Extracting prog: 6m0.48850288s
Minimizing prog: 1h35m1.859256719s
Simplifying prog options: 0s
Extracting C: 57.462495378s
Simplifying C: 26m13.077327593s


18 programs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 18 programs
single: executing 3 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS-socket-ioctl$IMGETDEVINFO-socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
r11 = socket(0x22, 0x2, 0x1)
ioctl$IMGETDEVINFO(r11, 0x80044944, 0x0)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r12, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r14=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r12, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r13, @ANYBLOB="0100004100200069676f69dd81d26f6426a13eb839028944f002744aa4a6f24ccaf6c43ba3b53fdaa009fa9b3445a2be747b4506bc59e56579944d5847628ac8c3fc98ff71ffd088865bdd5a0db1d3ac95c6514411", @ANYRES32=r14, @ANYBLOB="0800050008000000"], 0x24}}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$netlink-sendmsg$NL80211_CMD_NEW_KEY-ioctl$sock_SIOCBRDELBR-socket$inet6_sctp-syz_emit_ethernet-socket$inet_smc-setsockopt$IP_VS_SO_SET_ADD-syz_emit_ethernet
detailed listing:
executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$NL80211_CMD_NEW_KEY(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)={0x1c, 0x0, 0x0, 0x0, 0x0, {{}, {@val={0x8}, @void}}}, 0x1c}}, 0x0)
ioctl$sock_SIOCBRDELBR(r0, 0x89a2, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_emit_ethernet(0x4a, &(0x7f0000000040)={@local, @dev, @void, {@ipv6={0x86dd, @tcp={0x0, 0x6, "4dd708", 0x14, 0x6, 0x0, @dev, @local, {[], {{0x0, 0x0, 0x41424344, 0x41424344, 0x0, 0x0, 0x5}}}}}}}, 0x0)
r1 = socket$inet_smc(0x2b, 0x1, 0x0)
setsockopt$IP_VS_SO_SET_ADD(r1, 0x0, 0x482, &(0x7f0000000000)={0x6, @local, 0x0, 0x0, 'lblc\x00'}, 0x2c)
syz_emit_ethernet(0x2e, &(0x7f00000000c0)={@local, @dev, @void, {@ipv4={0x800, @generic={{0x5, 0x4, 0x0, 0x0, 0x20, 0x0, 0x0, 0x0, 0x84, 0x0, @remote, @remote}, "f2dfbc81cfe0ca1b360883ff"}}}}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$nl_route-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$nl_route-socket$phonet-socket$nl_generic-syz_genetlink_get_family_id$mptcp-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-sendmsg$WG_CMD_SET_DEVICE-sendmsg$MPTCP_PM_CMD_DEL_ADDR-socket-getsockopt$inet_sctp_SCTP_RESET_STREAMS-sendmsg$nl_generic-bpf$PROG_LOAD-socket$igmp-socket$nl_route-socket$nl_route-ioctl$ifreq_SIOCGIFINDEX_batadv_mesh-sendmsg$nl_route-syz_emit_ethernet-setsockopt$MRT_FLUSH-getsockopt$MRT-ioctl$SIOCPNGETOBJECT-socket$igmp-sendmmsg$inet-sendto$phonet
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000400)='kfree\x00', r0}, 0x10)
r1 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000040)={'vxcan0\x00'})
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$phonet(0x23, 0x2, 0x1)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000100), 0xffffffffffffffff)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000080)=@framed, &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000440)={&(0x7f0000000400)='sched_switch\x00', r4}, 0x10)
sendmsg$WG_CMD_SET_DEVICE(0xffffffffffffffff, 0x0, 0x0)
sendmsg$MPTCP_PM_CMD_DEL_ADDR(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000140)=ANY=[@ANYBLOB="010026bd7000fcdbdf25020000001c"], 0x30}}, 0x0)
r5 = socket(0x11, 0x3, 0x0)
getsockopt$inet_sctp_SCTP_RESET_STREAMS(r5, 0x84, 0x77, 0x0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000000)={0x14, 0x31, 0x105, 0x0, 0x0, {0x1a}}, 0x14}}, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x1d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r6 = socket$igmp(0x2, 0x3, 0x2)
r7 = socket$nl_route(0x10, 0x3, 0x0)
r8 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r8, 0x8933, &(0x7f0000000080)={'batadv0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000440)={&(0x7f00000003c0)=@ipv6_deladdr={0x2c, 0x15, 0x1, 0x0, 0x0, {0xa, 0x78, 0x0, 0x0, r9}, [@IFA_LOCAL={0x14, 0x2, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}]}, 0x2c}}, 0x0)
syz_emit_ethernet(0x4e, &(0x7f0000000540)=ANY=[@ANYBLOB="85a2e9966700bbbbbbbbbbbb86dd60001f0000180200fe80000000b0dd35523b3f537e0000bbfe8000000000000000000000000000aa88009078fa0000000000000000000000000000000000000096aae1e31d27fddf9775414de4f10b395eb38831d273832e5d2f57830fa30189302fad748ea864517da222902ae5133c38973bfe74c7434c146a66587c2c2c45c59a19b84a8f4adb145761a2c670676c54ccd98e0b4d09e69defac8392c372e3b4c51edac8352e54f21a85327a17b147c8e7ee31193ac69002844f5954a40c9d43aad5b5ce7cfe4afee65ab648100c429b9ad524ea24edc7e7e73f28cfb51aad2b2f8cee87aac869e056fb45fe35fcd87ec89c504f83cbde010a602203f59829c93bc14bd7d3b46b3b0edeff1425940e875038384f7f60009b8d94814ea53ff2ce56e6b6b3ff7d73d22af18f4d0c0b5748965c6dfcf3aa"], 0x0)
setsockopt$MRT_FLUSH(r6, 0x0, 0xd1, &(0x7f0000000480)=0x2, 0x4)
getsockopt$MRT(r6, 0x0, 0xce, 0x0, 0x0)
ioctl$SIOCPNGETOBJECT(r2, 0x89e0, &(0x7f0000000080)=0x36)
r10 = socket$igmp(0x2, 0x3, 0x2)
sendmmsg$inet(r10, &(0x7f0000003a40)=[{{&(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10, 0x0}}, {{&(0x7f0000000000)={0x2, 0x0, @multicast2}, 0x10, 0x0, 0x0, 0x0, 0x20}}], 0x2, 0x0)
sendto$phonet(r2, 0x0, 0x400300, 0x0, &(0x7f0000000140), 0x10)

program did not crash
single: failed to extract reproducer
bisect: bisecting 18 programs with base timeout 15s
testing program (duration=19s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [29, 23, 8, 5, 17, 4, 27, 11, 28, 2, 8, 6, 4, 15, 2, 28, 8, 28]
detailed listing:
executing program 1:
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x4)
getsockopt$sock_buf(r1, 0x1, 0x3b, &(0x7f0000000000)=""/4096, &(0x7f0000001000)=0x1000)
connect$inet(r0, &(0x7f0000003580)={0x2, 0x0, @dev}, 0x10)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r2, 0x8933, &(0x7f0000000040)={'batadv0\x00', <r3=>0x0})
sendmsg$nl_route(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000240)=ANY=[@ANYBLOB="540000001300230000d71a4abb0da55d1d000000", @ANYRES32=r3, @ANYBLOB="0000000000000000300016802c0001802800010000000000aaaaaaaaaa00000000000000000000000000000000000000000000000000000004001400"], 0x54}}, 0x0)
bind$inet(r0, &(0x7f0000000040)={0x2, 0x4e21, @empty}, 0x10)
setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000100), 0x4)
connect$inet(r0, &(0x7f0000000140)={0x2, 0x4e21, @empty}, 0x10)
sendmmsg$inet(r0, &(0x7f0000003140)=[{{0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000880)="2085fbf258e8629e7804dcaa83e163cab84944ac7ab76749842a16036ce0e0878be2315141c29a9d4fee13e7f8a642b0ac26de5d54b5abd30ef81ebb43efae8cb5684e7a2123c1186e9cecc4aaaa7c22b617ed8d0e69de96fdac7f625b7b562a01f4e452034e54ed8b0db9d7103979ceba9ed608c6da425e086f2f7908fca1439685e2e182a3e67d5a30b905c1f424ad2de4ce15172d537ed80bc687b5d31948127730b60688aeed2d50ecf942708671a24f052c6b052177f7dce95b32bf4875773eeda5d405c99524", 0xc9}], 0x1, &(0x7f0000000980)=ANY=[], 0x1e8}}, {{0x0, 0x0, &(0x7f0000002e40)=[{&(0x7f0000000bc0)="91a71d4633c75a36c60c39d58d2d06d654ca0d5e21efc0981d35124cd4a9036e715b7913c6588a8123b700db3eb7b32e3ffdcd86e24f2c1e92dad72078f37159a35b69a178e2ca8f21ecbc7157ad72d014eb0e2d18b28d64182835fde723cb2c18bb4072fbd5ec0fefaa6eed321197dcc475da8a93129938c999eea854b1a86b95da23cb7b6ac906bf052f4c18f132303c78ba036436c7a6526863b80cfd5d0b118d4e338070d6ec8624c14d9ad9f076f8deadb0a4312c4015c816ac38c585d3dafcc4b7", 0xc4}, {&(0x7f0000000cc0)="bbaff3a703cb1a169755fd1fd36f397e77e94a34c57bd25d4abef85a9fd821c7d1373a91f9b0ac5c993279c30a5fe450b3a3c48bf3e274cfae9d2b014a498ed426925388f1f05849b1dc075a83f954eb084395537de12a19aa58ec81b7aba5df450b0033be17109daee3e546ea427da08df445c6df3f8007c2e8d77f7a9ee7f67c25cb44ba732456c6f911836a74f9d4bc80e403b8c126798ef045bd12f46e5f3c05c2addad4ea8f052d34a5afa1493a5c9b53aa37fb8c4bca1425dc69e72ea7bd2cbe0b4594bdd791bc76e407e27673cf146cc762ed74ff0ed8716598ff732475af272133c04f25e4c777ebe0526cd9c168d6085ec6dfbc15730bac80cdcfcf50e42712f9e42c9369655041625991c7b8bca387135cd584b97fdc7f400e6e80f8b9df80468577ab55d17a06aae27576d1c18cf74b902110ec0b3533925fffb3ef6b14fadb7e867701d98fd2a84b6614ebac80c1b41c077149d98c7bba690ed08a0d79658fa540ca53a2c70f451ccf3909434c9ccf40eb136b9bb760a18beb3ce531abfe5aa18445fab91ec832e2bcae92f0d932936cdae8e86d1757b731cf309ac9baba90e5c7fdcd59fda4df01b5077d71170e8183d7590161a7476b082bca5d149c2ee9efaebb8ac8e1acbeb8134c399803df833806167aed25175ce9ac0695bcd0de1e10604413fae69f7e4b8cd73c9ee52409578b7c3e9f07eae6b63f7bc96cd6c33a705dbb808a4e964092670798e9d2cf66aa8c982943881cbccc229786beecefa0048f06c0323ae0e477d614d3601d988d44e282bce31fae871bb962fdf683da9124819808cbb9e5d8c38c3fc8b782c132a0045a51fe9e47999eb621c3df54838dcf329fc747f95feaf3e886bad5413fe162038b894bfc67e767e4a17144d4454d7b9d8446e55ec1c086db9fdfa9bd9fe1cf7132e225ba6912c0b6e241e579cb23ebb68cc5efc89a510c1dd8732f1c379cbaff7155b9dab54f84e1fb137da5d5269220863ce6a7918ae8a9b8bfa3da7b6e69f671a361485c4aa6af907205ddbe52a88fcc0f8b71908c55bd69867ac0899f4589ef3459b7f894edabc9ddfe4bbff9f4e690aa7244b78b30f09b171d160ebec7bb28d0a667b77e6e3a253457f4176423811e549f288ffe3240f2acf3854fdd14049ede3298d3e0579b4bc4fa815158dc69c64a34ce0000f3f57acbd3fee2a070e0960b147839b3a792dd23f0c97ba55e346dbfa13f01a02a656fde676768e06253ec1ea3c63a6e5874e040995587c5590d595c0352a7495ddeb563fe3b1fd66e8b8a907b18f121bf39cb0bf4a3981d6746720c72f763b579d5a28fc2a62de72a5d0066516a820460dca8e5ed95acdddc8552141cc920d21fbdea3e601a741611a68c21f447481c76248eea6ba2351df2aff12ac22a7a3e075541804c3870", 0x3f4}], 0x2}}], 0x2, 0x0)
recvfrom$inet(r0, &(0x7f0000000980)=""/231, 0xe7, 0x0, 0x0, 0x0)
r4 = socket$inet_dccp(0x2, 0x6, 0x0)
r5 = socket$packet(0x11, 0x2, 0x300)
setsockopt$packet_add_memb(r5, 0x107, 0x1, &(0x7f00000000c0)={0x0, 0x1, 0x6, @multicast}, 0x10)
setsockopt$packet_add_memb(r5, 0x107, 0x1, &(0x7f00000001c0)={0x0, 0x1, 0x4d, @random="82dfa24cd463"}, 0x10)
setsockopt$packet_drop_memb(r5, 0x107, 0x2, &(0x7f0000000180)={0x0, 0x1, 0x6, @multicast}, 0x10)
bind$inet(r4, &(0x7f0000000280)={0x2, 0xfffc, @local}, 0x10)
connect$inet(r4, &(0x7f0000000040)={0x2, 0x0, @local}, 0x10)
connect$inet(r4, &(0x7f0000000000)={0x2, 0x0, @multicast1}, 0x10)
recvfrom$inet(r4, 0x0, 0x0, 0x0, 0x0, 0x0)
shutdown(r4, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$tipc2(&(0x7f00000000c0), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r6, 0x8933, &(0x7f0000001140)={'wlan1\x00', <r8=>0x0})
sendmsg$NL80211_CMD_PEER_MEASUREMENT_START(r6, &(0x7f00000011c0)={&(0x7f00000010c0)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000001180)={&(0x7f00000035c0)=ANY=[@ANYBLOB="dc280000", @ANYRES16=r7, @ANYBLOB="2000280070000100dffde21d7f9db38dc9020d6f57c1796d468276b5561c6894c2dd02332d0da1efd286f2fb6572d754e27868f045acb326ed0e69f836e4dbc8609f75e394a65eaa062039132518a0bc979c900ec32bbe34201d03c496a08c3cceb68f58db378d488ce06163e4d31d0b4eed7188c21996e962a758f1e13444f9926d6ea0d582f94aa9035e7ee17cafca8967e1a866d1e98c2147c53409c2c7f8f1db7cfcdcc2ff7392fa746b2c4231f5bdaec9e92f7a702c275107b4b9e0b683759325f3fdd325042bdaaf13c2a9fc12a8b2c626db5abb61027803788c302c04c9bba3c4a45c22efc838f7ab", @ANYRES32=r8, @ANYBLOB="0c009900000001005c00000068080580e40000802c00028008009f000500000008009f0000000000080026006c0900000800a100000800000800a10006000000b4000380640001802000018004000b0004000c000400080004000b000400080008000200000000004000018004000a0004000b00050007000000000004000100080002000200000004000a0005000700000000000800020000000000050007000500000004000a004c000180140001800400090008000200030000000400080028000180040009000500050008000000050007000100000004000800080002000200000004000b000c00018004000c0004000900440500804c0002800800a10001010000050019010b000000050018012000000008009f000400000008009f00060000000800a10006000000050018010a00000008009f0000000000080026006c0900000c00028008002600f31600007c020380380001803400018006000400010000000500050001000000050003000000000006000400200000000500070000000000050005000a0000008c0001803c0001800500050009000000040008000600040002000000040008000400080004000100050007003f000000050007000200000005000300060000001c000180050003000000000005000700ff000000050006001400000014000180050003000300000005000700040000001c0001800500030009000000050006000d0000000500050003000000600001802c00018006000400020000000600040006000000060004000300000004000c0004000c0005000500080000003000018004000c000600040001ff00000400010004000b000500050004000000050006000100000005000700d60000003c00018038000180080002000100000004000c00050003000000000004000c000500030002000000050003000400000004000900050003000400000004000200880001800c000180050007000800000014000180040008000400010004000900040009002c0001800400080004000c0006000400030000000800020003000000040009000500070003000000040008003800018004000900040008000500060009000000050003000400000004000a0004000a0004000a00060004000500000006000400ff7f0000040002008400018018000180050006001c0000000600040001000000040008003400018004000100050005000c00000004000100060004007f00000004000c0004000800050007007f00000004000900040008003400018004000b0005000300000000000600040007000000050006001f00000004000900050003000b000000050006001d0000000400020028020380040002008c00018010000180050007000000000004000100440001800500060004000000050005000800000005000700020000000400090004000b00060004004f00000004000b0004000800050003000800000005000700090000002800018004000b000500060012000000040009000800020003000000040008000500060018000000040001800800018004000a00040002000c0101802c00018004000a00050006000a0000000400080004000900050007000800000004000c0005000700000000000c000180050003000f00000014000180050003000700000006000400070000002800018004000900050006000d000000050005000a000000050006001100000005000600080000000c0001800600040004000000340001800400090004000100040008000500070003000000080002000200000004000b00050007000900000006000400800000001c00018005000300070000000500060003000000050003000b0000003800018004000b0004000a0004000900060004000900000004000a00050003000500000004000c000500060007000000040001000400080004000200040002007c00018010000180050006001300000004000b001c00018004000c00050003000500000004000b000400090004000b002400018004000800050005000b00000004000b0004000900060004000000000004000100140001800500060003000000050005000a00000014000180080002000000000006000400030000001800038004000200040002000400020004000200040002002c000280050018011f00000008009f00040000000800a100ffffffff0800a100070000000800a000ef050000100000800a000100ffffffffffff00002801008024000280080026006c09000008002201a3000000050019010900000008002700000000000a00010008021100000100000a00010008021100000000000a0001000802110000010000a80003809c000180180001800600040001800000050003000d00000004000c00240001800600040000000000080002000200000005000700000000000400010004000a001400018008000200030000000400090004000a00400001800500060001000000050006000500000004000a0006000400050000000500050005000000050003000b000000060004000300000004000a0004000100080001800400010004000200040002003400028005001801140000000800a00008000000080022013900000008009f0001000000080027000000000008002201240200002800008024000280080026005014000008002600df16000005001901050000000800220135010000bc000080b80003800400020004000200ac0001800c000180050007000000000014000180050005000500000005000500010000000800018004000b000c00018004000b0004000b003800018004000800050007001f000000050007009e0000000800020001000000040009000500050004000000050006000100000004000c00200001800600040002000000050006000c00000004000100050005000c0000001c000180050005000b000000050005000a0000000500030002000000200000801c0002800800a000000000800800a1000300000008002201c8000000040005808c1405801c0200800c00028008002201370100000c02038004000200ac00018008000180040009002800018008000200010000000400010004000c0006000400062f00000400010008000200040000002000018004000b00080002000300000006000400014b000004000c000400010024000180040008000400010004000a000400090004000a000400080005000300030000000c000180050005000e000000280001800400010004000b0004000b00050005000200000005000600080000000500030007000000700001800c00018004000a00040008003c000180050006000e00000004000c0006000400000800000400080005000700200000000500070080000000050005000200000006000400fc0a0000040001800c0001800400090004000c0014000180050003000600000004000c0004000900500001804c00018005000500080000000500070081000000050005000400000004000800040008000500070008000000050005000400000008000200030000000500050005000000080002000300000098000180300001800400090005000600010000000800020004000000050003000f000000040009000400080008000200030000002400018004000c00050005000600000004000a0004000a000400090005000600190000001c00018005000600180000000500070097000000040001000400080024000180050007004000000004000100050003000500000004000b000500050000000000ec0300805801038038000180200001800600040009000000040008000500070008000000050005000c00000008000180040009000c00018005000700070000008400018028000180040009000400090005000600160000000600040005000000080002000200000004000a0018000180050005000b00000004000a0004000a00040001001c000180050007001f0000000500030000000000050007000300000024000180060004007074000004000b0004000100050003000100000006000400000000009800018030000180050007000600000004000c00050006001600000005000300070000000800020003000000060004000100000010000180040008000500070001000000480001800500030000000000040009000500060009000000050006000d000000050006000900000005000300020000000500050008000000050006001a0000000400080004000b000c00018005000600030000000a00010008021100000000000a000100ffffffffffff0000000203803c0101801c0001800500070001000000040001000500030006000000040009002400018004000c0004000100050003000100000008000200030000000600040008000000040001802400018005000300080000000600040000000000050005000800000008000200000000002400018006000400250700000600040009000000050007000500000004000b0004000c002000018004000b0008000200030000000500070040000000050007000400000020000180060004000800000004000b0005000700d600000005000300080000001400018004000800050005000b00000004000c003c00018005000300070000000500070000000000050007004000000006000400060000000400080004000800050005000b00000004000a00040001001c00018004000c00050006000400000004000b0005000700a2000000bc00018010000180050006000c0000000400080014000180050003000a00000005000700000000001c00018008000200020000000400010004000b00050006000000000014000180060004006a3c000004000b00040008001c00018005000300080000000500060019000000080002000b000000140001800500060011000000050005000100000008000180040008002000018005000300080000000500060003000000050003000a000000040009000c0001800500070006000000040002000a000100ffffffffffff00000a000100ffffffffffff000060000380040002005800018038000180060004000900000004000b000600040004000000050005000b00000004000b0004000100050006000600000005000500060000001000018004000c0006000400020000000c000180050005000600000048000080040003800a00010008021100000100003400028008002201950100000800a00047000000080022011c0000000800a00003000000080027000000000005001901000000008803008040010380d00001801000018004000a00080002000100000014000180050007000200000005000600170000002800018006000400ff7f000008000200000000000500070003000000050007001f000000040009001c00018006000400080000000800020002000000080002000200000024000180050005000700000006000400040000000500030001000000080002000400000020000180050005000000000004000c0004000a0004000900050003000e0000000c00018005000700c00000000c000180050006000c0000000800018004000a006c00018034000180050007007f000000040001000400010008000200020000000400010008000200030000000600040059000000040008001c0001800500070009000000050003000300000004000100040001001800018004000b0004000100080002000200000004000a000a00010008021100000100000a000100ffffffffffff000024000280080027000100000008009f000700000008002201a50000000800270002000000300103805c0001800800018004000c0018000180060004000001000004000800080002000300000038000180060004000200000005000700ff00000004000a000400090004000900050003000d0000000400080004000b00050003000f00000004000200c000018048000180050006001f00000005000700fc0000000800020001000000050005000800000004000b00050006000100000004000a000500030004000000050007000400000004000b001c000180040008000500050007000000050007008000000004000b0044000180050007003f00000005000600080000000500030009000000050003000b00000008000200010000000400010005000600000000000400010005000300070000001400018004000b00050007002000000004000a000400020004000200040002000a00010008021100000000000c0003800400020004000200c0000380bc0001804400018004000b0008000200040000000800020007000000080002000300000006000400070000000500030005000000050003000900000004000800040009000400010020000180050005000d00000004000100050006000a00000005000700010000002800018004000c00050006001200000004000800050007000500000004000a0004000800040008002c000180050006000e00000004000800050005000500000004000c0004000b000800020009a26b4604000b008402008028000380240001801400018008000200cb36742d08000200010000000c00018005000300060000002c000280050018012700000008002600940900000800a100040000000800a100000080040800a00001000000b0000380540001802400018004000a000400010004000c0004000800040008000500030004000000040009000c00018006000400f9ff00002000018005000600190000000500070026000000050005000c000000040008000400020004000200040002004c000180100001800500030005000000040008001c00018004000c0004000a00050006000300000004000b00040001001c000180050005000c000000050003000000000004000b0004000800680103805c0001801400018004000a0005000300070000000400080044000180080002000100000004000a000400010008000200000000000400010004000c00050005000c000000050007000700000005000700030000000500060016000000080101802c00018004000c0008000200010000000500070080000000080002000100000004000a0005000600170000001c00018004000b000800020002000000050007002c0000000400010018000180050007007f00000008000200040000000400090020000180050003000900000004000c000400090004000a00050005000700000028000180050003000f0000000800020000000000050003000000000006000400"], 0x28dc}, 0x1, 0x0, 0x0, 0x8000}, 0x4084)
sendmsg$TIPC_NL_MON_GET(0xffffffffffffffff, 0x0, 0x800)
shutdown(r0, 0x1)
recvmmsg(r0, &(0x7f0000008840)=[{{0x0, 0x0, &(0x7f0000000b40)=[{&(0x7f0000001d40)=""/4096, 0x1000}], 0x1}}], 0x1, 0x0, 0x0)
executing program 2:
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000600)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f0000000500)=ANY=[], 0x20}}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
connect$inet6(0xffffffffffffffff, 0x0, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x0)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
sendmmsg$inet6(r0, &(0x7f0000002000)=[{{&(0x7f0000000000)={0xa, 0x0, 0x0, @private2}, 0x1c, &(0x7f0000000340)=[{&(0x7f0000000040)='q', 0x1}], 0x1}}], 0x1, 0x0) (async)
shutdown(r0, 0x1)
r1 = socket$inet6_sctp(0xa, 0x1, 0x84)
getsockopt$inet_sctp6_SCTP_MAX_BURST(r1, 0x84, 0x83, &(0x7f0000000000)=@assoc_value={<r2=>0x0}, &(0x7f0000000040)=0x54)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x85, &(0x7f0000000180)={r2, @in6={{0x2, 0x0, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}}}, 0x90)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0) (async)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$rds(0x15, 0x5, 0x0)
r4 = socket$inet6_sctp(0xa, 0x1, 0x84)
sendmmsg$inet6(r4, &(0x7f0000002580)=[{{&(0x7f0000000f40)={0xa, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x7}, 0x1c, &(0x7f0000001fc0)=[{&(0x7f0000000f80)="ea", 0x1}], 0x1}}], 0x1, 0x0) (async)
shutdown(r4, 0x1) (async)
getsockopt$inet_sctp6_SCTP_MAX_BURST(r4, 0x84, 0x14, &(0x7f00000000c0), &(0x7f0000000140)=0x4) (async)
r5 = socket(0x1, 0x3, 0x0)
setsockopt$sock_int(r5, 0x1, 0x20, &(0x7f00000001c0)=0xfffffffc, 0x4)
bind$rds(r5, &(0x7f0000000000)={0x2, 0x0, @dev}, 0x10) (async)
sendmsg$inet(r3, &(0x7f0000000780)={&(0x7f00000000c0)={0x2, 0x0, @dev}, 0x10, 0x0}, 0x0)
executing program 1:
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYBLOB="050000000000009900000600000008000300", @ANYRES32=r2, @ANYBLOB="0800050003"], 0x24}}, 0x0)
sendmsg$NL80211_CMD_START_AP(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x5c, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={0x28, 0xe, {{{}, {}, @broadcast, @device_a, @from_mac=@device_b}, 0x0, @default, 0x0, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}}], @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}], @NL80211_ATTR_BEACON_INTERVAL={0x8}, @NL80211_ATTR_DTIM_PERIOD={0x8}]}, 0x5c}}, 0x0)
syz_80211_inject_frame(&(0x7f0000000180), &(0x7f00000001c0)=ANY=[@ANYBLOB="84"], 0x42)
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x0, 0x84)
shutdown(r0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFULNL_MSG_CONFIG(r1, &(0x7f0000000900)={0x0, 0x60000000, &(0x7f00000008c0)={&(0x7f0000000840)={0x2c, 0x1, 0x4, 0x5, 0x0, 0x0, {}, [@NFULA_CFG_QTHRESH={0x8}, @NFULA_CFG_TIMEOUT={0x8}, @NFULA_CFG_CMD={0x5, 0x1, 0x1}]}, 0x2c}}, 0x0)
executing program 2:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$packet(0x11, 0x2, 0x300)
r2 = socket(0x1d, 0x2, 0x6)
ioctl$sock_SIOCETHTOOL(r2, 0x8946, &(0x7f0000000040)={'veth1_to_bond\x00', &(0x7f0000000400)=@ethtool_ringparam={0x18}})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000001e00)={'bond0\x00', <r3=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=@newlink={0x3c, 0x10, 0x49920d862a92153b, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @vcan={{0x9}, {0x4}}}, @IFLA_MASTER={0x8, 0xa, r3}]}, 0x3c}}, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r5, 0x400454ca, &(0x7f0000000180)={'syzkaller1\x00', 0x2})
ioctl$TUNSETPERSIST(r5, 0x400454cb, 0x0)
r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r7=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r6, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0xb}]}, 0x24}}, 0x0)
r8 = socket$nl_generic(0x10, 0x3, 0x10)
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f0000000100)={'wlan1\x00', <r10=>0x0})
sendmsg$NL80211_CMD_DEL_KEY(r8, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000140)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r9, @ANYBLOB="010000000000000006000000000008000300", @ANYRES32=r10, @ANYBLOB], 0x1c}}, 0x0)
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000280)={0x0, 0x1c, &(0x7f0000000000)=[@in6={0xa, 0x0, 0x0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}]}, &(0x7f00000002c0)=0x10)
shutdown(r0, 0x2)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r0, 0x84, 0x85, &(0x7f0000000100)={0x0, @in={{0x2, 0x0, @empty}}, 0x2}, &(0x7f00000001c0)=0x90)
executing program 1:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
r2 = socket$inet_udp(0x2, 0x2, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$team(0x0, 0xffffffffffffffff)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b}, 0x0, @default, 0x0, @void, @void, @void, @void, @void, @void, @void, @void, [{0xdd, 0x34, "d089e7800000bec2c730ef17eceac2cdc59102941b0a7d50279666b4e48a55e95fb6ca5ccb6b1637a8a9c3d693436d2776cde8ef"}]}, 0x5a)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000440)=ANY=[@ANYBLOB="50000000080211000001080211000000505050505050000000000000000000006400000025837dbd8ddd14135841adc77516c0ecc876b555e000b869dff2c94078e83b972c6437800f934c5d63e6860c820f6d75d3201ed78037924842c6c6c74f798f94814f0092b550dd78fb2cbc7ee5d25482d14a8c04f52df8c185b3f087d4f5e69ea70dccb9c91d125daa8b76410785376c2e8385e54cc9082061fd56edc0e07ffc48ec898a5a1c993db133c9b5f4e44dc6804ad19b42c2"], 0x24)
ioctl$ifreq_SIOCGIFINDEX_team(r3, 0x8933, &(0x7f0000000000)={'team0\x00', <r5=>0x0})
sendmsg$TEAM_CMD_OPTIONS_SET(r3, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000780)=ANY=[@ANYBLOB="e8000000", @ANYRES16=r4, @ANYBLOB="000200000000000000000100000008000100", @ANYRES32=r5, @ANYBLOB="4400028040000100240001006d6f64650000000000000000000000000000000000000000000000000000000005000300050000000e00040062726f61646361737400000008000100", @ANYRES32=r5, @ANYBLOB="800002803c00018024000100757301800000696e6b75702a0bb4aa000000f8000000000000000000000000000500030006000000040004000800066c", @ANYRES32=r5, @ANYBLOB="40000100240001006d6f64650000000000000000000000000000000000000000000000000000000005000300050000000e00040062726f616463617374000000"], 0xe8}}, 0x0)
ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(r2, 0x89f1, &(0x7f0000000040)={'sit0\x00', &(0x7f0000000400)={'syztnl0\x00', r5, 0x0, 0x0, 0x0, 0x1, {{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0x0, 0x0, 0x0, @loopback, @multicast1}}}})
ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL(r1, 0x89f5, &(0x7f00000001c0)={'syztnl0\x00', &(0x7f0000000140)={'gretap0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, {{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0x0, 0x0, 0x0, @broadcast, @dev}}}})
r6 = socket$packet(0x11, 0x3, 0x300)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r0, 0x8933, &(0x7f0000000040)={'batadv0\x00', <r8=>0x0})
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'geneve1\x00', <r9=>0x0})
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000040)=@gettclass={0x24, 0x2a, 0xaa399a277c9b29ff, 0x70bd26, 0x0, {0x0, 0x0, 0x0, r9, {}, {0xffe0}}}, 0x24}}, 0x0)
r10 = socket$packet(0x11, 0x2, 0x300)
r11 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000140)=ANY=[@ANYBLOB="1800000000000000000000000000000095000000000000003606ee57566f3700cb13abba3c4437d887006509eaeffda541fa0164ffb761009b6d447405c58e1ecaf1238ba5529b51adff33e84e84a22a2f9e7bb8818d016e32515e2b68add6b74f7eeb5e09c3441a8f7f175a5d268deae6d38c6e8173b2bdbbf07ac8eaf5ea27593855d2ee25b8e62a1f177cfde9bb74c72fb73c7c8e705346ece265a474f01bc0a22dc7a9ae8624add4215240337edf6c57a38e9516f03ec22d4173eba22179ca42317939313468e9b9ca962fe41b2492ba346e56ebe3390f63dad90035828c01e6d2aeec4cc998c6e78cb2a98596bedc0e1fce864c5504eb8d35775f90aa382cf1572f35414f40778a27ffa9c0c64d82ab1dae0686eec19561fcca028fc6f6"], &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000400)='kfree\x00', r11}, 0x10)
r12 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_TX_RING(r12, 0x11b, 0x3, &(0x7f0000000100)=0x8, 0x4)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000005c0)={'gre0\x00', <r13=>0x0})
sendto$packet(r10, 0x0, 0x0, 0x0, &(0x7f0000000000)={0x11, 0x15, r13}, 0x14)
setsockopt$packet_add_memb(r10, 0x107, 0x1, &(0x7f0000000280)={r8, 0x1, 0x6, @random="edb6bf6ec725"}, 0x10)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000740)={'veth0_to_team\x00', <r14=>0x0})
setsockopt$packet_add_memb(r6, 0x107, 0x1, &(0x7f0000000100)={r14, 0x1, 0x6, @dev}, 0x10)
setsockopt$packet_drop_memb(r6, 0x107, 0x2, &(0x7f0000000000)={r14, 0x1, 0x1, @dev}, 0x10)
executing program 2:
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000040)={'lo\x00', <r1=>0x0})
r2 = socket$inet6_sctp(0xa, 0x5, 0x84)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_1\x00', <r3=>0x0})
ioctl$sock_inet6_SIOCADDRT(r2, 0x890b, &(0x7f0000000040)={@private0, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @mcast1={0xff, 0x5}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, r3})
r4 = socket$igmp6(0xa, 0x3, 0x2)
ioctl$sock_inet6_SIOCADDRT(r4, 0x890b, &(0x7f00000000c0)={@mcast2={0xff, 0x5}, @ipv4={'\x00', '\xff\xff', @loopback}, @mcast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r1})
sendmmsg$inet(0xffffffffffffffff, &(0x7f0000002fc0), 0x0, 0x0)
r5 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000100)=ANY=[@ANYBLOB="5000000010003b1500"/20, @ANYRES32=0x0, @ANYBLOB="43b000a13aadf600280012800b00010067656e657665000018000280140007"], 0x50}}, 0x0)
syz_emit_ethernet(0x2b, &(0x7f00000003c0)=ANY=[@ANYBLOB="aaaaaaaaaaaa0180c200000186dd"], 0x0)
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000400)='kfree\x00', r0}, 0x10)
r1 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000040)={'vxcan0\x00'})
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$phonet(0x23, 0x2, 0x1)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000100), 0xffffffffffffffff)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000080)=@framed, &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000440)={&(0x7f0000000400)='sched_switch\x00', r4}, 0x10)
sendmsg$WG_CMD_SET_DEVICE(0xffffffffffffffff, 0x0, 0x0)
sendmsg$MPTCP_PM_CMD_DEL_ADDR(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000140)=ANY=[@ANYBLOB="010026bd7000fcdbdf25020000001c"], 0x30}}, 0x0)
r5 = socket(0x11, 0x3, 0x0)
getsockopt$inet_sctp_SCTP_RESET_STREAMS(r5, 0x84, 0x77, 0x0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000000)={0x14, 0x31, 0x105, 0x0, 0x0, {0x1a}}, 0x14}}, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x1d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r6 = socket$igmp(0x2, 0x3, 0x2)
r7 = socket$nl_route(0x10, 0x3, 0x0)
r8 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r8, 0x8933, &(0x7f0000000080)={'batadv0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000440)={&(0x7f00000003c0)=@ipv6_deladdr={0x2c, 0x15, 0x1, 0x0, 0x0, {0xa, 0x78, 0x0, 0x0, r9}, [@IFA_LOCAL={0x14, 0x2, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}]}, 0x2c}}, 0x0)
syz_emit_ethernet(0x4e, &(0x7f0000000540)=ANY=[@ANYBLOB="85a2e9966700bbbbbbbbbbbb86dd60001f0000180200fe80000000b0dd35523b3f537e0000bbfe8000000000000000000000000000aa88009078fa0000000000000000000000000000000000000096aae1e31d27fddf9775414de4f10b395eb38831d273832e5d2f57830fa30189302fad748ea864517da222902ae5133c38973bfe74c7434c146a66587c2c2c45c59a19b84a8f4adb145761a2c670676c54ccd98e0b4d09e69defac8392c372e3b4c51edac8352e54f21a85327a17b147c8e7ee31193ac69002844f5954a40c9d43aad5b5ce7cfe4afee65ab648100c429b9ad524ea24edc7e7e73f28cfb51aad2b2f8cee87aac869e056fb45fe35fcd87ec89c504f83cbde010a602203f59829c93bc14bd7d3b46b3b0edeff1425940e875038384f7f60009b8d94814ea53ff2ce56e6b6b3ff7d73d22af18f4d0c0b5748965c6dfcf3aa"], 0x0)
setsockopt$MRT_FLUSH(r6, 0x0, 0xd1, &(0x7f0000000480)=0x2, 0x4)
getsockopt$MRT(r6, 0x0, 0xce, 0x0, 0x0)
ioctl$SIOCPNGETOBJECT(r2, 0x89e0, &(0x7f0000000080)=0x36)
r10 = socket$igmp(0x2, 0x3, 0x2)
sendmmsg$inet(r10, &(0x7f0000003a40)=[{{&(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10, 0x0}}, {{&(0x7f0000000000)={0x2, 0x0, @multicast2}, 0x10, 0x0, 0x0, 0x0, 0x20}}], 0x2, 0x0)
sendto$phonet(r2, 0x0, 0x400300, 0x0, &(0x7f0000000140), 0x10)
executing program 2:
r0 = socket(0x11, 0x3, 0x0)
ioctl$sock_inet6_SIOCADDRT(r0, 0x890b, &(0x7f00000000c0)={@rand_addr=' \x01\x00', @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x0, 0x0, 0x0, 0x0, 0x7, 0x100000})
executing program 1:
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYBLOB="050000000000009900000600000008000300", @ANYRES32=r2, @ANYBLOB="0800050003"], 0x24}}, 0x0)
sendmsg$NL80211_CMD_START_AP(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x5c, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={0x28, 0xe, {{{}, {}, @broadcast, @device_a, @from_mac=@device_b}, 0x0, @default, 0x0, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void, @void}}], @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}], @NL80211_ATTR_BEACON_INTERVAL={0x8}, @NL80211_ATTR_DTIM_PERIOD={0x8}]}, 0x5c}}, 0x0)
syz_80211_inject_frame(&(0x7f0000000180), &(0x7f00000001c0)=ANY=[@ANYBLOB="84"], 0x42)
executing program 0:
r0 = socket$qrtr(0x2a, 0x2, 0x0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000000)={'vcan0\x00', <r2=>0x0})
r3 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r3, &(0x7f0000001200)={0x1d, r2}, 0x18)
ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000080)={'vcan0\x00'})
executing program 2:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000100)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
socket$nl_generic(0x10, 0x3, 0x10)
r1 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
sendmsg$unix(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f00000000c0)=')', 0x1}], 0x1, &(0x7f0000000180)=[@rights={{0x18, 0x1, 0x1, [r1, r0]}}], 0x18}, 0x0)
executing program 1:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000400)={0x0, r0}, 0x10)
socketpair$unix(0x1, 0x0, 0x0, &(0x7f00000000c0))
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x11, 0x3, &(0x7f0000000080)=ANY=[@ANYBLOB="1800000000000000000000000000200095"], &(0x7f0000000100)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x28}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000001000)='sched_switch\x00', r1}, 0x10)
r2 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFBR(r2, 0x8940, 0x0)
setsockopt$RDS_CANCEL_SENT_TO(0xffffffffffffffff, 0x114, 0x1, &(0x7f0000000080)={0x2, 0x4e24, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0x10)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
r4 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r4, 0x84, 0x64, &(0x7f0000000080), 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r4, 0x84, 0x6f, &(0x7f0000000280)={0x0, 0x1c, &(0x7f0000000000)=[@in6={0xa, 0x4e20, 0x0, @loopback}]}, &(0x7f00000002c0)=0x10)
sendto$inet6(r3, 0x0, 0x0, 0x20080001, &(0x7f0000000140)={0xa, 0x0, 0x0, @dev, 0x11}, 0x1c)
shutdown(r3, 0x0)
executing program 0:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
setsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x2e, 0x0, 0x0)
executing program 2:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000400)='kfree\x00', r0}, 0x10)
r1 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r1, 0x8933, &(0x7f0000000040)={'vxcan0\x00'})
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$phonet(0x23, 0x2, 0x1)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f0000000100), 0xffffffffffffffff)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000080)=@framed, &(0x7f0000000000)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000440)={&(0x7f0000000400)='sched_switch\x00', r4}, 0x10)
sendmsg$WG_CMD_SET_DEVICE(0xffffffffffffffff, 0x0, 0x0)
sendmsg$MPTCP_PM_CMD_DEL_ADDR(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000140)=ANY=[@ANYBLOB="010026bd7000fcdbdf25020000001c"], 0x30}}, 0x0)
r5 = socket(0x11, 0x3, 0x0)
getsockopt$inet_sctp_SCTP_RESET_STREAMS(r5, 0x84, 0x77, 0x0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000000)={0x14, 0x31, 0x105, 0x0, 0x0, {0x1a}}, 0x14}}, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x1d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r6 = socket$igmp(0x2, 0x3, 0x2)
r7 = socket$nl_route(0x10, 0x3, 0x0)
r8 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r8, 0x8933, &(0x7f0000000080)={'batadv0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000440)={&(0x7f00000003c0)=@ipv6_deladdr={0x2c, 0x15, 0x1, 0x0, 0x0, {0xa, 0x78, 0x0, 0x0, r9}, [@IFA_LOCAL={0x14, 0x2, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}]}, 0x2c}}, 0x0)
syz_emit_ethernet(0x4e, &(0x7f0000000540)=ANY=[@ANYBLOB="85a2e9966700bbbbbbbbbbbb86dd60001f0000180200fe80000000b0dd35523b3f537e0000bbfe8000000000000000000000000000aa88009078fa0000000000000000000000000000000000000096aae1e31d27fddf9775414de4f10b395eb38831d273832e5d2f57830fa30189302fad748ea864517da222902ae5133c38973bfe74c7434c146a66587c2c2c45c59a19b84a8f4adb145761a2c670676c54ccd98e0b4d09e69defac8392c372e3b4c51edac8352e54f21a85327a17b147c8e7ee31193ac69002844f5954a40c9d43aad5b5ce7cfe4afee65ab648100c429b9ad524ea24edc7e7e73f28cfb51aad2b2f8cee87aac869e056fb45fe35fcd87ec89c504f83cbde010a602203f59829c93bc14bd7d3b46b3b0edeff1425940e875038384f7f60009b8d94814ea53ff2ce56e6b6b3ff7d73d22af18f4d0c0b5748965c6dfcf3aa"], 0x0)
setsockopt$MRT_FLUSH(r6, 0x0, 0xd1, &(0x7f0000000480)=0x2, 0x4)
getsockopt$MRT(r6, 0x0, 0xce, 0x0, 0x0)
ioctl$SIOCPNGETOBJECT(r2, 0x89e0, &(0x7f0000000080)=0x36)
r10 = socket$igmp(0x2, 0x3, 0x2)
sendmmsg$inet(r10, &(0x7f0000003a40)=[{{&(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10, 0x0}}, {{&(0x7f0000000000)={0x2, 0x0, @multicast2}, 0x10, 0x0, 0x0, 0x0, 0x20}}], 0x2, 0x0)
sendto$phonet(r2, 0x0, 0x400300, 0x0, &(0x7f0000000140), 0x10)
executing program 1:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$NL80211_CMD_NEW_KEY(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)={0x1c, 0x0, 0x0, 0x0, 0x0, {{}, {@val={0x8}, @void}}}, 0x1c}}, 0x0)
ioctl$sock_SIOCBRDELBR(r0, 0x89a2, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_emit_ethernet(0x4a, &(0x7f0000000040)={@local, @dev, @void, {@ipv6={0x86dd, @tcp={0x0, 0x6, "4dd708", 0x14, 0x6, 0x0, @dev, @local, {[], {{0x0, 0x0, 0x41424344, 0x41424344, 0x0, 0x0, 0x5}}}}}}}, 0x0)
r1 = socket$inet_smc(0x2b, 0x1, 0x0)
setsockopt$IP_VS_SO_SET_ADD(r1, 0x0, 0x482, &(0x7f0000000000)={0x6, @local, 0x0, 0x0, 'lblc\x00'}, 0x2c)
syz_emit_ethernet(0x2e, &(0x7f00000000c0)={@local, @dev, @void, {@ipv4={0x800, @generic={{0x5, 0x4, 0x0, 0x0, 0x20, 0x0, 0x0, 0x0, 0x84, 0x0, @remote, @remote}, "f2dfbc81cfe0ca1b360883ff"}}}}, 0x0)
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
r11 = socket(0x22, 0x2, 0x1)
ioctl$IMGETDEVINFO(r11, 0x80044944, 0x0)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r12, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r14=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r12, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r13, @ANYBLOB="0100004100200069676f69dd81d26f6426a13eb839028944f002744aa4a6f24ccaf6c43ba3b53fdaa009fa9b3445a2be747b4506bc59e56579944d5847628ac8c3fc98ff71ffd088865bdd5a0db1d3ac95c6514411", @ANYRES32=r14, @ANYBLOB="0800050008000000"], 0x24}}, 0x0)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 3 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS-socket-ioctl$IMGETDEVINFO-socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
r11 = socket(0x22, 0x2, 0x1)
ioctl$IMGETDEVINFO(r11, 0x80044944, 0x0)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r12, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r14=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r12, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r13, @ANYBLOB="0100004100200069676f69dd81d26f6426a13eb839028944f002744aa4a6f24ccaf6c43ba3b53fdaa009fa9b3445a2be747b4506bc59e56579944d5847628ac8c3fc98ff71ffd088865bdd5a0db1d3ac95c6514411", @ANYRES32=r14, @ANYBLOB="0800050008000000"], 0x24}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in lockref_get
single: successfully extracted reproducer
found reproducer with 28 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS-socket-ioctl$IMGETDEVINFO-socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
r11 = socket(0x22, 0x2, 0x1)
ioctl$IMGETDEVINFO(r11, 0x80044944, 0x0)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r12, 0x8933, &(0x7f00000000c0)={'wlan1\x00'})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS-socket-ioctl$IMGETDEVINFO-socket$nl_generic-syz_genetlink_get_family_id$nl80211
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
r11 = socket(0x22, 0x2, 0x1)
ioctl$IMGETDEVINFO(r11, 0x80044944, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS-socket-ioctl$IMGETDEVINFO-socket$nl_generic
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
r11 = socket(0x22, 0x2, 0x1)
ioctl$IMGETDEVINFO(r11, 0x80044944, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS-socket-ioctl$IMGETDEVINFO
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
r11 = socket(0x22, 0x2, 0x1)
ioctl$IMGETDEVINFO(r11, 0x80044944, 0x0)

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS-socket
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})
socket(0x22, 0x2, 0x1)

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-socket$nl_generic
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
socket$qrtr(0x2a, 0x2, 0x0)
r9 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r9)
socket$nl_generic(0x10, 0x3, 0x10)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
r10 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), r10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_init_net_socket$nl_generic-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r9, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r4 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r5})
r7 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r7, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r8, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000040)='contention_end\x00', r3}, 0x10)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(0xffffffffffffffff, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-ioctl$HCIINQUIRY-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r4=>0x0})
r5 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r5, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r4})
r6 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r6, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
ioctl$HCIINQUIRY(r7, 0x400448e0, &(0x7f0000000000)={0x0, 0x0, 'PKX'})
r8 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r8, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$inet_udp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r4=>0x0})
r5 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r5, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r4})
r6 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r6, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$inet_udp(0x2, 0x2, 0x0)
r7 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r7, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-syz_init_net_socket$bt_hci-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r4=>0x0})
r5 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r5, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r4})
r6 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r6, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r7 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r7, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-setsockopt$inet6_IPV6_RTHDR-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r4=>0x0})
r5 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r5, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r4})
r6 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet6_IPV6_RTHDR(r6, 0x29, 0x39, &(0x7f0000000800)=ANY=[], 0x18)
r7 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r7, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$inet6_sctp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r4=>0x0})
r5 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r5, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r4})
socket$inet6_sctp(0xa, 0x5, 0x84)
r6 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r6, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-ioctl$sock_inet6_SIOCADDRT-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r4=>0x0})
r5 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r5, 0x890b, &(0x7f0000000540)={@private1, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', @ipv4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r4})
r6 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r6, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00'})
socket$inet6_mptcp(0xa, 0x1, 0x106)
r4 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-ioctl$sock_SIOCGIFINDEX-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00'})
r4 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: lost connection to test machine
suppressed program crash: lost connection to test machine
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r2 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r1=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, 0x0, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r1}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, 0x0, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r1}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r2 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r1=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r0, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r1}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r0, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r1}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r2 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0)
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r2 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, 0x0, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, 0x0}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, 0x0, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, 0x0}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={0x0}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(0x0, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, 0x0, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000013c0)={0x18, 0x3, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000100000095"], &(0x7f0000000100)='syzkaller\x00'}, 0x90)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(0x0, 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, &(0x7f00000000c0)={'wlan1\x00', 0x1})

program crashed: KASAN: slab-use-after-free Read in lockref_get
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
detailed listing:
executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = socket$qrtr(0x2a, 0x2, 0x0)
syz_genetlink_get_family_id$netlbl_unlabel(0x0, 0xffffffffffffffff)
ioctl$sock_inet_SIOCSIFFLAGS(r3, 0x8924, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
simplifying C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:3 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:true IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-syz_genetlink_get_family_id$nl80211-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_SET_INTERFACE-sendmsg$NL80211_CMD_CONNECT-syz_80211_inject_frame-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-socket$inet6_mptcp-socket$qrtr-syz_genetlink_get_family_id$netlbl_unlabel-ioctl$sock_inet_SIOCSIFFLAGS
program crashed: KASAN: slab-use-after-free Read in lockref_get
reproducing took 2h8m12.88760046s
repro crashed as (corrupted=false):
wlan1: authentication with 08:02:11:00:00:00 timed out
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005
Read of size 8 at addr ffff8880115fd0d8 by task kworker/u8:2/35

CPU: 0 PID: 35 Comm: kworker/u8:2 Not tainted 6.10.0-rc6-syzkaller-01414-g58f9416d413a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 lockref_get+0x15/0x60 lib/lockref.c:50
 dget include/linux/dcache.h:333 [inline]
 simple_recursive_removal+0x35/0x8e0 fs/libfs.c:601
 debugfs_remove+0x49/0x70 fs/debugfs/inode.c:823
 ieee80211_sta_debugfs_remove+0x40/0x60 net/mac80211/debugfs_sta.c:1287
 __sta_info_destroy_part2+0x35e/0x450 net/mac80211/sta_info.c:1476
 __sta_info_destroy net/mac80211/sta_info.c:1492 [inline]
 sta_info_destroy_addr+0xf4/0x140 net/mac80211/sta_info.c:1504
 ieee80211_destroy_auth_data+0x139/0x270 net/mac80211/mlme.c:4163
 ieee80211_sta_work+0x1256/0x3850 net/mac80211/mlme.c:7801
 cfg80211_wiphy_work+0x2db/0x490 net/wireless/core.c:440
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 9:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4002 [inline]
 kmem_cache_alloc_lru_noprof+0x139/0x2b0 mm/slub.c:4021
 __d_alloc+0x31/0x700 fs/dcache.c:1624
 d_alloc fs/dcache.c:1704 [inline]
 d_alloc_parallel+0xdf/0x1600 fs/dcache.c:2462
 __lookup_slow+0x117/0x3f0 fs/namei.c:1677
 lookup_one_len+0x18b/0x2d0 fs/namei.c:2764
 start_creating+0x187/0x310 fs/debugfs/inode.c:378
 debugfs_create_dir+0x25/0x430 fs/debugfs/inode.c:593
 ieee80211_sta_debugfs_add+0x132/0x820 net/mac80211/debugfs_sta.c:1262
 sta_info_insert_finish net/mac80211/sta_info.c:881 [inline]
 sta_info_insert_rcu+0xecf/0x1900 net/mac80211/sta_info.c:949
 sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:954
 ieee80211_prep_connection+0xecd/0x12d0 net/mac80211/mlme.c:8319
 ieee80211_mgd_auth+0xd42/0x14c0 net/mac80211/mlme.c:8564
 rdev_auth net/wireless/rdev-ops.h:485 [inline]
 cfg80211_mlme_auth+0x59f/0x980 net/wireless/mlme.c:291
 cfg80211_conn_do_work+0x5ed/0xe60 net/wireless/sme.c:181
 cfg80211_conn_work+0x27c/0x4d0 net/wireless/sme.c:271
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 0:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kmem_cache_free+0x145/0x350 mm/slub.c:4513
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 __dentry_kill+0x497/0x630 fs/dcache.c:622
 dput+0x19f/0x2b0 fs/dcache.c:845
 find_next_child fs/libfs.c:594 [inline]
 simple_recursive_removal+0x2bd/0x8e0 fs/libfs.c:609
 debugfs_remove+0x49/0x70 fs/debugfs/inode.c:823
 ieee80211_debugfs_remove_netdev net/mac80211/debugfs_netdev.c:1022 [inline]
 ieee80211_debugfs_recreate_netdev+0xc4/0x1400 net/mac80211/debugfs_netdev.c:1044
 drv_remove_interface+0x1e1/0x590 net/mac80211/driver-ops.c:119
 _ieee80211_change_mac net/mac80211/iface.c:278 [inline]
 ieee80211_change_mac+0xaf5/0x11e0 net/mac80211/iface.c:310
 dev_set_mac_address+0x327/0x510 net/core/dev.c:9095
 dev_set_mac_address_user+0x31/0x50 net/core/dev.c:9114
 dev_ifsioc+0xbd9/0xe70 net/core/dev_ioctl.c:541
 dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:786
 sock_do_ioctl+0x240/0x460 net/socket.c:1236
 sock_ioctl+0x629/0x8e0 net/socket.c:1341
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880115fd028
 which belongs to the cache dentry of size 312
The buggy address is located 176 bytes inside of
 freed 312-byte region [ffff8880115fd028, ffff8880115fd160)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115fc
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015ef98c0 ffffea00018a6180 dead000000000003
raw: 0000000000000000 0000000000150015 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015ef98c0 ffffea00018a6180 dead000000000003
head: 0000000000000000 0000000000150015 00000001ffffefff 0000000000000000
head: 00fff00000000001 ffffea0000457f01 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 4559, tgid 4559 (udevd), ts 22899453785, free_ts 18216174778
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 kmem_cache_alloc_lru_noprof+0x1c5/0x2b0 mm/slub.c:4021
 __d_alloc+0x31/0x700 fs/dcache.c:1624
 d_alloc fs/dcache.c:1704 [inline]
 d_alloc_parallel+0xdf/0x1600 fs/dcache.c:2462
 __lookup_slow+0x117/0x3f0 fs/namei.c:1677
 lookup_slow+0x53/0x70 fs/namei.c:1709
 walk_component fs/namei.c:2004 [inline]
 link_path_walk+0x9ea/0xea0 fs/namei.c:2331
 path_parentat fs/namei.c:2540 [inline]
 __filename_parentat+0x263/0x6f0 fs/namei.c:2564
 filename_parentat fs/namei.c:2582 [inline]
 do_unlinkat+0x189/0x830 fs/namei.c:4388
 __do_sys_unlink fs/namei.c:4461 [inline]
 __se_sys_unlink fs/namei.c:4459 [inline]
 __x64_sys_unlink+0x49/0x60 fs/namei.c:4459
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2588
 free_reserved_page include/linux/mm.h:3192 [inline]
 free_reserved_area+0x198/0x240 mm/page_alloc.c:5799
 free_init_pages arch/x86/mm/init.c:927 [inline]
 free_kernel_image_pages arch/x86/mm/init.c:943 [inline]
 free_initmem+0x9a/0x110 arch/x86/mm/init.c:970
 kernel_init+0x31/0x2b0 init/main.c:1476
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880115fcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff8880115fd000: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
>ffff8880115fd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8880115fd100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880115fd180: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
wlan1: authentication with 08:02:11:00:00:00 timed out
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005
Read of size 8 at addr ffff8880115fd0d8 by task kworker/u8:2/35

CPU: 0 PID: 35 Comm: kworker/u8:2 Not tainted 6.10.0-rc6-syzkaller-01414-g58f9416d413a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 lockref_get+0x15/0x60 lib/lockref.c:50
 dget include/linux/dcache.h:333 [inline]
 simple_recursive_removal+0x35/0x8e0 fs/libfs.c:601
 debugfs_remove+0x49/0x70 fs/debugfs/inode.c:823
 ieee80211_sta_debugfs_remove+0x40/0x60 net/mac80211/debugfs_sta.c:1287
 __sta_info_destroy_part2+0x35e/0x450 net/mac80211/sta_info.c:1476
 __sta_info_destroy net/mac80211/sta_info.c:1492 [inline]
 sta_info_destroy_addr+0xf4/0x140 net/mac80211/sta_info.c:1504
 ieee80211_destroy_auth_data+0x139/0x270 net/mac80211/mlme.c:4163
 ieee80211_sta_work+0x1256/0x3850 net/mac80211/mlme.c:7801
 cfg80211_wiphy_work+0x2db/0x490 net/wireless/core.c:440
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 9:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4002 [inline]
 kmem_cache_alloc_lru_noprof+0x139/0x2b0 mm/slub.c:4021
 __d_alloc+0x31/0x700 fs/dcache.c:1624
 d_alloc fs/dcache.c:1704 [inline]
 d_alloc_parallel+0xdf/0x1600 fs/dcache.c:2462
 __lookup_slow+0x117/0x3f0 fs/namei.c:1677
 lookup_one_len+0x18b/0x2d0 fs/namei.c:2764
 start_creating+0x187/0x310 fs/debugfs/inode.c:378
 debugfs_create_dir+0x25/0x430 fs/debugfs/inode.c:593
 ieee80211_sta_debugfs_add+0x132/0x820 net/mac80211/debugfs_sta.c:1262
 sta_info_insert_finish net/mac80211/sta_info.c:881 [inline]
 sta_info_insert_rcu+0xecf/0x1900 net/mac80211/sta_info.c:949
 sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:954
 ieee80211_prep_connection+0xecd/0x12d0 net/mac80211/mlme.c:8319
 ieee80211_mgd_auth+0xd42/0x14c0 net/mac80211/mlme.c:8564
 rdev_auth net/wireless/rdev-ops.h:485 [inline]
 cfg80211_mlme_auth+0x59f/0x980 net/wireless/mlme.c:291
 cfg80211_conn_do_work+0x5ed/0xe60 net/wireless/sme.c:181
 cfg80211_conn_work+0x27c/0x4d0 net/wireless/sme.c:271
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 0:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kmem_cache_free+0x145/0x350 mm/slub.c:4513
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2809
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3176
 __dentry_kill+0x497/0x630 fs/dcache.c:622
 dput+0x19f/0x2b0 fs/dcache.c:845
 find_next_child fs/libfs.c:594 [inline]
 simple_recursive_removal+0x2bd/0x8e0 fs/libfs.c:609
 debugfs_remove+0x49/0x70 fs/debugfs/inode.c:823
 ieee80211_debugfs_remove_netdev net/mac80211/debugfs_netdev.c:1022 [inline]
 ieee80211_debugfs_recreate_netdev+0xc4/0x1400 net/mac80211/debugfs_netdev.c:1044
 drv_remove_interface+0x1e1/0x590 net/mac80211/driver-ops.c:119
 _ieee80211_change_mac net/mac80211/iface.c:278 [inline]
 ieee80211_change_mac+0xaf5/0x11e0 net/mac80211/iface.c:310
 dev_set_mac_address+0x327/0x510 net/core/dev.c:9095
 dev_set_mac_address_user+0x31/0x50 net/core/dev.c:9114
 dev_ifsioc+0xbd9/0xe70 net/core/dev_ioctl.c:541
 dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:786
 sock_do_ioctl+0x240/0x460 net/socket.c:1236
 sock_ioctl+0x629/0x8e0 net/socket.c:1341
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880115fd028
 which belongs to the cache dentry of size 312
The buggy address is located 176 bytes inside of
 freed 312-byte region [ffff8880115fd028, ffff8880115fd160)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115fc
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015ef98c0 ffffea00018a6180 dead000000000003
raw: 0000000000000000 0000000000150015 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015ef98c0 ffffea00018a6180 dead000000000003
head: 0000000000000000 0000000000150015 00000001ffffefff 0000000000000000
head: 00fff00000000001 ffffea0000457f01 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 4559, tgid 4559 (udevd), ts 22899453785, free_ts 18216174778
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2265
 allocate_slab+0x5a/0x2f0 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3667
 __slab_alloc+0x58/0xa0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 kmem_cache_alloc_lru_noprof+0x1c5/0x2b0 mm/slub.c:4021
 __d_alloc+0x31/0x700 fs/dcache.c:1624
 d_alloc fs/dcache.c:1704 [inline]
 d_alloc_parallel+0xdf/0x1600 fs/dcache.c:2462
 __lookup_slow+0x117/0x3f0 fs/namei.c:1677
 lookup_slow+0x53/0x70 fs/namei.c:1709
 walk_component fs/namei.c:2004 [inline]
 link_path_walk+0x9ea/0xea0 fs/namei.c:2331
 path_parentat fs/namei.c:2540 [inline]
 __filename_parentat+0x263/0x6f0 fs/namei.c:2564
 filename_parentat fs/namei.c:2582 [inline]
 do_unlinkat+0x189/0x830 fs/namei.c:4388
 __do_sys_unlink fs/namei.c:4461 [inline]
 __se_sys_unlink fs/namei.c:4459 [inline]
 __x64_sys_unlink+0x49/0x60 fs/namei.c:4459
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2588
 free_reserved_page include/linux/mm.h:3192 [inline]
 free_reserved_area+0x198/0x240 mm/page_alloc.c:5799
 free_init_pages arch/x86/mm/init.c:927 [inline]
 free_kernel_image_pages arch/x86/mm/init.c:943 [inline]
 free_initmem+0x9a/0x110 arch/x86/mm/init.c:970
 kernel_init+0x31/0x2b0 init/main.c:1476
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880115fcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff8880115fd000: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
>ffff8880115fd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8880115fd100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880115fd180: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
==================================================================