Extracting prog: 37.531824929s Minimizing prog: 48m53.334030501s Simplifying prog options: 0s Extracting C: 39.292809347s Simplifying C: 9m12.2947618s extracting reproducer from 37 programs first checking the prog from the crash report single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX-syz_genetlink_get_family_id$mptcp-sendmsg$MPTCP_PM_CMD_SET_LIMITS-sendmsg$nl_route_sched-ioctl$FS_IOC_GET_ENCRYPTION_NONCE-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST-sendmsg$NFT_BATCH detailed listing: executing program 0: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r1 = socket$inet_sctp(0x2, 0x5, 0x84) close(r1) r2 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r4 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r3, r5, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r6 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r6, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r2, &(0x7f0000000340)=ANY=[], 0x4b) r7 = socket$inet6_sctp(0xa, 0x5, 0x84) r8 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00', 0x0}) r10 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), r4) sendmsg$MPTCP_PM_CMD_SET_LIMITS(r4, &(0x7f0000000600)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)={0x2c, r10, 0x400, 0x70bd27, 0x25dfdbfc, {}, [@MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x8}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x5}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xffc3}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4008000}, 0x24004000) sendmsg$nl_route_sched(r8, &(0x7f0000001200)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001240)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70bd27, 0x4000000, {0x0, 0x0, 0x0, r9, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_fq={{0x7}, {0x4, 0x0}}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000040}, 0x854) ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r7, 0x8010661b, &(0x7f0000000100)) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r7, 0x84, 0x6f, &(0x7f0000000040)={0x0, 0x10, &(0x7f0000000000)=[@in={0x2, 0x0, @private=0xa010101}]}, &(0x7f0000000080)=0x10) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r7, 0x84, 0x1d, &(0x7f0000000140)={0x1, [0x0]}, &(0x7f0000000240)=0x8) sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x8, &(0x7f0000000000)={&(0x7f0000000200)={{0x14, 0x10, 0xc00e}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x3, 0x0, 0x4000000, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWSET={0x3c, 0x9, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_SET_ID={0x8}, @NFTA_SET_NAME={0x9, 0x2, 'syz2\x00'}, @NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x3}]}, @NFT_MSG_NEWSETELEM={0x78, 0xc, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz2\x00'}, @NFTA_SET_ELEM_LIST_ELEMENTS={0x4c, 0x3, 0x0, 0x1, [{0x48, 0x0, 0x0, 0x1, [@NFTA_SET_ELEM_FLAGS={0xb}, @NFTA_SET_ELEM_EXPRESSIONS={0x3c, 0xb, 0x0, 0x1, [{0x20, 0x7, 0x0, 0x1, @connlimit={{0xe}, @val={0xc, 0x2, 0x0, 0x1, [@NFTA_CONNLIMIT_COUNT={0x8}]}}}, {0x18, 0x1, 0x0, 0x1, @connlimit={{0x4, 0x2}, @val={0x4}}}]}]}]}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14, 0x10}}, 0xfc}}, 0x0) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags single: successfully extracted reproducer found reproducer with 23 syscalls minimizing guilty program testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX-syz_genetlink_get_family_id$mptcp-sendmsg$MPTCP_PM_CMD_SET_LIMITS-sendmsg$nl_route_sched-ioctl$FS_IOC_GET_ENCRYPTION_NONCE-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) r6 = socket$inet6_sctp(0xa, 0x5, 0x84) r7 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00', 0x0}) r9 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), r3) sendmsg$MPTCP_PM_CMD_SET_LIMITS(r3, &(0x7f0000000600)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)={0x2c, r9, 0x400, 0x70bd27, 0x25dfdbfc, {}, [@MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x8}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x5}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xffc3}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4008000}, 0x24004000) sendmsg$nl_route_sched(r7, &(0x7f0000001200)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001240)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70bd27, 0x4000000, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_fq={{0x7}, {0x4, 0x0}}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000040}, 0x854) ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r6, 0x8010661b, &(0x7f0000000100)) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r6, 0x84, 0x6f, &(0x7f0000000040)={0x0, 0x10, &(0x7f0000000000)=[@in={0x2, 0x0, @private=0xa010101}]}, &(0x7f0000000080)=0x10) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r6, 0x84, 0x1d, &(0x7f0000000140)={0x1, [0x0]}, &(0x7f0000000240)=0x8) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX-syz_genetlink_get_family_id$mptcp-sendmsg$MPTCP_PM_CMD_SET_LIMITS-sendmsg$nl_route_sched-ioctl$FS_IOC_GET_ENCRYPTION_NONCE-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3 detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) r6 = socket$inet6_sctp(0xa, 0x5, 0x84) r7 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00', 0x0}) r9 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), r3) sendmsg$MPTCP_PM_CMD_SET_LIMITS(r3, &(0x7f0000000600)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)={0x2c, r9, 0x400, 0x70bd27, 0x25dfdbfc, {}, [@MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x8}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x5}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xffc3}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4008000}, 0x24004000) sendmsg$nl_route_sched(r7, &(0x7f0000001200)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001240)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70bd27, 0x4000000, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_fq={{0x7}, {0x4, 0x0}}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000040}, 0x854) ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r6, 0x8010661b, &(0x7f0000000100)) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r6, 0x84, 0x6f, &(0x7f0000000040)={0x0, 0x10, &(0x7f0000000000)=[@in={0x2, 0x0, @private=0xa010101}]}, &(0x7f0000000080)=0x10) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX-syz_genetlink_get_family_id$mptcp-sendmsg$MPTCP_PM_CMD_SET_LIMITS-sendmsg$nl_route_sched-ioctl$FS_IOC_GET_ENCRYPTION_NONCE detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) r6 = socket$inet6_sctp(0xa, 0x5, 0x84) r7 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00', 0x0}) r9 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), r3) sendmsg$MPTCP_PM_CMD_SET_LIMITS(r3, &(0x7f0000000600)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)={0x2c, r9, 0x400, 0x70bd27, 0x25dfdbfc, {}, [@MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x8}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x5}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xffc3}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4008000}, 0x24004000) sendmsg$nl_route_sched(r7, &(0x7f0000001200)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001240)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70bd27, 0x4000000, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_fq={{0x7}, {0x4, 0x0}}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000040}, 0x854) ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r6, 0x8010661b, &(0x7f0000000100)) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX-syz_genetlink_get_family_id$mptcp-sendmsg$MPTCP_PM_CMD_SET_LIMITS-sendmsg$nl_route_sched detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) socket$inet6_sctp(0xa, 0x5, 0x84) r6 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00', 0x0}) r8 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), r3) sendmsg$MPTCP_PM_CMD_SET_LIMITS(r3, &(0x7f0000000600)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)={0x2c, r8, 0x400, 0x70bd27, 0x25dfdbfc, {}, [@MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x8}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x5}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xffc3}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4008000}, 0x24004000) sendmsg$nl_route_sched(r6, &(0x7f0000001200)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000001240)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70bd27, 0x4000000, {0x0, 0x0, 0x0, r7, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_fq={{0x7}, {0x4, 0x0}}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000040}, 0x854) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX-syz_genetlink_get_family_id$mptcp-sendmsg$MPTCP_PM_CMD_SET_LIMITS detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) socket$inet6_sctp(0xa, 0x5, 0x84) r6 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00'}) r7 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), r3) sendmsg$MPTCP_PM_CMD_SET_LIMITS(r3, &(0x7f0000000600)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000380)={&(0x7f0000000400)={0x2c, r7, 0x400, 0x70bd27, 0x25dfdbfc, {}, [@MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x8}, @MPTCP_PM_ATTR_RCV_ADD_ADDRS={0x8, 0x2, 0x5}, @MPTCP_PM_ATTR_TOKEN={0x8, 0x4, 0xffc3}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4008000}, 0x24004000) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX-syz_genetlink_get_family_id$mptcp detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) socket$inet6_sctp(0xa, 0x5, 0x84) r6 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00'}) syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), r3) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route-ioctl$sock_SIOCGIFINDEX detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) socket$inet6_sctp(0xa, 0x5, 0x84) r6 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f00000003c0)={'veth1_to_hsr\x00'}) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp-socket$nl_route detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) socket$inet6_sctp(0xa, 0x5, 0x84) socket$nl_route(0x10, 0x3, 0x0) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-socket$inet6_sctp detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) socket$inet6_sctp(0xa, 0x5, 0x84) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) socket$kcm(0x2, 0xa, 0x2) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00'}) r3 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) socket$nl_generic(0x10, 0x3, 0x10) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, 0x0, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r3 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={0xffffffffffffffff, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-openat$tun-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) r1 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) r2 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r2, r4, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r5 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r1, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-close-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = socket$inet_sctp(0x2, 0x5, 0x84) close(r0) ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(0xffffffffffffffff, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-socket$inet_sctp-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) socket$inet_sctp(0x2, 0x5, 0x84) r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-bpf$BPF_PROG_DETACH-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000240)={@cgroup, 0xffffffffffffffff, 0x1b, 0x0, 0x4000}, 0x20) r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: socket$nl_netfilter(0x10, 0x3, 0xc) r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, 0x0, 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, 0x0, 0x0) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, 0x0, &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, 0x0) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, 0x0, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r3 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r1 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00'}) bpf$BPF_LINK_CREATE_XDP(0x1c, 0x0, 0x0) r2 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r2, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, 0x0) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program did not crash testing program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, 0x0, 0x4b) program did not crash extracting C reproducer testing compiled C program (duration=47.120046168s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags simplifying C reproducer testing compiled C program (duration=47.120046168s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing compiled C program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing compiled C program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing compiled C program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing compiled C program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing compiled C program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing compiled C program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun program crashed: KASAN: slab-use-after-free Read in napi_gro_frags testing program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags validation run: crashed=true testing program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags validation run: crashed=true testing program (duration=47.120046168s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-bpf$PROG_LOAD-socket$nl_generic-ioctl$sock_SIOCGIFINDEX-bpf$BPF_LINK_CREATE_XDP-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun detailed listing: executing program 0: r0 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000540)={0x6, 0x3, &(0x7f0000000480)=ANY=[@ANYBLOB="1800000002000000000000000000000095"], &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x27, '\x00', 0x0, @xdp=0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000004c0)={'syzkaller1\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000980)={r1, r3, 0x25, 0x4, @val=@uprobe_multi={0x0, 0x0, 0x0, 0x8}}, 0x40) r4 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r0, &(0x7f0000000340)=ANY=[], 0x4b) program crashed: KASAN: slab-use-after-free Read in napi_gro_frags validation run: crashed=true reproducing took 1h3m28.853926547s repro crashed as (corrupted=false): syz.0.17 uses obsolete (PF_INET,SOCK_PACKET) ================================================================== BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline] BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline] BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758 Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079 CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 skb_reset_mac_header include/linux/skbuff.h:3150 [inline] napi_frags_skb net/core/gro.c:723 [inline] napi_gro_frags+0x6e/0x1030 net/core/gro.c:758 tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2f9b98ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffe90190e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f2f9bbc5fa0 RCX: 00007f2f9b98ebe9 RDX: 000000000000004b RSI: 0000200000000340 RDI: 0000000000000003 RBP: 00007f2f9ba11e19 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f2f9bbc5fa0 R14: 00007f2f9bbc5fa0 R15: 0000000000000003 Allocated by task 6079: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:330 [inline] __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558 kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline] napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295 __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657 napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811 napi_get_frags+0x69/0x140 net/core/gro.c:673 tun_napi_alloc_frags drivers/net/tun.c:1404 [inline] tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6079: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2422 [inline] slab_free mm/slub.c:4695 [inline] kmem_cache_free+0x18f/0x400 mm/slub.c:4797 skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969 netif_skb_check_for_xdp net/core/dev.c:5390 [inline] netif_receive_generic_xdp net/core/dev.c:5431 [inline] do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499 tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88802ef22b40 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 216 bytes inside of freed 240-byte region [ffff88802ef22b40, ffff88802ef22c30) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2ef22 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000000 ffff88801e29ca00 ffffea0000a31b80 dead000000000004 raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 19816261324, free_ts 18915708978 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2492 [inline] allocate_slab+0x8a/0x370 mm/slub.c:2660 new_slab mm/slub.c:2714 [inline] ___slab_alloc+0xbeb/0x1420 mm/slub.c:3901 __slab_alloc mm/slub.c:3992 [inline] __slab_alloc_node mm/slub.c:4067 [inline] slab_alloc_node mm/slub.c:4228 [inline] kmem_cache_alloc_node_noprof+0x280/0x3c0 mm/slub.c:4292 __alloc_skb+0x112/0x2d0 net/core/skbuff.c:659 alloc_skb include/linux/skbuff.h:1377 [inline] nlmsg_new include/net/netlink.h:1055 [inline] rtmsg_ifinfo_build_skb+0x84/0x260 net/core/rtnetlink.c:4392 rtmsg_ifinfo_event net/core/rtnetlink.c:4434 [inline] rtmsg_ifinfo+0x8c/0x1a0 net/core/rtnetlink.c:4443 register_netdevice+0x1712/0x1ae0 net/core/dev.c:11307 register_netdev+0x40/0x60 net/core/dev.c:11371 nr_proto_init+0x145/0x710 net/netrom/af_netrom.c:1424 do_one_initcall+0x233/0x820 init/main.c:1269 do_initcall_level+0x104/0x190 init/main.c:1331 do_initcalls+0x59/0xa0 init/main.c:1347 page last free pid 920 tgid 920 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895 vfree+0x25a/0x400 mm/vmalloc.c:3434 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3353 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff88802ef22b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff88802ef22b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802ef22c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc ^ ffff88802ef22c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802ef22d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ================================================================== final repro crashed as (corrupted=false): syz.0.17 uses obsolete (PF_INET,SOCK_PACKET) ================================================================== BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline] BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline] BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758 Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079 CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 skb_reset_mac_header include/linux/skbuff.h:3150 [inline] napi_frags_skb net/core/gro.c:723 [inline] napi_gro_frags+0x6e/0x1030 net/core/gro.c:758 tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2f9b98ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffe90190e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f2f9bbc5fa0 RCX: 00007f2f9b98ebe9 RDX: 000000000000004b RSI: 0000200000000340 RDI: 0000000000000003 RBP: 00007f2f9ba11e19 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f2f9bbc5fa0 R14: 00007f2f9bbc5fa0 R15: 0000000000000003 Allocated by task 6079: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:330 [inline] __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558 kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline] napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295 __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657 napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811 napi_get_frags+0x69/0x140 net/core/gro.c:673 tun_napi_alloc_frags drivers/net/tun.c:1404 [inline] tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6079: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2422 [inline] slab_free mm/slub.c:4695 [inline] kmem_cache_free+0x18f/0x400 mm/slub.c:4797 skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969 netif_skb_check_for_xdp net/core/dev.c:5390 [inline] netif_receive_generic_xdp net/core/dev.c:5431 [inline] do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499 tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88802ef22b40 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 216 bytes inside of freed 240-byte region [ffff88802ef22b40, ffff88802ef22c30) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2ef22 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000000 ffff88801e29ca00 ffffea0000a31b80 dead000000000004 raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 19816261324, free_ts 18915708978 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2492 [inline] allocate_slab+0x8a/0x370 mm/slub.c:2660 new_slab mm/slub.c:2714 [inline] ___slab_alloc+0xbeb/0x1420 mm/slub.c:3901 __slab_alloc mm/slub.c:3992 [inline] __slab_alloc_node mm/slub.c:4067 [inline] slab_alloc_node mm/slub.c:4228 [inline] kmem_cache_alloc_node_noprof+0x280/0x3c0 mm/slub.c:4292 __alloc_skb+0x112/0x2d0 net/core/skbuff.c:659 alloc_skb include/linux/skbuff.h:1377 [inline] nlmsg_new include/net/netlink.h:1055 [inline] rtmsg_ifinfo_build_skb+0x84/0x260 net/core/rtnetlink.c:4392 rtmsg_ifinfo_event net/core/rtnetlink.c:4434 [inline] rtmsg_ifinfo+0x8c/0x1a0 net/core/rtnetlink.c:4443 register_netdevice+0x1712/0x1ae0 net/core/dev.c:11307 register_netdev+0x40/0x60 net/core/dev.c:11371 nr_proto_init+0x145/0x710 net/netrom/af_netrom.c:1424 do_one_initcall+0x233/0x820 init/main.c:1269 do_initcall_level+0x104/0x190 init/main.c:1331 do_initcalls+0x59/0xa0 init/main.c:1347 page last free pid 920 tgid 920 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895 vfree+0x25a/0x400 mm/vmalloc.c:3434 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3353 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff88802ef22b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff88802ef22b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802ef22c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc ^ ffff88802ef22c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802ef22d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ==================================================================