Extracting prog: 3m23.856839742s
Minimizing prog: 13m34.41877282s
Simplifying prog options: 0s
Extracting C: 33.564029297s
Simplifying C: 3m38.831146454s


extracting reproducer from 66 programs
testing a last program of every proc
single: executing 19 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-syz_mount_image$vfat-openat$vhost_vsock-ioctl$VHOST_SET_VRING_BASE-eventfd-sendmsg$WG_CMD_SET_DEVICE-sched_setscheduler-chdir-openat-ioctl$FS_IOC_SET_ENCRYPTION_POLICY-creat-ioctl$BLKTRACESETUP-ioctl$KVM_SET_VCPU_EVENTS
detailed listing:
executing program 0:
syz_mount_image$ext4(&(0x7f0000000200)='ext4\x00', &(0x7f0000000740)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0xc000, &(0x7f00000006c0), 0x2, 0x246, &(0x7f0000000ac0)="$eJzs3T9oM2UcB/DvXRJf+75BXnURxD8gIloor5vg8rooFKQUEUGFioiL0gq1xa1xcnHQWaWTSxE3q6N0KS6K4FS1Q10ELQ4WBx0iybVS24ja1Jz0Ph+43l3vee73HLnvkyyXBGisq0muJ2klmU7SSVIcb3B3tVw93F2f2l5I+v0nfiqG7ar9ylG/K0l6SR5KslUWeamdrG4+s/fLzmP3vbnSuff9zaenJnqRh/b3dh8/eG/ujY9mH1z94qsf5opcT/dP13X+ihH/axfJLf9Fsf+Jol33CPgn5l/78OtB7m9Ncs8w/52UqV68t5Zv2OrkgXf/qu/bP355+yTHCpy/fr8zeA/s9YHGKZN0U5QzSartspyZqT7Df9O6XL68tPzq9ItLK4sv1D1TAeelm+w++smlj6+cyP/3rSr/wMU1yP+T8xvfDrYPWnWPBpiIO6rVIP/Tz63dH/mHxpF/aC75h+aSf2gu+Yfmkn9oLvmHC6xztNEbeVj+obnkH5pL/qG5jucfAGiW/qW6n0AG6lL3/AMAAAAAAAAAAAAAAAAAAJy2PrW9cLRMquZn7yT7jyRpj6rfGv4ecXLj8O/ln4tBsz8UVbexPHvXmCcY0wc1P31903f11v/8znrrry0mvdeTXGu3T99/xeH9d3Y3/83xzvNjFviXihP7Dz812fon/bZRb/3ZneTTwfxzbdT8U+a24Xr0/NM9/hXLZ/TKr2OeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgIn5PQAA//8PK23M")
syz_mount_image$vfat(&(0x7f00000024c0), &(0x7f00000001c0)='./bus\x00', 0x204b82f, 0x0, 0x3, 0x0, &(0x7f0000000240))
r0 = openat$vhost_vsock(0xffffffffffffff9c, 0x0, 0x2, 0x0)
ioctl$VHOST_SET_VRING_BASE(r0, 0xaf01, 0x0)
eventfd(0x1)
sendmsg$WG_CMD_SET_DEVICE(0xffffffffffffffff, &(0x7f0000001000)={0x0, 0x0, &(0x7f0000000fc0)={&(0x7f0000000000)=ANY=[@ANYBLOB="ec000000", @ANYRES16, @ANYBLOB="0100000000000000000001"], 0xec}, 0x1, 0x0, 0x0, 0x4084}, 0x80)
sched_setscheduler(0x0, 0x1, 0x0)
chdir(&(0x7f00000003c0)='./bus\x00')
r1 = openat(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0, 0x83)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r1, 0x800c6613, &(0x7f0000000040)=@v1={0x0, @aes128, 0x2, @auto="72d88fc09bcb9489"})
creat(&(0x7f0000000400)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x116)
ioctl$BLKTRACESETUP(0xffffffffffffffff, 0x1263, 0x0)
ioctl$KVM_SET_VCPU_EVENTS(0xffffffffffffffff, 0x4400ae8f, &(0x7f0000000140)=@arm64={0x8, 0x4, 0x62})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): sendmsg$nl_xfrm-prlimit64-sched_setscheduler-sched_setaffinity-getpid-sched_setscheduler-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-getrlimit-unshare-socket$inet_udp-setsockopt$inet_MCAST_MSFILTER-socket$inet_tcp-ioctl$sock_inet_SIOCADDRT-ioctl$sock_inet_SIOCDELRT-sched_setaffinity-socket$inet6-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-syz_mount_image$vfat-socket-setsockopt$netlink_NETLINK_TX_RING-write
detailed listing:
executing program 0:
sendmsg$nl_xfrm(0xffffffffffffffff, 0x0, 0x44000)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
r0 = getpid()
sched_setscheduler(r0, 0x1, &(0x7f0000000100)=0x5)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000001480)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f00000004c0)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
getrlimit(0x0, 0x0)
unshare(0x10000000)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_MCAST_MSFILTER(r3, 0x0, 0x30, &(0x7f00000007c0)=ANY=[], 0x210)
r4 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r4, 0x890b, &(0x7f0000000000)={0x4000000, {}, {0x2, 0x0, @empty}, {0x2, 0x0, @empty}, 0x2a0, 0x0, 0x0, 0x0, 0x20})
ioctl$sock_inet_SIOCDELRT(r4, 0x890c, &(0x7f0000000080)={0x0, {0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x2, 0x0, @local}, {0x2, 0x0, @local}, 0xab852ebbeefbd6b1, 0x0, 0x0, 0x0, 0x20, 0x0, 0x20, 0x3ff, 0x7})
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
socket$inet6(0xa, 0x3, 0xff)
r5 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f00000000c0)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0006}]})
syz_mount_image$vfat(&(0x7f0000000080), &(0x7f0000001380)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x2048c5, &(0x7f0000001400)=ANY=[@ANYRES16=r5, @ANYRESHEX=0xee00, @ANYBLOB="2c73686f72746e616d653d77696e6e742c726f6469722c757365667265652c756e695f786c6174653d312c756e695f786c6174653d302c757365667265652c73686f72746e616d651cb452969e69f07760a6127eba3d6d697865642c64656275672c73686f72746e616d653d6d697865642c726f6469722c757466383d302c73686f72746e616d653d77696e6e742c00"], 0x1, 0x2b4, &(0x7f0000000e40)="$eJzs3cFr024YwPFn7bZ2HVt7GIPfD8QHveglbPUvKLKBWFDmOqYHIXOplsZmNLVSEbeb1/0dw6MnBfUf2GU38SpeiiB42UGsrEm2rqu4ztVM8/1Aydv3fZ/kTd60PAk0bS5vPiwXXaNo1iSWVImJbMiuSGav5Bvyl7F2eVQ6bcjl8a/vz926fed6Lp+fW1Cdzy1eyarq5Pk3j5++uPCuNr70cvJ1QrYzd5tfsh+3p7f/a35fDNbuiJi64jg1c8W2dLXklg3Vm7ZlupaWKq5VrWlHe9F21tYaalZWJ1JrVct11aw0tGw1tOZordpQ875ZqqhhGDqRkqiJ9x1R2FpYMHMDGQzCMNarslrNmfGejYWtPzEoAABwtjSXN+Nh5P8PSq6WXK04h/L7o/l/TPrI/0Uinf/3j/w/Cvby/5T/+T2M/B8AAAAAAAAAAAAAAAAAAAAAgL/BbquVbrVa6WAZvBIikhSR4H3Y48RgMP/R1vHDvaSI/bxeqBe8pdeeK0pJbLFkZkTkW/t88Hnl+Wv5uRltm5a39rofv14vxCURxAcyveNnvXjtjF+XEUl1bj8raZnqHZ/tEV8vjMqli62Ev2VLDEnLzj1xxJbV9nl9EP9sVvXqjXxX/Fi7HwAAAAAA/wJD92W6r9/b7YYGjw3pavcqD+4PSPoX9we6rq+H5f/h8PYbAAAAAIAocRtPyqZtW9UIFIL/PziVFYZ/6JLH7TwsIn7Nq7MyFweFoQ1vVo42xUTkpGuO/94sfxaRQzVToU/3aRQ+PfKO9X7Nh593XpoI7UsJAAAAwEAESf9Q35GFnYEMCAAAAAAAAAAAAAAAAAAAAAAAAAAAAACACDruw8OC/id59ljH5uLh7CUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwNvwIAAD//5jbFjk=")
r6 = socket(0x10, 0x2, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r6, 0x10e, 0xc, &(0x7f0000000080)={0x8, 0x6, 0x2}, 0x10)
write(r6, &(0x7f0000000480)="1c0000001a009b8a140000003b000000000000000002000000000000fda350657331", 0x22)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$ext4-openat-pwrite64-lseek-syz_open_dev$usbmon-syz_open_dev$usbfs-dup3-read$hiddev
detailed listing:
executing program 0:
syz_mount_image$ext4(&(0x7f0000000100)='ext4\x00', &(0x7f0000000280)='./file0\x00', 0x280440e, &(0x7f0000000040)={[{@debug}, {@jqfmt_vfsv0}, {@inlinecrypt}, {@errors_remount}, {@test_dummy_encryption_v1}, {@norecovery}, {@delalloc}, {@nogrpid}, {@minixdf}]}, 0x1, 0xbdb, &(0x7f0000001000)="$eJzs3M1rHOcZAPBnRqsP23JXLqXUvVilFBtK17KLTG0KtYtLLz0U2mvBQl4ZofUHkoorWdBV8g+EJP9ALjkkJsGH+OxLArnmkjjXmBwCJihWAiEkCrMfkiztSpa1q1Hk3w9ezfsxM+/zaKSdeWF3A3hhDWc/0ojjEXEliSg2+tOI6KvVBiKq9f2WlxbGv1laGE9iZeVfXyaRRMSTpYXx5rmSxvZIozEQER/9NYmfv7x53pm5+amxSqU83Wifnr1+6/TM3PwfJq+PXStfK984c+5Po2dHz42cH+1Yrt9+dvH+17/5++fV7976/u5Xr72ZxMUYbIytz6OR9a4Nx/Dq72S9QkSMdeD8+0FPI5/1eSaFbQ5KuxwUAABtpeue4X4ZxeiJtYe3Yrz/ca7BAQAAAB2x0hOxAgAAABxwifU/AAAAHHDN9wE8WVoYb5Z835Gwtx5fioihev7LjVIfKUS1th2I3og4/CSJ9R9rTeqH7dpwRDz69Py7WYkWn0PutupiRPyq1fVPavkPNT4JvTH/NCJGOjD/8Ib2Tyn/ix2YP+/8AXgxPbhUv5Ftvv+lq88/0eL+V2hx73oeed//ms9/y5ue/9by72nz/PfPZ5zjTiFutxvL8v/z/b+90yzZ/Nl2V0ntwOPFiF8XWuWfrOaftMn/yjbnTqJ+iuIPt8vt9sk7/5U3Ik5G6/ybkq2/n+j0xGSlPFL/2XKOxQ9H3243f975Z9f/cJv8t7j+A1nfrafO1P5Lff5z+fK9TZ2N3bfPP/2iL/l3rdbX6Pnf2Ozs9JmIvuQfm/vPbp1vc5/mObL8T/126///Vn//2WtCtfG3kaWy2Nhm7Zc2zPmXu3feaxdPc/2X5/W/uvPrX+t75Rnn+N0Hr57a2Nf8fq3169+sZPM/SuprYQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoSiNiMJK0FBFJrZ6mpVLEkYj4RRxOKzdnZn8/cfO/N65mYxFD0ZtOTFbKIxFRrLeTrH2mVl9rn93Q/mNEHIuI14uHau3S+M3K1byTBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYNWRiBiMJC1FRBoRy8U0LZXyjgoAAADouKG8AwAAAAC6zvofAAAADj7rfwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALrs2IkHD5OIqF44VCuZvsZYb66RAd2W5h0AkJuevAMAclPIOwAgNztc43tcgAMo2WZ8oGVv9urR35V4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANifTh5/8DCJiOqFQ7WS6WuM9bY84sQeRgd0U5p3AEBuerYaLOxdHMDee+5/8aOdjQPYe63X+MCLJNlmfGBtn+rTI/1diwkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACA/WewVpK0FBFprZ6mpVLE0YgYit5kYrJSHomIn0XEJ8Xe/qzdn3fQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdNzM3PzUWKVSnn6eSrK7w1VU2lX+vz/C2NtKUqsM5B1GvZL3KxMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHmYmZufGqtUytMzeUcCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA5G1mbn5qrFIpTz9D5d5Odl5XyTtHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADy82MAAAD//1sCDDY=") (async, rerun: 64)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) (rerun: 64)
pwrite64(r0, &(0x7f0000000140)='2', 0x1, 0x8000c61) (async)
lseek(r0, 0x595e, 0x3)
r1 = syz_open_dev$usbmon(&(0x7f0000000080), 0x4000000, 0x101c41) (async)
r2 = syz_open_dev$usbfs(&(0x7f0000000000), 0x20000007d, 0x0)
r3 = dup3(r1, r2, 0x80000)
read$hiddev(r3, &(0x7f0000002080)=""/4096, 0x1000)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-close-close-socket$xdp-socket$pptp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE-ioctl$INCFS_IOC_READ_FILE_SIGNATURE-mount$9p_fd
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r3 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r3, 0x111, 0x4, 0x0, &(0x7f0000000080))
close(r0) (async)
close(r0)
socket$xdp(0x2c, 0x3, 0x0)
r4 = socket$pptp(0x18, 0x1, 0x2)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f})
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0x200400, &(0x7f0000000400)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r0, @ANYBLOB=',wfdno=', @ANYRESHEX=r4])

program crashed: KASAN: use-after-free Read in l2tp_tunnel_del_work
single: successfully extracted reproducer
found reproducer with 16 syscalls
minimizing guilty program
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-close-close-socket$xdp-socket$pptp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r3 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r3, 0x111, 0x4, 0x0, &(0x7f0000000080))
close(r0) (async)
close(r0)
socket$xdp(0x2c, 0x3, 0x0)
socket$pptp(0x18, 0x1, 0x2)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f})

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-close-close-socket$xdp-socket$pptp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r3 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r3, 0x111, 0x4, 0x0, &(0x7f0000000080))
close(r0) (async)
close(r0)
socket$xdp(0x2c, 0x3, 0x0)
socket$pptp(0x18, 0x1, 0x2)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-close-close-socket$xdp-socket$pptp
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r3 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r3, 0x111, 0x4, 0x0, &(0x7f0000000080))
close(r0) (async)
close(r0)
socket$xdp(0x2c, 0x3, 0x0)
socket$pptp(0x18, 0x1, 0x2)

program did not crash
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-close-close-socket$xdp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r3 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r3, 0x111, 0x4, 0x0, &(0x7f0000000080))
close(r0) (async)
close(r0)
socket$xdp(0x2c, 0x3, 0x0)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-close-close-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r3 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r3, 0x111, 0x4, 0x0, &(0x7f0000000080))
close(r0) (async)
close(r0)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-close-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r1 = socket$pppl2tp(0x18, 0x1, 0x1)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r1, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r2, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r3 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r3, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r3, 0x111, 0x4, 0x0, &(0x7f0000000080))
close(r0) (async)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r1, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-getsockopt-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r2 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r2, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
getsockopt(r2, 0x111, 0x4, 0x0, &(0x7f0000000080))
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
r2 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r2, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x18}}, 0x2, 0x1}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-socket$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
socket$pppl2tp(0x18, 0x1, 0x1)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-socket$inet6_udp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program did not crash
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$pppl2tp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, 0xffffffffffffffff, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program did not crash
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
socket$pppl2tp(0x18, 0x1, 0x1) (async)
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r0, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(0xffffffffffffffff, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program did not crash
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-creat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
creat(&(0x7f0000000140)='./file0\x00', 0x182)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): creat-socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
creat(&(0x7f0000000140)='./file0\x00', 0x182) (async)
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Write in pppol2tp_release
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f}) (async)

program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f})

VM was preempted during syz execution: failed to run command in VM: instance is preempted, retrying
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, 0x0, 0x0)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, &(0x7f0000000180)={&(0x7f00000000c0)=""/127, 0x7f})

program did not crash
testing program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
extracting C reproducer
testing compiled C program (duration=32.634790842s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
program crashed: KASAN: use-after-free Write in pppol2tp_release
simplifying C reproducer
testing compiled C program (duration=32.634790842s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
program crashed: KASAN: use-after-free Read in pppol2tp_sock_to_session
testing compiled C program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
program crashed: KASAN: use-after-free Write in pppol2tp_release
testing compiled C program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
program did not crash
testing program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
testing program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, 0x0)

program crashed: KASAN: use-after-free Read in rcu_cblist_dequeue
validation run: crashed=true
testing program (duration=32.634790842s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$pppl2tp-socket$inet6_udp-connect$pppl2tp-ioctl$INCFS_IOC_READ_FILE_SIGNATURE
detailed listing:
executing program 0:
r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$pppl2tp(r0, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x3, r1, {0x2, 0x0, @dev}, 0x2}}, 0x2e)
ioctl$INCFS_IOC_READ_FILE_SIGNATURE(r0, 0x8010671f, 0x0)

program crashed: KASAN: use-after-free Write in pppol2tp_release
validation run: crashed=true
reproducing took 22m25.241429712s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x85/0xf0 kernel/locking/mutex.c:298
Write of size 8 at addr ffff88812648c550 by task syz.2.17/401

CPU: 1 PID: 401 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x100/0x140 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
 atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
 mutex_lock+0x85/0xf0 kernel/locking/mutex.c:298
 pppol2tp_release+0x178/0x2b0 net/l2tp/l2tp_ppp.c:442
 __sock_release net/socket.c:597 [inline]
 sock_close+0xb8/0x200 net/socket.c:1286
 __fput+0x2dc/0x730 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fcfff2b9e59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc2ac2bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffc2ac2ca0 RCX: 00007fcfff2b9e59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000057d3 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b32b20000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcfff532fac R14: 00007fcfff532fa8 R15: 00007fcfff532fa0

Allocated by task 401:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 ____kasan_kmalloc mm/kasan/common.c:509 [inline]
 __kasan_kmalloc+0xd4/0x100 mm/kasan/common.c:518
 kasan_kmalloc include/linux/kasan.h:254 [inline]
 __kmalloc+0x19f/0x330 mm/slub.c:4038
 kmalloc include/linux/slab.h:560 [inline]
 kzalloc include/linux/slab.h:667 [inline]
 l2tp_session_create+0x39/0xb60 net/l2tp/l2tp_core.c:1616
 pppol2tp_connect+0xbf5/0x1640 net/l2tp/l2tp_ppp.c:772
 __sys_connect_file net/socket.c:1866 [inline]
 __sys_connect+0x3ce/0x450 net/socket.c:1883
 __do_sys_connect net/socket.c:1893 [inline]
 __se_sys_connect net/socket.c:1890 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:1890
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 401:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4a/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x125/0x160 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1600 [inline]
 slab_free_freelist_hook+0xc5/0x190 mm/slub.c:1626
 slab_free mm/slub.c:3208 [inline]
 kfree+0xc0/0x270 mm/slub.c:4196
 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
 l2tp_session_put+0xb2/0x1a0 net/l2tp/l2tp_core.c:193
 l2tp_session_delete+0x3a9/0x4a0 net/l2tp/l2tp_core.c:1589
 pppol2tp_release+0x169/0x2b0 net/l2tp/l2tp_ppp.c:439
 __sock_release net/socket.c:597 [inline]
 sock_close+0xb8/0x200 net/socket.c:1286
 __fput+0x2dc/0x730 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88812648c400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 336 bytes inside of
 512-byte region [ffff88812648c400, ffff88812648c600)
The buggy address belongs to the page:
page:ffffea0004992300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12648c
head:ffffea0004992300 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 364, ts 22495718847, free_ts 22493472241
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x176/0x190 mm/page_alloc.c:2462
 get_page_from_freelist+0x225f/0x23f0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x29a/0x640 mm/page_alloc.c:5384
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1813 [inline]
 new_slab+0x84/0x3f0 mm/slub.c:1874
 new_slab_objects mm/slub.c:2632 [inline]
 ___slab_alloc+0x2f8/0x4c0 mm/slub.c:2796
 __slab_alloc+0x63/0xa0 mm/slub.c:2836
 slab_alloc_node mm/slub.c:2918 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 kmem_cache_alloc_trace+0x1a8/0x2e0 mm/slub.c:2977
 kmalloc include/linux/slab.h:555 [inline]
 kmalloc_array include/linux/slab.h:594 [inline]
 rtnl_newlink+0x14b/0x1830 net/core/rtnetlink.c:3530
 rtnetlink_rcv_msg+0x9e9/0xca0 net/core/rtnetlink.c:5614
 netlink_rcv_skb+0x1e9/0x430 net/netlink/af_netlink.c:2503
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5632
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x86c/0xa30 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x949/0xb70 net/netlink/af_netlink.c:1914
 sock_sendmsg_nosec net/socket.c:652 [inline]
 __sock_sendmsg net/socket.c:664 [inline]
 __sys_sendto+0x467/0x620 net/socket.c:2006
 __do_sys_sendto net/socket.c:2018 [inline]
 __se_sys_sendto net/socket.c:2014 [inline]
 __x64_sys_sendto+0xe5/0x100 net/socket.c:2014
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 __free_pages_ok+0x80b/0x830 mm/page_alloc.c:1629
 free_the_page mm/page_alloc.c:5445 [inline]
 __free_pages+0xd8/0x390 mm/page_alloc.c:5454
 kfree+0x1e4/0x270 mm/slub.c:4193
 tipc_nametbl_stop+0x120b/0x1270 net/tipc/name_table.c:917
 tipc_exit_net+0x99/0x150 net/tipc/core.c:118
 ops_exit_list net/core/net_namespace.c:185 [inline]
 cleanup_net+0x589/0xb80 net/core/net_namespace.c:609
 process_one_work+0x6fd/0xbc0 kernel/workqueue.c:2301
 worker_thread+0xa8e/0x13c0 kernel/workqueue.c:2447
 kthread+0x324/0x3b0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Memory state around the buggy address:
 ffff88812648c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812648c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812648c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88812648c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812648c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
BUG: KASAN: use-after-free in atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
BUG: KASAN: use-after-free in __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
BUG: KASAN: use-after-free in mutex_lock+0x85/0xf0 kernel/locking/mutex.c:298
Write of size 8 at addr ffff88812648c550 by task syz.2.17/401

CPU: 1 PID: 401 Comm: syz.2.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x100/0x140 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x249/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic64_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:1515 [inline]
 atomic_long_try_cmpxchg_acquire include/asm-generic/atomic-long.h:443 [inline]
 __mutex_trylock_fast kernel/locking/mutex.c:173 [inline]
 mutex_lock+0x85/0xf0 kernel/locking/mutex.c:298
 pppol2tp_release+0x178/0x2b0 net/l2tp/l2tp_ppp.c:442
 __sock_release net/socket.c:597 [inline]
 sock_close+0xb8/0x200 net/socket.c:1286
 __fput+0x2dc/0x730 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fcfff2b9e59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc2ac2bb8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fffc2ac2ca0 RCX: 00007fcfff2b9e59
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000057d3 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b32b20000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcfff532fac R14: 00007fcfff532fa8 R15: 00007fcfff532fa0

Allocated by task 401:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:430 [inline]
 ____kasan_kmalloc mm/kasan/common.c:509 [inline]
 __kasan_kmalloc+0xd4/0x100 mm/kasan/common.c:518
 kasan_kmalloc include/linux/kasan.h:254 [inline]
 __kmalloc+0x19f/0x330 mm/slub.c:4038
 kmalloc include/linux/slab.h:560 [inline]
 kzalloc include/linux/slab.h:667 [inline]
 l2tp_session_create+0x39/0xb60 net/l2tp/l2tp_core.c:1616
 pppol2tp_connect+0xbf5/0x1640 net/l2tp/l2tp_ppp.c:772
 __sys_connect_file net/socket.c:1866 [inline]
 __sys_connect+0x3ce/0x450 net/socket.c:1883
 __do_sys_connect net/socket.c:1893 [inline]
 __se_sys_connect net/socket.c:1890 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:1890
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 401:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4a/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x125/0x160 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
 kasan_slab_free include/linux/kasan.h:220 [inline]
 slab_free_hook mm/slub.c:1600 [inline]
 slab_free_freelist_hook+0xc5/0x190 mm/slub.c:1626
 slab_free mm/slub.c:3208 [inline]
 kfree+0xc0/0x270 mm/slub.c:4196
 l2tp_session_free net/l2tp/l2tp_core.c:168 [inline]
 l2tp_session_put+0xb2/0x1a0 net/l2tp/l2tp_core.c:193
 l2tp_session_delete+0x3a9/0x4a0 net/l2tp/l2tp_core.c:1589
 pppol2tp_release+0x169/0x2b0 net/l2tp/l2tp_ppp.c:439
 __sock_release net/socket.c:597 [inline]
 sock_close+0xb8/0x200 net/socket.c:1286
 __fput+0x2dc/0x730 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x127/0x190 kernel/task_work.c:189
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop+0xcb/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x76/0xa0 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:274
 do_syscall_64+0x3d/0x40 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88812648c400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 336 bytes inside of
 512-byte region [ffff88812648c400, ffff88812648c600)
The buggy address belongs to the page:
page:ffffea0004992300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12648c
head:ffffea0004992300 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100043080
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 364, ts 22495718847, free_ts 22493472241
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x176/0x190 mm/page_alloc.c:2462
 get_page_from_freelist+0x225f/0x23f0 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x29a/0x640 mm/page_alloc.c:5384
 alloc_slab_page mm/slub.c:-1 [inline]
 allocate_slab mm/slub.c:1813 [inline]
 new_slab+0x84/0x3f0 mm/slub.c:1874
 new_slab_objects mm/slub.c:2632 [inline]
 ___slab_alloc+0x2f8/0x4c0 mm/slub.c:2796
 __slab_alloc+0x63/0xa0 mm/slub.c:2836
 slab_alloc_node mm/slub.c:2918 [inline]
 slab_alloc mm/slub.c:2960 [inline]
 kmem_cache_alloc_trace+0x1a8/0x2e0 mm/slub.c:2977
 kmalloc include/linux/slab.h:555 [inline]
 kmalloc_array include/linux/slab.h:594 [inline]
 rtnl_newlink+0x14b/0x1830 net/core/rtnetlink.c:3530
 rtnetlink_rcv_msg+0x9e9/0xca0 net/core/rtnetlink.c:5614
 netlink_rcv_skb+0x1e9/0x430 net/netlink/af_netlink.c:2503
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5632
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x86c/0xa30 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x949/0xb70 net/netlink/af_netlink.c:1914
 sock_sendmsg_nosec net/socket.c:652 [inline]
 __sock_sendmsg net/socket.c:664 [inline]
 __sys_sendto+0x467/0x620 net/socket.c:2006
 __do_sys_sendto net/socket.c:2018 [inline]
 __se_sys_sendto net/socket.c:2014 [inline]
 __x64_sys_sendto+0xe5/0x100 net/socket.c:2014
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 __free_pages_ok+0x80b/0x830 mm/page_alloc.c:1629
 free_the_page mm/page_alloc.c:5445 [inline]
 __free_pages+0xd8/0x390 mm/page_alloc.c:5454
 kfree+0x1e4/0x270 mm/slub.c:4193
 tipc_nametbl_stop+0x120b/0x1270 net/tipc/name_table.c:917
 tipc_exit_net+0x99/0x150 net/tipc/core.c:118
 ops_exit_list net/core/net_namespace.c:185 [inline]
 cleanup_net+0x589/0xb80 net/core/net_namespace.c:609
 process_one_work+0x6fd/0xbc0 kernel/workqueue.c:2301
 worker_thread+0xa8e/0x13c0 kernel/workqueue.c:2447
 kthread+0x324/0x3b0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Memory state around the buggy address:
 ffff88812648c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812648c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812648c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88812648c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812648c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================