_run+0x129/0x1a0 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0x6a3/0x2480 kernel/exit.c:874
 do_group_exit+0x144/0x310 kernel/exit.c:996
 __do_sys_exit_group kernel/exit.c:1007 [inline]
 __se_sys_exit_group kernel/exit.c:1005 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1005
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff88801bbb3b00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff88801bbb3b00, ffff88801bbb3bc0)
The buggy address belongs to the page:
page:ffffea00006eecc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bbb3
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888017441a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2499385460, free_ts 0
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x3b78/0x3d40 mm/page_alloc.c:4192
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5465
 alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2031
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xbb/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc_trace+0x1a0/0x290 mm/slub.c:3245
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
 kobject_uevent_env+0x681/0x8d0 lib/kobject_uevent.c:629
 kernel_add_sysfs_param+0x106/0x130 kernel/params.c:816
 param_sysfs_builtin+0x16a/0x1f0 kernel/params.c:851
 param_sysfs_init+0x66/0x70 kernel/params.c:970
 do_one_initcall+0x22b/0x7a0 init/main.c:1302
 do_initcall_level+0x157/0x210 init/main.c:1375
 do_initcalls+0x49/0x90 init/main.c:1391
 kernel_init_freeable+0x425/0x5c0 init/main.c:1615
 kernel_init+0x19/0x290 init/main.c:1506
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801bbb3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801bbb3a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88801bbb3b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88801bbb3b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88801bbb3c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
BUG: KASAN: use-after-free in ax25_fillin_cb+0x460/0x660 net/ax25/af_ax25.c:495
Read of size 4 at addr ffff88801bbb3b38 by task syz-executor332/4164

CPU: 0 PID: 4164 Comm: syz-executor332 Not tainted 5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 ax25_fillin_cb_from_dev net/ax25/af_ax25.c:468 [inline]
 ax25_fillin_cb+0x460/0x660 net/ax25/af_ax25.c:495
 ax25_setsockopt+0xab7/0xe70 net/ax25/af_ax25.c:690
 __sys_setsockopt+0x57e/0x990 net/socket.c:2203
 __do_sys_setsockopt net/socket.c:2214 [inline]
 __se_sys_setsockopt net/socket.c:2211 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2211
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f8ad8615b79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff0cd72e48 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000400000000000 RCX: 00007f8ad8615b79
RDX: 0000000000000019 RSI: 0000000000000101 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000010 R09: 0000000000000006
R10: 00004000000000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
 </TASK>

Allocated by task 4162:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 ax25_dev_device_up+0x51/0x5a0 net/ax25/ax25_dev.c:55
 ax25_device_event+0x49b/0x500 net/ax25/af_ax25.c:139
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
 __dev_notify_flags+0x304/0x610
 dev_change_flags+0xe7/0x190 net/core/dev.c:8897
 dev_ifsioc+0x147/0x10c0 net/core/dev_ioctl.c:324
 dev_ioctl+0x504/0xf60 net/core/dev_ioctl.c:587
 sock_do_ioctl+0x34f/0x5a0 net/socket.c:1154
 sock_ioctl+0x47f/0x770 net/socket.c:1257
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 4163:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0xf1/0x270 mm/slub.c:4559
 ax25_dev_put include/net/ax25.h:302 [inline]
 ax25_release+0x3b3/0x840 net/ax25/af_ax25.c:1062
 __sock_release net/socket.c:649 [inline]
 sock_close+0xcd/0x230 net/socket.c:1336
 __fput+0x3fe/0x8e0 fs/file_table.c:280
 task_work_run+0x129/0x1a0 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0x6a3/0x2480 kernel/exit.c:874
 do_group_exit+0x144/0x310 kernel/exit.c:996
 __do_sys_exit_group kernel/exit.c:1007 [inline]
 __se_sys_exit_group kernel/exit.c:1005 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1005
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff88801bbb3b00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff88801bbb3b00, ffff88801bbb3bc0)
The buggy address belongs to the page:
page:ffffea00006eecc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bbb3
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888017441a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2499385460, free_ts 0
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x3b78/0x3d40 mm/page_alloc.c:4192
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5465
 alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2031
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xbb/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc_trace+0x1a0/0x290 mm/slub.c:3245
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
 kobject_uevent_env+0x681/0x8d0 lib/kobject_uevent.c:629
 kernel_add_sysfs_param+0x106/0x130 kernel/params.c:816
 param_sysfs_builtin+0x16a/0x1f0 kernel/params.c:851
 param_sysfs_init+0x66/0x70 kernel/params.c:970
 do_one_initcall+0x22b/0x7a0 init/main.c:1302
 do_initcall_level+0x157/0x210 init/main.c:1375
 do_initcalls+0x49/0x90 init/main.c:1391
 kernel_init_freeable+0x425/0x5c0 init/main.c:1615
 kernel_init+0x19/0x290 init/main.c:1506
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801bbb3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801bbb3a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88801bbb3b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88801bbb3b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88801bbb3c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================