Extracting prog: 1m25.177570233s Minimizing prog: 20m23.277980242s Simplifying prog options: 0s Extracting C: 1m2.932013431s Simplifying C: 2m49.524890329s extracting reproducer from 58 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-socket$nl_xfrm-sendmsg$nl_xfrm detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000380)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r8, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r9, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r8, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r10 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r10, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=@newsa={0x148, 0x10, 0xad0107152c5a2e33, 0x0, 0x0, {{@in=@dev, @in6=@private2}, {@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x0, 0x6c}, @in6=@remote, {}, {}, {}, 0x0, 0x0, 0xa}, [@replay_val={0x10}, @algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x148}}, 0x0) program crashed: KASAN: use-after-free Write in pppol2tp_release program crashed: KASAN: use-after-free Write in pppol2tp_release single: successfully extracted reproducer found reproducer with 30 syscalls minimizing guilty program testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-socket$nl_xfrm detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000380)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r8, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r9, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r8, &(0x7f00000000c0), 0x10106, 0x2, 0x0) socket$nl_xfrm(0x10, 0x3, 0x6) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000380)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r8, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r9, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r8, &(0x7f00000000c0), 0x10106, 0x2, 0x0) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000380)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r8, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) sendmmsg$unix(r9, &(0x7f0000000000), 0x651, 0x0) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000380)={0xffffffffffffffff}) connect$unix(r8, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000380)) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) r7 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r7, 0x2, &(0x7f0000000200)=0x7) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid-sched_setaffinity detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler-getpid detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) getpid() program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64-sched_setscheduler detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard-prlimit64 detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x9, 0x8b}, 0x0) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2-ioctl$ifreq_SIOCGIFINDEX_batadv_hard detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) r6 = dup2(r5, r5) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r6, 0x8933, &(0x7f0000000240)={'batadv_slave_0\x00'}) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6-dup2 detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) r5 = socket$inet6(0xa, 0x1, 0x0) dup2(r5, r5) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR-socket$inet6 detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) socket$inet6(0xa, 0x1, 0x0) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-syz_mount_image$vfat detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) syz_mount_image$vfat(&(0x7f0000000000), &(0x7f00000009c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x824851, 0x0, 0x1, 0x0, &(0x7f0000000d40)) program did not crash testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-recvmmsg-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) recvmmsg(r3, &(0x7f0000001780)=[{{&(0x7f0000000340)=@ieee802154, 0x80, 0x0}, 0x400}], 0x1, 0x2143, 0x0) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-syz_emit_ethernet-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) syz_emit_ethernet(0x50, &(0x7f0000000b40)=ANY=[@ANYBLOB="0180c2000000aaaaaaaaaa348100000086dd60910100001611fffe8000000000000000000000000000bbfe8000000000000000000000000000aa00000e22001690780203000000000000fff50000000086b14ac845e6776ad1004aa6f346d03d8e8f0ae907886f30674372d08eb19610c86de93ed2bbd2f4004d8c2f12f82c14b0356c8a16fecf960608721e7aa9c77b85ce"], 0x0) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-bind$inet6-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) bind$inet6(r4, &(0x7f0000000000)={0xa, 0xe22, 0x0, @empty}, 0x1c) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-socket$inet6_udp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) socket$inet6_udp(0xa, 0x2, 0x0) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program did not crash testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$pppl2tp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$pppl2tp(0x18, 0x1, 0x1) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program did not crash testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-syz_mount_image$vfat-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) syz_mount_image$vfat(&(0x7f0000000b00), &(0x7f00000005c0)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x181d011, 0x0, 0x40, 0x0, &(0x7f0000000140)) r3 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r3, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(0xffffffffffffffff, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program did not crash testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-sendmsg$IPVS_CMD_NEW_DEST-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r2, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) sendmsg$IPVS_CMD_NEW_DEST(r0, &(0x7f0000000940)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x40001}, 0xc, &(0x7f0000000900)={&(0x7f0000000780)={0x174, r2, 0x10, 0x70bd29, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_SERVICE={0x10, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x7}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x4}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x2781}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0xe5}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x4}]}, @IPVS_CMD_ATTR_DAEMON={0x70, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_GROUP={0x8, 0x5, @dev={0xac, 0x14, 0x14, 0x2b}}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x5, 0x8, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @private2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}]}, @IPVS_CMD_ATTR_SERVICE={0x4c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_PE_NAME={0x8}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv6=@dev={0xfe, 0x80, '\x00', 0x29}}, @IPVS_SVC_ATTR_PROTOCOL={0x6, 0x2, 0x33}, @IPVS_SVC_ATTR_SCHED_NAME={0x7, 0x6, 'dh\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x69}, @IPVS_SVC_ATTR_ADDR={0x14, 0x3, @ipv4=@empty}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x2}, @IPVS_CMD_ATTR_DAEMON={0x18, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'macsec0\x00'}]}, @IPVS_CMD_ATTR_DEST={0x2c, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0xfff}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xd}, @IPVS_DEST_ATTR_TUN_PORT={0x6, 0xe, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0xcf2}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0xf}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x39ad}, @IPVS_CMD_ATTR_SERVICE={0x4}]}, 0x174}, 0x1, 0x0, 0x0, 0x48}, 0x40054) r3 = socket$pppl2tp(0x18, 0x1, 0x1) r4 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r3, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r4, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r3, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-sendmsg$IPVS_CMD_NEW_SERVICE-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$IPVS_CMD_NEW_SERVICE(r0, &(0x7f0000000180)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x50, r1, 0x300, 0x70bd28, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x1}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, 0x0, 0x1, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xb9d}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x4}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x6}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x4}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}, @IPVS_DEST_ATTR_TUN_FLAGS={0x6, 0xf, 0x8}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40090}, 0x40041) r2 = socket$pppl2tp(0x18, 0x1, 0x1) r3 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r2, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r3, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r2, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-syz_genetlink_get_family_id$ipvs-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$ipvs(&(0x7f0000000080), 0xffffffffffffffff) r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$nl_generic-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) socket$nl_generic(0x10, 0x3, 0x10) r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat$selinux_enforce-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") openat$selinux_enforce(0xffffffffffffff9c, &(0x7f0000000140), 0x109200, 0x0) r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Write in pppol2tp_release testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: syz_mount_image$ext4(&(0x7f00000000c0)='ext4\x00', &(0x7f0000000180)='./file1\x00', 0x2084ce, &(0x7f00000001c0), 0x3, 0x454, &(0x7f0000000280)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczBSCFMYwYyKEKBiDK2NM3BuX/guudGOMKxO3ujckxLABXNXc9l6mLW1hSkuV/n7JhXPuPZdznp572nPvaQlgbM1kfyQRWyPi94iYamRbC8w0/rp6+ezStctnl5Ko1d7+K6mXu3L57FJRtDhvS56ZTSPSz5LY3aHe1dNnji9Wq5VTeX5+7cQH86unzzx37MTi0crRysn9hw4dPLDw4gv7nx9InFmbruz6eGXPzjfe++rNw1+0xN8Wx4DM9Dr4ZK024OpGa1tTOpkYYUPYkFJEZN1Vro//qSjFeudNxeufjrRxwFDVarXalu6Hz9WAu1gSrXlDHsZF8UGf3f8WW/sk4OXhTT9G7tIrjRugLO6r+dY4MhFpXqbcdn87SDMR8e65v7/JthjOcwgAgBY/ZPOfZzvN/9J4oKncPfna0HRE3BsR2yPivojYERH3R9TLPhgRD22w/vZFkhvnP+nFvgK7Rdn876V8bat1/lfM/mK6lOe21eMvJ0eOVSv78tdkNsqbsvxCjzp+fO23L7sda57/ZVtWfzEXzNtxcWJT6znLi2uLtxNzs0vnI3ZNdIo/ub4SkETEzojY1Wcdx57+bk+3YzePv4cBrDPVvo14qtH/56It/kLSe31y/n9RreybL66KG/3y64W3utV/W/EPQNb//+94/V+PfzppXq9d3XgdF/74vOs9Tb/X/2TyTj09me/7aHFt7dRCxGRyuNHo5v37188t8kX5LP7ZvZ3H//ZYfyV2R0R2ET8cEY9ExKN52x+LiMcjYm+P+H9+9Yn3+49/uLL4lzfU/+uJyWjf0zlROv7T9y2VTt8Q/7Xe/X+wnprN99zK+9+ttKu/qxkAAAD+e9KI2BpJOnc9naZzc43vy++ISKsrq2vPHFn58ORy4zcC01FOiyddU03PQxfy2/pG/nxENL5aUBw/kD83/rq0uZ6fW1qpLo86eBhzW7qM/8yfpVG3Dhg6v9eC8WX8w/gy/mF8Gf8wvjqM/82jaAdw53X6/P9kBO0A7ry28W/ZD8aI+38YX13H/938P/8AdT7/YSytbo6b/0i+Z6L4l/o8/a5NRPlf0YzbT9SSjp0b6agbVjmVuuqGlhjt+xIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCg/BMAAP//YzDfZQ==") r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: r0 = socket$pppl2tp(0x18, 0x1, 0x1) socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, 0x0, 0x0) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x0, @private}}) program did not crash testing program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, 0x0) program crashed: KASAN: use-after-free Write in pppol2tp_release extracting C reproducer testing compiled C program (duration=36.844359109s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR program crashed: KASAN: use-after-free Write in pppol2tp_release simplifying C reproducer testing compiled C program (duration=36.844359109s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR program crashed: KASAN: use-after-free Write in pppol2tp_release testing compiled C program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR program crashed: KASAN: use-after-free Write in pppol2tp_release testing compiled C program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session testing compiled C program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session testing compiled C program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session testing compiled C program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session testing program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, 0x0) program crashed: KASAN: use-after-free Write in pppol2tp_release validation run: crashed=true testing program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, 0x0) program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue validation run: crashed=true testing program (duration=36.844359109s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$sock_inet_SIOCGIFDSTADDR detailed listing: executing program 0: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$pppl2tp(r0, &(0x7f0000000740)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x4e23, @broadcast}, 0x2, 0x0, 0x4}}, 0x2e) ioctl$sock_inet_SIOCGIFDSTADDR(r0, 0x8917, 0x0) program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session validation run: crashed=true reproducing took 27m28.57697195s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: use-after-free in pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156 Read of size 4 at addr ffff88812a9bb800 by task syz.2.17/374 CPU: 1 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: __dump_stack+0x21/0x30 lib/dump_stack.c:88 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report+0x10f/0x150 mm/kasan/report.c:444 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156 pppol2tp_release+0x150/0x2b0 net/l2tp/l2tp_ppp.c:435 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x200 net/socket.c:1335 __fput+0x22b/0x900 fs/file_table.c:311 ____fput+0x15/0x20 fs/file_table.c:339 task_work_run+0x127/0x190 kernel/task_work.c:188 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0xd0/0xe0 kernel/entry/common.c:181 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:214 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:307 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7f3da4cfae59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb0799a18 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00007fffb0799b00 RCX: 00007f3da4cfae59 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 0000000000006f4e R08: 0000000000000001 R09: 0000000000000000 R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3da4f73fac R14: 00007f3da4f73fa8 R15: 00007f3da4f73fa0 Allocated by task 374: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:433 [inline] ____kasan_kmalloc mm/kasan/common.c:512 [inline] __kasan_kmalloc+0xd4/0x100 mm/kasan/common.c:521 kasan_kmalloc include/linux/kasan.h:227 [inline] __kmalloc+0x13d/0x2c0 mm/slub.c:4436 kmalloc include/linux/slab.h:624 [inline] kzalloc include/linux/slab.h:750 [inline] l2tp_session_create+0x39/0xb60 net/l2tp/l2tp_core.c:1616 pppol2tp_connect+0xbf5/0x1640 net/l2tp/l2tp_ppp.c:772 __sys_connect_file net/socket.c:1922 [inline] __sys_connect+0x3cb/0x450 net/socket.c:1939 __do_sys_connect net/socket.c:1949 [inline] __se_sys_connect net/socket.c:1946 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:1946 x64_sys_call+0x7c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Freed by task 373: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4a/0x70 mm/kasan/common.c:45 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370 ____kasan_slab_free+0x125/0x160 mm/kasan/common.c:365 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373 kasan_slab_free include/linux/kasan.h:193 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1754 slab_free mm/slub.c:3526 [inline] kfree+0xc4/0x270 mm/slub.c:4588 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline] l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193 l2tp_session_delete+0x3a9/0x4a0 net/l2tp/l2tp_core.c:1589 l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1235 [inline] l2tp_tunnel_del_work+0x180/0x3d0 net/l2tp/l2tp_core.c:1273 process_one_work+0x6c8/0xbb0 kernel/workqueue.c:2328 worker_thread+0xaa0/0x1250 kernel/workqueue.c:2475 kthread+0x3f5/0x4f0 kernel/kthread.c:337 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 The buggy address belongs to the object at ffff88812a9bb800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of 512-byte region [ffff88812a9bb800, ffff88812a9bba00) The buggy address belongs to the page: page:ffffea0004aa6e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12a9b8 head:ffffea0004aa6e00 order:2 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=1) raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 368, ts 28506587042, free_ts 27280358948 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x192/0x1b0 mm/page_alloc.c:2607 prep_new_page+0x1c/0x110 mm/page_alloc.c:2613 get_page_from_freelist+0x2c3a/0x2cd0 mm/page_alloc.c:4487 __alloc_pages+0x1a2/0x460 mm/page_alloc.c:5824 alloc_slab_page mm/slub.c:-1 [inline] allocate_slab mm/slub.c:1937 [inline] new_slab+0xa0/0x4d0 mm/slub.c:2000 ___slab_alloc+0x3ac/0x840 mm/slub.c:3033 __slab_alloc+0x49/0x90 mm/slub.c:3120 slab_alloc_node mm/slub.c:3211 [inline] slab_alloc mm/slub.c:3255 [inline] __kmalloc+0x16a/0x2c0 mm/slub.c:4432 __kmalloc_node include/linux/slab.h:487 [inline] kmalloc_node include/linux/slab.h:642 [inline] kzalloc_node include/linux/slab.h:761 [inline] qdisc_alloc+0x79/0x7b0 net/sched/sch_generic.c:891 qdisc_create_dflt+0x6b/0x390 net/sched/sch_generic.c:953 attach_one_default_qdisc net/sched/sch_generic.c:1116 [inline] netdev_for_each_tx_queue include/linux/netdevice.h:2411 [inline] attach_default_qdiscs net/sched/sch_generic.c:1134 [inline] dev_activate+0x28e/0x1030 net/sched/sch_generic.c:1193 __dev_open+0x3e9/0x500 net/core/dev.c:1567 __dev_change_flags+0x1e4/0x6a0 net/core/dev.c:8887 dev_change_flags+0x80/0x1a0 net/core/dev.c:8958 do_setlink+0xc95/0x2970 net/core/rtnetlink.c:2782 __rtnl_newlink net/core/rtnetlink.c:3453 [inline] rtnl_newlink+0x1598/0x1900 net/core/rtnetlink.c:3575 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1474 [inline] free_pcp_prepare mm/page_alloc.c:1546 [inline] free_unref_page_prepare+0x5fa/0x600 mm/page_alloc.c:3536 free_unref_page+0xae/0x540 mm/page_alloc.c:3618 free_the_page mm/page_alloc.c:805 [inline] __free_pages+0x6c/0x100 mm/page_alloc.c:5900 __vunmap+0x801/0x980 mm/vmalloc.c:2660 __vfree mm/vmalloc.c:2709 [inline] vfree+0x8b/0xc0 mm/vmalloc.c:2740 kcov_put kernel/kcov.c:417 [inline] kcov_close+0x2b/0x50 kernel/kcov.c:519 __fput+0x22b/0x900 fs/file_table.c:311 ____fput+0x15/0x20 fs/file_table.c:339 task_work_run+0x127/0x190 kernel/task_work.c:188 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0xb70/0x29a0 kernel/exit.c:890 do_group_exit+0x149/0x310 kernel/exit.c:1004 get_signal+0x64f/0x1430 kernel/signal.c:2907 arch_do_signal_or_restart+0xe2/0x1100 arch/x86/kernel/signal.c:867 handle_signal_work kernel/entry/common.c:154 [inline] exit_to_user_mode_loop+0xa7/0xe0 kernel/entry/common.c:178 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:214 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:307 Memory state around the buggy address: ffff88812a9bb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88812a9bb780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88812a9bb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88812a9bb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88812a9bb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ------------[ cut here ]------------ WARNING: CPU: 0 PID: 374 at net/l2tp/l2tp_ppp.c:156 pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156 Modules linked in: CPU: 0 PID: 374 Comm: syz.2.17 Tainted: G B syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 RIP: 0010:pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156 Code: 5d c3 e8 cc f2 0b fd be 02 00 00 00 eb 0a e8 c0 f2 0b fd be 01 00 00 00 4c 89 f7 e8 13 62 f2 fd e9 0f ff ff ff e8 a9 f2 0b fd <0f> 0b 48 89 df e8 ef 00 00 00 eb bd e8 98 f2 0b fd 4c 89 f7 be 03 RSP: 0018:ffffc90003fc7d10 EFLAGS: 00010293 RAX: ffffffff845db907 RBX: ffff8881112c0000 RCX: ffff88810ca64f00 RDX: 0000000000000000 RSI: 000000000ab07e20 RDI: 000000000c04eb7d RBP: ffffc90003fc7d30 R08: 0000000000000003 R09: 0000000000000004 R10: dffffc0000000000 R11: fffffbfff0e18c4c R12: dffffc0000000000 R13: dffffc0000000000 R14: 000000000ab07e20 R15: ffff88812a9bb800 FS: 00005555874c6500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3da5aa3000 CR3: 000000011fd11000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: pppol2tp_release+0x150/0x2b0 net/l2tp/l2tp_ppp.c:435 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x200 net/socket.c:1335 __fput+0x22b/0x900 fs/file_table.c:311 ____fput+0x15/0x20 fs/file_table.c:339 task_work_run+0x127/0x190 kernel/task_work.c:188 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0xd0/0xe0 kernel/entry/common.c:181 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:214 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:307 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7f3da4cfae59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb0799a18 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00007fffb0799b00 RCX: 00007f3da4cfae59 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 0000000000006f4e R08: 0000000000000001 R09: 0000000000000000 R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3da4f73fac R14: 00007f3da4f73fa8 R15: 00007f3da4f73fa0 ---[ end trace 4b1593541c7a8dc6 ]--- final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: use-after-free in pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156 Read of size 4 at addr ffff88812a9bb800 by task syz.2.17/374 CPU: 1 PID: 374 Comm: syz.2.17 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: __dump_stack+0x21/0x30 lib/dump_stack.c:88 dump_stack_lvl+0x110/0x170 lib/dump_stack.c:106 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report+0x10f/0x150 mm/kasan/report.c:444 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 pppol2tp_sock_to_session+0x1a0/0x1b0 net/l2tp/l2tp_ppp.c:156 pppol2tp_release+0x150/0x2b0 net/l2tp/l2tp_ppp.c:435 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x200 net/socket.c:1335 __fput+0x22b/0x900 fs/file_table.c:311 ____fput+0x15/0x20 fs/file_table.c:339 task_work_run+0x127/0x190 kernel/task_work.c:188 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0xd0/0xe0 kernel/entry/common.c:181 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:214 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:307 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7f3da4cfae59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb0799a18 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00007fffb0799b00 RCX: 00007f3da4cfae59 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 0000000000006f4e R08: 0000000000000001 R09: 0000000000000000 R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3da4f73fac R14: 00007f3da4f73fa8 R15: 00007f3da4f73fa0 Allocated by task 374: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:433 [inline] ____kasan_kmalloc mm/kasan/common.c:512 [inline] __kasan_kmalloc+0xd4/0x100 mm/kasan/common.c:521 kasan_kmalloc include/linux/kasan.h:227 [inline] __kmalloc+0x13d/0x2c0 mm/slub.c:4436 kmalloc include/linux/slab.h:624 [inline] kzalloc include/linux/slab.h:750 [inline] l2tp_session_create+0x39/0xb60 net/l2tp/l2tp_core.c:1616 pppol2tp_connect+0xbf5/0x1640 net/l2tp/l2tp_ppp.c:772 __sys_connect_file net/socket.c:1922 [inline] __sys_connect+0x3cb/0x450 net/socket.c:1939 __do_sys_connect net/socket.c:1949 [inline] __se_sys_connect net/socket.c:1946 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:1946 x64_sys_call+0x7c/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Freed by task 373: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4a/0x70 mm/kasan/common.c:45 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370 ____kasan_slab_free+0x125/0x160 mm/kasan/common.c:365 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373 kasan_slab_free include/linux/kasan.h:193 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1754 slab_free mm/slub.c:3526 [inline] kfree+0xc4/0x270 mm/slub.c:4588 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline] l2tp_session_put+0xaf/0x1a0 net/l2tp/l2tp_core.c:193 l2tp_session_delete+0x3a9/0x4a0 net/l2tp/l2tp_core.c:1589 l2tp_tunnel_closeall net/l2tp/l2tp_core.c:1235 [inline] l2tp_tunnel_del_work+0x180/0x3d0 net/l2tp/l2tp_core.c:1273 process_one_work+0x6c8/0xbb0 kernel/workqueue.c:2328 worker_thread+0xaa0/0x1250 kernel/workqueue.c:2475 kthread+0x3f5/0x4f0 kernel/kthread.c:337 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 The buggy address belongs to the object at ffff88812a9bb800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of 512-byte region [ffff88812a9bb800, ffff88812a9bba00) The buggy address belongs to the page: page:ffffea0004aa6e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12a9b8 head:ffffea0004aa6e00 order:2 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=1) raw: 4000000000010200 0000000000000000 dead000000000122 ffff888100042f00 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 368, ts 28506587042, free_ts 27280358948 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x192/0x1b0 mm/page_alloc.c:2607 prep_new_page+0x1c/0x110 mm/page_alloc.c:2613 get_page_from_freelist+0x2c3a/0x2cd0 mm/page_alloc.c:4487 __alloc_pages+0x1a2/0x460 mm/page_alloc.c:5824 alloc_slab_page mm/slub.c:-1 [inline] allocate_slab mm/slub.c:1937 [inline] new_slab+0xa0/0x4d0 mm/slub.c:2000 ___slab_alloc+0x3ac/0x840 mm/slub.c:3033 __slab_alloc+0x49/0x90 mm/slub.c:3120 slab_alloc_node mm/slub.c:3211 [inline] slab_alloc mm/slub.c:3255 [inline] __kmalloc+0x16a/0x2c0 mm/slub.c:4432 __kmalloc_node include/linux/slab.h:487 [inline] kmalloc_node include/linux/slab.h:642 [inline] kzalloc_node include/linux/slab.h:761 [inline] qdisc_alloc+0x79/0x7b0 net/sched/sch_generic.c:891 qdisc_create_dflt+0x6b/0x390 net/sched/sch_generic.c:953 attach_one_default_qdisc net/sched/sch_generic.c:1116 [inline] netdev_for_each_tx_queue include/linux/netdevice.h:2411 [inline] attach_default_qdiscs net/sched/sch_generic.c:1134 [inline] dev_activate+0x28e/0x1030 net/sched/sch_generic.c:1193 __dev_open+0x3e9/0x500 net/core/dev.c:1567 __dev_change_flags+0x1e4/0x6a0 net/core/dev.c:8887 dev_change_flags+0x80/0x1a0 net/core/dev.c:8958 do_setlink+0xc95/0x2970 net/core/rtnetlink.c:2782 __rtnl_newlink net/core/rtnetlink.c:3453 [inline] rtnl_newlink+0x1598/0x1900 net/core/rtnetlink.c:3575 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1474 [inline] free_pcp_prepare mm/page_alloc.c:1546 [inline] free_unref_page_prepare+0x5fa/0x600 mm/page_alloc.c:3536 free_unref_page+0xae/0x540 mm/page_alloc.c:3618 free_the_page mm/page_alloc.c:805 [inline] __free_pages+0x6c/0x100 mm/page_alloc.c:5900 __vunmap+0x801/0x980 mm/vmalloc.c:2660 __vfree mm/vmalloc.c:2709 [inline] vfree+0x8b/0xc0 mm/vmalloc.c:2740 kcov_put kernel/kcov.c:417 [inline] kcov_close+0x2b/0x50 kernel/kcov.c:519 __fput+0x22b/0x900 fs/file_table.c:311 ____fput+0x15/0x20 fs/file_table.c:339 task_work_run+0x127/0x190 kernel/task_work.c:188 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0xb70/0x29a0 kernel/exit.c:890 do_group_exit+0x149/0x310 kernel/exit.c:1004 get_signal+0x64f/0x1430 kernel/signal.c:2907 arch_do_signal_or_restart+0xe2/0x1100 arch/x86/kernel/signal.c:867 handle_signal_work kernel/entry/common.c:154 [inline] exit_to_user_mode_loop+0xa7/0xe0 kernel/entry/common.c:178 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:214 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:307 Memory state around the buggy address: ffff88812a9bb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88812a9bb780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88812a9bb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88812a9bb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88812a9bb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ------------[ cut here ]------------ WARNING: CPU: 0 PID: 374 at net/l2tp/l2tp_ppp.c:156 pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156 Modules linked in: CPU: 0 PID: 374 Comm: syz.2.17 Tainted: G B syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 RIP: 0010:pppol2tp_sock_to_session+0x167/0x1b0 net/l2tp/l2tp_ppp.c:156 Code: 5d c3 e8 cc f2 0b fd be 02 00 00 00 eb 0a e8 c0 f2 0b fd be 01 00 00 00 4c 89 f7 e8 13 62 f2 fd e9 0f ff ff ff e8 a9 f2 0b fd <0f> 0b 48 89 df e8 ef 00 00 00 eb bd e8 98 f2 0b fd 4c 89 f7 be 03 RSP: 0018:ffffc90003fc7d10 EFLAGS: 00010293 RAX: ffffffff845db907 RBX: ffff8881112c0000 RCX: ffff88810ca64f00 RDX: 0000000000000000 RSI: 000000000ab07e20 RDI: 000000000c04eb7d RBP: ffffc90003fc7d30 R08: 0000000000000003 R09: 0000000000000004 R10: dffffc0000000000 R11: fffffbfff0e18c4c R12: dffffc0000000000 R13: dffffc0000000000 R14: 000000000ab07e20 R15: ffff88812a9bb800 FS: 00005555874c6500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3da5aa3000 CR3: 000000011fd11000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: pppol2tp_release+0x150/0x2b0 net/l2tp/l2tp_ppp.c:435 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x200 net/socket.c:1335 __fput+0x22b/0x900 fs/file_table.c:311 ____fput+0x15/0x20 fs/file_table.c:339 task_work_run+0x127/0x190 kernel/task_work.c:188 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0xd0/0xe0 kernel/entry/common.c:181 exit_to_user_mode_prepare+0x87/0xd0 kernel/entry/common.c:214 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:307 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7f3da4cfae59 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb0799a18 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00007fffb0799b00 RCX: 00007f3da4cfae59 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 0000000000006f4e R08: 0000000000000001 R09: 0000000000000000 R10: 0000001b32f20000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3da4f73fac R14: 00007f3da4f73fa8 R15: 00007f3da4f73fa0 ---[ end trace 4b1593541c7a8dc6 ]---