Extracting prog: 20m28.894260458s
Minimizing prog: 1h46m12.77169179s
Simplifying prog options: 0s
Extracting C: 1m24.18995217s
Simplifying C: 11m58.911094145s


extracting reproducer from 42 programs
testing a last program of every proc
single: executing 12 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-socket$inet_tcp-socket-getsockname$packet-sendmsg$nl_route_sched-sendmsg$IPCTNL_MSG_CT_NEW-sendmsg$nl_route_sched-openat$cgroup_ro-ioctl$FS_IOC_RESVSP-socket$netlink-sendmmsg-socket-connect$netlink-sendmsg$nl_route_sched-socket$packet-unshare-recvmmsg-socket$inet6_mptcp-getsockopt$inet6_tcp_int-socket$inet_udp-setsockopt$packet_int-setsockopt$packet_rx_ring-openat$tun-ioctl$TUNSETIFF-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-setsockopt$inet_tcp_TCP_MD5SIG-setsockopt$inet_tcp_TCP_MD5SIG-close
detailed listing:
executing program 0:
socket(0x2000000000000021, 0x2, 0x10000000000002) (async, rerun: 32)
r0 = socket$inet_tcp(0x2, 0x1, 0x0) (rerun: 32)
r1 = socket(0x2a, 0x2, 0x0)
getsockname$packet(r1, &(0x7f0000000200)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000400)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r2, {}, {0xffff, 0xffff}, {0x0, 0xfff1}}}, 0x24}}, 0x44884) (async)
sendmsg$IPCTNL_MSG_CT_NEW(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@newtfilter={0x3c, 0x2c, 0xd27, 0x70bd2d, 0x25dfdbfc, {0x0, 0x0, 0x0, r2, {0xd}, {}, {0x6, 0x10}}, [@filter_kind_options=@f_flower={{0xb}, {0xc, 0x2, [@TCA_FLOWER_KEY_CT_STATE={0x6, 0x5b, 0x9}]}}]}, 0x3c}}, 0x2000c800)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.controllers\x00', 0x275a, 0x0)
ioctl$FS_IOC_RESVSP(r3, 0x40305839, &(0x7f00000002c0)={0x0, 0x7, 0xefff, 0xfa64}) (async)
r4 = socket$netlink(0x10, 0x3, 0x0)
sendmmsg(r4, &(0x7f00000002c0), 0x40000000000009f, 0x0) (async)
r5 = socket(0x10, 0x3, 0x0)
connect$netlink(r5, &(0x7f00000014c0)=@proc={0x10, 0x0, 0x1}, 0xc)
sendmsg$nl_route_sched(r5, &(0x7f0000000080)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000040)={&(0x7f0000000180)=@newtaction={0x18, 0x30, 0x829, 0x20000, 0x0, {}, [{0x4}]}, 0x18}}, 0x0) (async, rerun: 64)
r6 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
unshare(0x22020600)
recvmmsg(r6, &(0x7f000000a400)=[{{&(0x7f0000000500)=@nfc, 0x80, &(0x7f0000000600)=[{&(0x7f0000000140)}, {&(0x7f0000000580)=""/119, 0x77}], 0x2, &(0x7f0000000640)=""/156, 0x9c}, 0x7}, {{&(0x7f0000000700)=@x25={0x9, @remote}, 0x80, &(0x7f0000000940)=[{&(0x7f0000000780)=""/171, 0xab}, {&(0x7f0000000840)=""/60, 0x3c}, {&(0x7f0000000880)=""/136, 0x88}], 0x3, &(0x7f0000000980)=""/10, 0xa}, 0x8}, {{&(0x7f00000009c0)=@l2tp6={0xa, 0x0, 0x0, @empty}, 0x80, &(0x7f0000000ec0)=[{&(0x7f0000000a40)=""/195, 0xc3}, {&(0x7f0000001500)=""/4096, 0x1000}, {&(0x7f0000000b40)=""/240, 0xf0}, {&(0x7f0000002500)=""/4096, 0x1000}, {&(0x7f0000000c40)=""/236, 0xec}, {&(0x7f0000000d40)=""/41, 0x29}, {&(0x7f0000000d80)=""/83, 0x53}, {&(0x7f0000000e00)=""/135, 0x87}, {&(0x7f0000003500)=""/4096, 0x1000}], 0x9, &(0x7f0000004500)=""/4096, 0x1000}, 0x29}, {{&(0x7f0000000f80)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000005500)=[{&(0x7f0000001000)=""/143, 0x8f}, {&(0x7f00000010c0)=""/157, 0x9d}, {&(0x7f0000001180)=""/163, 0xa3}, {&(0x7f0000001240)=""/2, 0x2}, {&(0x7f0000001280)=""/29, 0x1d}, {&(0x7f00000012c0)=""/244, 0xf4}, {&(0x7f00000013c0)=""/89, 0x59}], 0x7, &(0x7f0000005580)=""/213, 0xd5}, 0x6}, {{&(0x7f0000005680)=@phonet, 0x80, &(0x7f0000005ac0)=[{&(0x7f0000005700)=""/204, 0xcc}, {&(0x7f0000005800)=""/228, 0xe4}, {&(0x7f0000001440)=""/36, 0x24}, {&(0x7f0000005900)=""/83, 0x53}, {&(0x7f0000005980)=""/146, 0x92}, {&(0x7f0000005a40)=""/115, 0x73}], 0x6, &(0x7f0000005b40)=""/17, 0x11}, 0x1ff}, {{&(0x7f0000005b80)=@rxrpc=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x0, @loopback}}, 0x80, &(0x7f0000008f00)=[{&(0x7f0000005c00)=""/94, 0x5e}, {&(0x7f0000005c80)=""/4096, 0x1000}, {&(0x7f0000006c80)=""/155, 0x9b}, {&(0x7f0000006d40)=""/136, 0x88}, {&(0x7f0000006e00)=""/4096, 0x1000}, {&(0x7f0000007e00)=""/15, 0xf}, {&(0x7f0000007e40)=""/126, 0x7e}, {&(0x7f0000007ec0)=""/4096, 0x1000}, {&(0x7f0000008ec0)=""/30, 0x1e}], 0x9, &(0x7f0000008fc0)=""/146, 0x92}, 0x80000001}, {{&(0x7f0000009080)=@nfc_llcp, 0x80, &(0x7f000000a380)=[{&(0x7f0000009100)=""/105, 0x69}, {&(0x7f0000009180)=""/209, 0xd1}, {&(0x7f0000009280)=""/127, 0x7f}, {&(0x7f0000009300)=""/115, 0x73}, {&(0x7f0000009380)=""/4096, 0x1000}], 0x5}, 0xfff}], 0x7, 0x40000120, 0x0) (async)
r7 = socket$inet6_mptcp(0xa, 0x1, 0x106)
getsockopt$inet6_tcp_int(r7, 0x6, 0x5, 0x0, 0x0) (async)
socket$inet_udp(0x2, 0x2, 0x0) (async)
setsockopt$packet_int(r6, 0x107, 0xf, &(0x7f0000000240)=0x2, 0x4)
setsockopt$packet_rx_ring(r6, 0x107, 0x5, &(0x7f0000000000)=@req3={0x1000, 0x3a, 0x1000, 0x3a}, 0x1c) (async, rerun: 32)
r8 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) (rerun: 32)
ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32})
r9 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r9, 0x8914, 0x0) (async, rerun: 32)
write$tun(r8, &(0x7f0000000200)=ANY=[@ANYRES16=r9], 0x4a) (rerun: 32)
setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in={{0x2, 0x4e22, @multicast2}}, 0x0, 0x0, 0xb, 0x0, "f6a7346a1ca3caf66200f0e70b995efa20d5ddc09c0bc0c88e00bdea5e6998967d569964c8b68dae57dea91c0e3ef03a96483bcaaa5ab222d1993083e8e3619fbbff30da0288a8b78a3f921c40fdc06a"}, 0xd8)
setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000400)={@in={{0x2, 0x4e20, @multicast2}}, 0x0, 0x0, 0x0, 0x0, "698e86252c563a2eb894ac1de863c527984bfa5ff139aeeef086eed112e6f0ffba88c7d0888990f99dc2416c1cbccf99d18464a65c3587c97aee9217b992893cebfc606ada5e14e782e63da22a6fe97d"}, 0xd8) (async)
close(0x4)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-socket$inet_tcp-socket-getsockname$packet-sendmsg$nl_route_sched-sendmsg$IPCTNL_MSG_CT_NEW-sendmsg$nl_route_sched-openat$cgroup_ro-ioctl$FS_IOC_RESVSP-socket$netlink-sendmmsg-socket-connect$netlink-sendmsg$nl_route_sched-socket$packet-unshare-recvmmsg-socket$inet6_mptcp-getsockopt$inet6_tcp_int-socket$inet_udp-setsockopt$packet_int-setsockopt$packet_rx_ring-openat$tun-ioctl$TUNSETIFF-socket$kcm-ioctl$SIOCSIFHWADDR-write$tun-setsockopt$inet_tcp_TCP_MD5SIG-setsockopt$inet_tcp_TCP_MD5SIG-close
detailed listing:
executing program 0:
socket(0x2000000000000021, 0x2, 0x10000000000002) (async, rerun: 32)
r0 = socket$inet_tcp(0x2, 0x1, 0x0) (rerun: 32)
r1 = socket(0x2a, 0x2, 0x0)
getsockname$packet(r1, &(0x7f0000000200)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000400)=@newqdisc={0x24, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r2, {}, {0xffff, 0xffff}, {0x0, 0xfff1}}}, 0x24}}, 0x44884) (async)
sendmsg$IPCTNL_MSG_CT_NEW(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@newtfilter={0x3c, 0x2c, 0xd27, 0x70bd2d, 0x25dfdbfc, {0x0, 0x0, 0x0, r2, {0xd}, {}, {0x6, 0x10}}, [@filter_kind_options=@f_flower={{0xb}, {0xc, 0x2, [@TCA_FLOWER_KEY_CT_STATE={0x6, 0x5b, 0x9}]}}]}, 0x3c}}, 0x2000c800)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.controllers\x00', 0x275a, 0x0)
ioctl$FS_IOC_RESVSP(r3, 0x40305839, &(0x7f00000002c0)={0x0, 0x7, 0xefff, 0xfa64}) (async)
r4 = socket$netlink(0x10, 0x3, 0x0)
sendmmsg(r4, &(0x7f00000002c0), 0x40000000000009f, 0x0) (async)
r5 = socket(0x10, 0x3, 0x0)
connect$netlink(r5, &(0x7f00000014c0)=@proc={0x10, 0x0, 0x1}, 0xc)
sendmsg$nl_route_sched(r5, &(0x7f0000000080)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000000}, 0xc, &(0x7f0000000040)={&(0x7f0000000180)=@newtaction={0x18, 0x30, 0x829, 0x20000, 0x0, {}, [{0x4}]}, 0x18}}, 0x0) (async, rerun: 64)
r6 = socket$packet(0x11, 0x3, 0x300) (rerun: 64)
unshare(0x22020600)
recvmmsg(r6, &(0x7f000000a400)=[{{&(0x7f0000000500)=@nfc, 0x80, &(0x7f0000000600)=[{&(0x7f0000000140)}, {&(0x7f0000000580)=""/119, 0x77}], 0x2, &(0x7f0000000640)=""/156, 0x9c}, 0x7}, {{&(0x7f0000000700)=@x25={0x9, @remote}, 0x80, &(0x7f0000000940)=[{&(0x7f0000000780)=""/171, 0xab}, {&(0x7f0000000840)=""/60, 0x3c}, {&(0x7f0000000880)=""/136, 0x88}], 0x3, &(0x7f0000000980)=""/10, 0xa}, 0x8}, {{&(0x7f00000009c0)=@l2tp6={0xa, 0x0, 0x0, @empty}, 0x80, &(0x7f0000000ec0)=[{&(0x7f0000000a40)=""/195, 0xc3}, {&(0x7f0000001500)=""/4096, 0x1000}, {&(0x7f0000000b40)=""/240, 0xf0}, {&(0x7f0000002500)=""/4096, 0x1000}, {&(0x7f0000000c40)=""/236, 0xec}, {&(0x7f0000000d40)=""/41, 0x29}, {&(0x7f0000000d80)=""/83, 0x53}, {&(0x7f0000000e00)=""/135, 0x87}, {&(0x7f0000003500)=""/4096, 0x1000}], 0x9, &(0x7f0000004500)=""/4096, 0x1000}, 0x29}, {{&(0x7f0000000f80)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000005500)=[{&(0x7f0000001000)=""/143, 0x8f}, {&(0x7f00000010c0)=""/157, 0x9d}, {&(0x7f0000001180)=""/163, 0xa3}, {&(0x7f0000001240)=""/2, 0x2}, {&(0x7f0000001280)=""/29, 0x1d}, {&(0x7f00000012c0)=""/244, 0xf4}, {&(0x7f00000013c0)=""/89, 0x59}], 0x7, &(0x7f0000005580)=""/213, 0xd5}, 0x6}, {{&(0x7f0000005680)=@phonet, 0x80, &(0x7f0000005ac0)=[{&(0x7f0000005700)=""/204, 0xcc}, {&(0x7f0000005800)=""/228, 0xe4}, {&(0x7f0000001440)=""/36, 0x24}, {&(0x7f0000005900)=""/83, 0x53}, {&(0x7f0000005980)=""/146, 0x92}, {&(0x7f0000005a40)=""/115, 0x73}], 0x6, &(0x7f0000005b40)=""/17, 0x11}, 0x1ff}, {{&(0x7f0000005b80)=@rxrpc=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x0, @loopback}}, 0x80, &(0x7f0000008f00)=[{&(0x7f0000005c00)=""/94, 0x5e}, {&(0x7f0000005c80)=""/4096, 0x1000}, {&(0x7f0000006c80)=""/155, 0x9b}, {&(0x7f0000006d40)=""/136, 0x88}, {&(0x7f0000006e00)=""/4096, 0x1000}, {&(0x7f0000007e00)=""/15, 0xf}, {&(0x7f0000007e40)=""/126, 0x7e}, {&(0x7f0000007ec0)=""/4096, 0x1000}, {&(0x7f0000008ec0)=""/30, 0x1e}], 0x9, &(0x7f0000008fc0)=""/146, 0x92}, 0x80000001}, {{&(0x7f0000009080)=@nfc_llcp, 0x80, &(0x7f000000a380)=[{&(0x7f0000009100)=""/105, 0x69}, {&(0x7f0000009180)=""/209, 0xd1}, {&(0x7f0000009280)=""/127, 0x7f}, {&(0x7f0000009300)=""/115, 0x73}, {&(0x7f0000009380)=""/4096, 0x1000}], 0x5}, 0xfff}], 0x7, 0x40000120, 0x0) (async)
r7 = socket$inet6_mptcp(0xa, 0x1, 0x106)
getsockopt$inet6_tcp_int(r7, 0x6, 0x5, 0x0, 0x0) (async)
socket$inet_udp(0x2, 0x2, 0x0) (async)
setsockopt$packet_int(r6, 0x107, 0xf, &(0x7f0000000240)=0x2, 0x4)
setsockopt$packet_rx_ring(r6, 0x107, 0x5, &(0x7f0000000000)=@req3={0x1000, 0x3a, 0x1000, 0x3a}, 0x1c) (async, rerun: 32)
r8 = openat$tun(0xffffffffffffff9c, &(0x7f00000001c0), 0xa2f01, 0x0) (rerun: 32)
ioctl$TUNSETIFF(r8, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32})
r9 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r9, 0x8914, 0x0) (async, rerun: 32)
write$tun(r8, &(0x7f0000000200)=ANY=[@ANYRES16=r9], 0x4a) (rerun: 32)
setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000300)={@in={{0x2, 0x4e22, @multicast2}}, 0x0, 0x0, 0xb, 0x0, "f6a7346a1ca3caf66200f0e70b995efa20d5ddc09c0bc0c88e00bdea5e6998967d569964c8b68dae57dea91c0e3ef03a96483bcaaa5ab222d1993083e8e3619fbbff30da0288a8b78a3f921c40fdc06a"}, 0xd8)
setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000400)={@in={{0x2, 0x4e20, @multicast2}}, 0x0, 0x0, 0x0, 0x0, "698e86252c563a2eb894ac1de863c527984bfa5ff139aeeef086eed112e6f0ffba88c7d0888990f99dc2416c1cbccf99d18464a65c3587c97aee9217b992893cebfc606ada5e14e782e63da22a6fe97d"}, 0xd8) (async)
close(0x4)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-openat$tun-close-socket$nl_generic-syz_genetlink_get_family_id$tipc-sendmsg$nl_generic-socket$nl_generic-syz_genetlink_get_family_id$ethtool-sendmsg$ETHTOOL_MSG_LINKMODES_SET-sendmsg$ETHTOOL_MSG_LINKMODES_SET-sendmsg$TIPC_CMD_ENABLE_BEARER-ioctl$SIOCSIFHWADDR-openat$tun-close-socket$unix-socket$nl_route-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route_sched-socket-socket$inet6_udp-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route_sched-ioctl$SIOCSIFHWADDR
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) (async)
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r1)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000300), r2) (async)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB='D\x00\x00'], 0x44}, 0x1, 0x0, 0x0, 0x42804}, 0x84)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r4, &(0x7f00000000c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYBLOB='D\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="0100000000000000000005000000180001801400020073797a5f74756e00000008000000000018000380140003801000018004000300080001"], 0x44}}, 0x0) (async, rerun: 64)
sendmsg$ETHTOOL_MSG_LINKMODES_SET(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000004c0)={0x38, r5, 0x7, 0x0, 0x0, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x18, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'syz_tun\x00'}]}, @ETHTOOL_A_LINKMODES_OURS={0xc, 0x3, 0x0, 0x1, [@ETHTOOL_A_BITSET_BITS={0x4}, @ETHTOOL_A_BITSET_NOMASK={0x4}]}]}, 0x38}}, 0x0) (rerun: 64)
sendmsg$TIPC_CMD_ENABLE_BEARER(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000680)=ANY=[@ANYBLOB='8\x00\x00\x00', @ANYRES16=r3, @ANYBLOB="010000000d0000000000010000000000000001410000001c001700000000000000006574683a73797a6b616c6c657230"], 0x38}}, 0x0)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x100, 0x0)
close(r6)
r7 = socket$unix(0x1, 0x1, 0x0)
r8 = socket$nl_route(0x10, 0x3, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r9=>0x0})
sendmsg$nl_route_sched(r8, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000006c0)=@newqdisc={0x64, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r9, {0x0, 0xb}, {0xffff, 0xffff}, {0x0, 0xf}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x38, 0x2, [@TCA_TBF_RATE64={0xc, 0x4, 0x51cf8d4f258ee1a4}, @TCA_TBF_PARMS={0x28, 0x1, {{0x4, 0x2, 0x3, 0x1, 0x6, 0x40}, {0x9e, 0x0, 0x2, 0x401, 0x1}, 0xd73, 0xb29, 0x400372}}]}}]}, 0x64}, 0x1, 0x0, 0x0, 0x24000011}, 0x0) (async)
r10 = socket(0x10, 0x80003, 0x0) (async)
r11 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r11, 0x8933, &(0x7f0000000040)={'lo\x00', <r12=>0x0})
sendmsg$nl_route_sched(r10, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r12, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_prio={{0x9}, {0x18, 0x2, {0xf, "0000000000000000000100000e00"}}}]}, 0x48}, 0x1, 0x0, 0x0, 0x2000000}, 0x0)
ioctl$SIOCSIFHWADDR(r6, 0x8922, &(0x7f0000002280)={'syzkaller0\x00', @random="2b0100004ec6"})

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic-socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH-socket$inet_udp-socket$xdp-setsockopt$XDP_UMEM_REG-sendmmsg$inet
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a3200000000140000001100"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000026c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a58000000060a09040000000000000000020000090b00020073797a32000000000900010073797a30000000002c0004802800e97f07000100637400001c000280080001400000001308000240000000150500030000000000140000001100010000000000000000000000000a"], 0x80}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r5 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r5, 0x11b, 0x4, &(0x7f00000000c0)={0x0, 0xffffdfffffffffff, 0x800, 0xfffffffc, 0x1}, 0x20)
sendmmsg$inet(0xffffffffffffffff, &(0x7f0000005240), 0x4000095, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
single: successfully extracted reproducer
found reproducer with 29 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic-socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH-socket$inet_udp-socket$xdp-setsockopt$XDP_UMEM_REG
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a3200000000140000001100"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000026c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a58000000060a09040000000000000000020000090b00020073797a32000000000900010073797a30000000002c0004802800e97f07000100637400001c000280080001400000001308000240000000150500030000000000140000001100010000000000000000000000000a"], 0x80}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r5 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r5, 0x11b, 0x4, &(0x7f00000000c0)={0x0, 0xffffdfffffffffff, 0x800, 0xfffffffc, 0x1}, 0x20)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic-socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH-socket$inet_udp-socket$xdp
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a3200000000140000001100"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000026c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a58000000060a09040000000000000000020000090b00020073797a32000000000900010073797a30000000002c0004802800e97f07000100637400001c000280080001400000001308000240000000150500030000000000140000001100010000000000000000000000000a"], 0x80}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
socket$xdp(0x2c, 0x3, 0x0)

program crashed: KFENCE: use-after-free read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic-socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH-socket$inet_udp
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a3200000000140000001100"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000026c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a58000000060a09040000000000000000020000090b00020073797a32000000000900010073797a30000000002c0004802800e97f07000100637400001c000280080001400000001308000240000000150500030000000000140000001100010000000000000000000000000a"], 0x80}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic-socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$NFT_BATCH
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a3200000000140000001100"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000026c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a58000000060a09040000000000000000020000090b00020073797a32000000000900010073797a30000000002c0004802800e97f07000100637400001c000280080001400000001308000240000000150500030000000000140000001100010000000000000000000000000a"], 0x80}, 0x1, 0x0, 0x0, 0x4000}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic-socket$nl_netfilter-sendmsg$NFT_BATCH
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a3200000000140000001100"], 0x7c}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic-socket$nl_netfilter
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)
socket$nl_netfilter(0x10, 0x3, 0xc)

program crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic-sendmsg$nl_generic
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000004300090000000000040000000300000008000200030005"], 0x1c}}, 0x24000044)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX-socket$nl_generic
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg-ioctl$sock_SIOCGIFINDEX
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)

program crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-sendmsg
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)
sendmsg(0xffffffffffffffff, 0x0, 0x844)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000440)={0x11, 0x8, &(0x7f0000000080)=ANY=[@ANYBLOB="18080000003f930000000000000000001810ff00", @ANYRES32, @ANYBLOB="0000a200000000001800000000000000000000000000000095000000000000009500000000000000"], &(0x7f0000000000)='GPL\x00', 0x2, 0xde, &(0x7f0000000340)=""/222}, 0x94)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route-socket$packet
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)
socket$packet(0x11, 0x2, 0x300)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING-sendmsg$nl_route
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)
sendmsg$nl_route(r2, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)=ANY=[@ANYBLOB="280000001200375f3fbd70000000000007"], 0x28}, 0x1, 0x0, 0x0, 0x40010}, 0x8000)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket-setsockopt$netlink_NETLINK_TX_RING
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
r2 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r2, 0x10e, 0xc, &(0x7f0000000000)={0xfffffffb}, 0x10)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR-socket
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)
socket(0x10, 0x3, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm-bpf$MAP_UPDATE_CONST_STR
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000100)={{}, 0x0, &(0x7f00000000c0)='%+9llu \x00'}, 0x20)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-socket$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
socket$nl_xfrm(0x10, 0x3, 0x6)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-unshare-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
unshare(0x6a040000)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-syz_open_procfs$namespace-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00')
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-close-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
close(0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-shutdown-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
shutdown(r0, 0x1)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-sendto$inet6-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
sendto$inet6(r0, &(0x7f00000001c0)="ad", 0x1, 0x0, &(0x7f000005ffe4)={0xa, 0x0, 0x0, @loopback={0x0, 0x1c9ae7fffe9a6f34}}, 0x1c)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-setsockopt$inet_sctp6_SCTP_INITMSG-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
setsockopt$inet_sctp6_SCTP_INITMSG(r0, 0x84, 0x2, &(0x7f0000000000)={0x8001, 0x5, 0xde, 0xffff}, 0x8)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$inet6_sctp-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
socket$inet6_sctp(0xa, 0x1, 0x84)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-syz_init_net_socket$bt_hci-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$inet_icmp_raw-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
bpf$PROG_LOAD(0x5, &(0x7f0000000240)={0x16, 0x0, 0x0, &(0x7f0000000600)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @flow_dissector=0x11, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={0x0, 0x120}}, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[], 0x120}}, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB], 0x120}}, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
program crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program did not crash
validation run: crashed=false
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000004c0)=ANY=[@ANYBLOB="200100001600010000000000ffdbdf2500000000000000000000000000000000ff01000000000000000000000000000100000000000000000000000033000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc02000000000000000000000000000100000001320000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000002000000000008547e9aafb963862b592d2eb4b000000000000000000000000000000000000000000000000000000000000000000000005350000000000000100000000000000000000f7fffffff727001a00ac1414294f0000000000000000000000ac1414bb000000"], 0x120}}, 0x0)

program crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
validation run: crashed=true
reproducing took 2h32m36.864160162s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:980 [inline]
BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:560 [inline]
BUG: KASAN: slab-use-after-free in __xfrm_state_delete+0x666/0xca0 net/xfrm/xfrm_state.c:830
Write of size 8 at addr ffff88802e995568 by task kworker/u8:1/13

CPU: 0 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __hlist_del include/linux/list.h:980 [inline]
 hlist_del_rcu include/linux/rculist.h:560 [inline]
 __xfrm_state_delete+0x666/0xca0 net/xfrm/xfrm_state.c:830
 xfrm_state_delete net/xfrm/xfrm_state.c:856 [inline]
 xfrm_state_flush+0x45f/0x770 net/xfrm/xfrm_state.c:939
 xfrm6_tunnel_net_exit+0x3c/0x100 net/ipv6/xfrm6_tunnel.c:337
 ops_exit_list net/core/net_namespace.c:198 [inline]
 ops_undo_list+0x497/0x990 net/core/net_namespace.c:251
 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:682
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 7220:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:330 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:356
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
 xfrm_state_alloc+0x24/0x2f0 net/xfrm/xfrm_state.c:733
 __find_acq_core+0x8a7/0x1c00 net/xfrm/xfrm_state.c:1833
 xfrm_find_acq+0x78/0xa0 net/xfrm/xfrm_state.c:2353
 xfrm_alloc_userspi+0x6b3/0xc90 net/xfrm/xfrm_user.c:1863
 xfrm_user_rcv_msg+0x7a0/0xab0 net/xfrm/xfrm_user.c:3501
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 121:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4782
 xfrm_state_free net/xfrm/xfrm_state.c:591 [inline]
 xfrm_state_gc_destroy net/xfrm/xfrm_state.c:618 [inline]
 xfrm_state_gc_task+0x52d/0x6b0 net/xfrm/xfrm_state.c:634
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88802e995540
 which belongs to the cache xfrm_state of size 928
The buggy address is located 40 bytes inside of
 freed 928-byte region [ffff88802e995540, ffff88802e9958e0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2e994
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801af8b500 ffffea0000c0bb00 0000000000000004
raw: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801af8b500 ffffea0000c0bb00 0000000000000004
head: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0000ba6501 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6643, tgid 6643 (syz.0.607), ts 322721257081, free_ts 315414996241
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4236
 xfrm_state_alloc+0x24/0x2f0 net/xfrm/xfrm_state.c:733
 __find_acq_core+0x8a7/0x1c00 net/xfrm/xfrm_state.c:1833
 xfrm_find_acq+0x78/0xa0 net/xfrm/xfrm_state.c:2353
 xfrm_alloc_userspi+0x6b3/0xc90 net/xfrm/xfrm_user.c:1863
 xfrm_user_rcv_msg+0x7a0/0xab0 net/xfrm/xfrm_user.c:3501
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
page last free pid 6006 tgid 6006 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 __slab_free+0x303/0x3c0 mm/slub.c:4591
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4248
 sock_alloc_inode+0x28/0xc0 net/socket.c:309
 alloc_inode+0x6a/0x1b0 fs/inode.c:346
 new_inode_pseudo include/linux/fs.h:3391 [inline]
 sock_alloc net/socket.c:624 [inline]
 __sock_create+0x12d/0x9f0 net/socket.c:1553
 sock_create net/socket.c:1647 [inline]
 __sys_socket_create net/socket.c:1684 [inline]
 __sys_socket+0xd7/0x1b0 net/socket.c:1731
 __do_sys_socket net/socket.c:1745 [inline]
 __se_sys_socket net/socket.c:1743 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1743
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802e995400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802e995480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802e995500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                          ^
 ffff88802e995580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802e995600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:980 [inline]
BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:560 [inline]
BUG: KASAN: slab-use-after-free in __xfrm_state_delete+0x666/0xca0 net/xfrm/xfrm_state.c:830
Write of size 8 at addr ffff88802e995568 by task kworker/u8:1/13

CPU: 0 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __hlist_del include/linux/list.h:980 [inline]
 hlist_del_rcu include/linux/rculist.h:560 [inline]
 __xfrm_state_delete+0x666/0xca0 net/xfrm/xfrm_state.c:830
 xfrm_state_delete net/xfrm/xfrm_state.c:856 [inline]
 xfrm_state_flush+0x45f/0x770 net/xfrm/xfrm_state.c:939
 xfrm6_tunnel_net_exit+0x3c/0x100 net/ipv6/xfrm6_tunnel.c:337
 ops_exit_list net/core/net_namespace.c:198 [inline]
 ops_undo_list+0x497/0x990 net/core/net_namespace.c:251
 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:682
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 7220:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:330 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:356
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4236
 xfrm_state_alloc+0x24/0x2f0 net/xfrm/xfrm_state.c:733
 __find_acq_core+0x8a7/0x1c00 net/xfrm/xfrm_state.c:1833
 xfrm_find_acq+0x78/0xa0 net/xfrm/xfrm_state.c:2353
 xfrm_alloc_userspi+0x6b3/0xc90 net/xfrm/xfrm_user.c:1863
 xfrm_user_rcv_msg+0x7a0/0xab0 net/xfrm/xfrm_user.c:3501
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 121:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4782
 xfrm_state_free net/xfrm/xfrm_state.c:591 [inline]
 xfrm_state_gc_destroy net/xfrm/xfrm_state.c:618 [inline]
 xfrm_state_gc_task+0x52d/0x6b0 net/xfrm/xfrm_state.c:634
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88802e995540
 which belongs to the cache xfrm_state of size 928
The buggy address is located 40 bytes inside of
 freed 928-byte region [ffff88802e995540, ffff88802e9958e0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2e994
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801af8b500 ffffea0000c0bb00 0000000000000004
raw: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801af8b500 ffffea0000c0bb00 0000000000000004
head: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0000ba6501 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6643, tgid 6643 (syz.0.607), ts 322721257081, free_ts 315414996241
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 kmem_cache_alloc_noprof+0x283/0x3c0 mm/slub.c:4236
 xfrm_state_alloc+0x24/0x2f0 net/xfrm/xfrm_state.c:733
 __find_acq_core+0x8a7/0x1c00 net/xfrm/xfrm_state.c:1833
 xfrm_find_acq+0x78/0xa0 net/xfrm/xfrm_state.c:2353
 xfrm_alloc_userspi+0x6b3/0xc90 net/xfrm/xfrm_user.c:1863
 xfrm_user_rcv_msg+0x7a0/0xab0 net/xfrm/xfrm_user.c:3501
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
page last free pid 6006 tgid 6006 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 __slab_free+0x303/0x3c0 mm/slub.c:4591
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4248
 sock_alloc_inode+0x28/0xc0 net/socket.c:309
 alloc_inode+0x6a/0x1b0 fs/inode.c:346
 new_inode_pseudo include/linux/fs.h:3391 [inline]
 sock_alloc net/socket.c:624 [inline]
 __sock_create+0x12d/0x9f0 net/socket.c:1553
 sock_create net/socket.c:1647 [inline]
 __sys_socket_create net/socket.c:1684 [inline]
 __sys_socket+0xd7/0x1b0 net/socket.c:1731
 __do_sys_socket net/socket.c:1745 [inline]
 __se_sys_socket net/socket.c:1743 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1743
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802e995400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802e995480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802e995500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                          ^
 ffff88802e995580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802e995600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================