Extracting prog: 3m17.213116539s
Minimizing prog: 27m16.356647942s
Simplifying prog options: 3m43.120233357s
Extracting C: 1m6.592367106s
Simplifying C: 0s


extracting reproducer from 37 programs
testing a last program of every proc
single: executing 7 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_mount_image$ext4-openat$vcsu-lstat-chmod-syz_usb_connect$uac1
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000000000010ac0559820000000000010902240001000000000904000001030000000921000000012205000905810300"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000040)='./file2\x00', 0x10050, &(0x7f0000000740)={[{@resgid}]}, 0x3, 0x51e, &(0x7f0000000100)="$eJzs3dFrJHcdAPDvTLLX5C41qfqgBWuxlUvV2ySN1wYfqoLoU0Gt+HrGZBNCNtkj2bSXUGyKf4AgogVf9MkXwT9AkL74LkJB30VFkXrVB4X2RmZ29u6y2U1yuJuB5POBX3Z+M7Pz/f427G9/v51hJ4BL6+mImI2IsYh4LiKmy/VpWeKwU/L93rv7+kpeksiyV95NIinXdY/1WPl4rXzaRER882sR302Ox93dP9hcbjYbO2V9rr2VvJ9lBzc2tpbXG+uN7cXFhReWXly6uTQ/lHbORMRLX/nrj3/wi6++9JvPvfanW3+f/V6e1n+z7I3oaccwdZpeK16LrvGI2BlFsIqMFy3suFlxLgAAnCwf7384Ij5VjP+nY6wYzQEAAAAXSfbFqXg/icgAAACACyuNiKlI0np5ve9UpGm93rmG96NxNW22dtufXWvtba/m2yJmopaubTQb8+W1AzNRS/L6QnmNbbf+fE99MSKeiIgfTU8W9fpKq7la9ZcfAAAAcElc65n//3u6M/8vHFacHAAAADA8M1UnAAAAAIyc+T8AAABcfOb/AAAAcKF9/eWX85J173+9+ur+3mbr1Rurjd3N+tbeSn2ltXO7vt5qrRe/2bd12vGardbtz8f23p25dmO3Pbe7f3Brq7W33b61ceQW2AAAAMA5euKTb/8xiYjDL0wWJXel3FaLyMYe3nm8igyBUUkfZee/jC4P4Pw9/Pk+WWEewPkzpIfLq1Z1AkDlklO2D7x453fDzwUAABiN6x8ffP7/3bVKUwNGrDz/n5w2/wcunrGqEwAq0zn/dy/rqDob4DzVThoBmBTAhZcO5/z/KZcSJjoUAACo2FRRkrRezgOmIk3r9YjHi9sC1JK1jWZjPiI+FBF/mK49ltcXimcmRvMAAAAAAAAAAAAAAAAAAAAAAAAAcEZZlkQGAAAAXGgR6d+6d+a6Pv3sVO/3A1eS/0wXjxHx2k9f+cmd5XZ7ZyFf/8/769tvleufr+IbDAAAAKBXd57enccDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDC9d/f1lW45z7j/+HJEzPSLPx4TxeNE1CLi6r+SGH/oeUlEjA0h/uGbEfGxfvGTPK2YKbM4Ev9KRBoRk8OK3/f1PyF+dOJfG0J8uMzezvufL/V7/6XxdPHY//03Xpb/1+D+L73f/40N6P8eH3TQ2tHqk+/8am5g/Dcjnhzv3/904yf58frEf+aMbfzOtw4OBm3Lfh5xvV//lxyNNdfeuj23u39wY2Nreb2x3theXFx4YenFpZtL83NrG81G+bdvjB9+4tf3HtQ+ONb+qyf0v0X7B7z+z56x/R+8c+fuRzqLPf+ZqMXPsmz2mf7//8JnjsfvfvZ9utwrr+evYfrWt/vGf+qXv39qUG55+1cHtH/ilPbPnrH9z33j+38+464AwDnY3T/YXG42GzsWLDzCQj7urDyNJJI4vmm5+sQ6C2+U77HlZvfdNqQj/7acHI0y+Yr6IwAAYHQeDPp7tyTVJAQAAAAAAAAAAAAAAAAAAACX0Kk/AzZoUxoRZ/w5sd6Yh9U0FQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgRP8LAAD//0mN1e4=")
openat$vcsu(0xffffffffffffff9c, 0x0, 0x202, 0x0)
lstat(&(0x7f0000000680)='./file2\x00', 0x0)
chmod(&(0x7f0000000080)='./file2\x00', 0x37f869c7a34e4d30)
syz_usb_connect$uac1(0x1, 0xdc, &(0x7f0000000140)={{0x12, 0x1, 0x201, 0x0, 0x0, 0x0, 0xff, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xca, 0x3, 0x1, 0x4, 0x10, 0x9, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x28, 0xb1}, [@input_terminal={0xc, 0x24, 0x2, 0x5, 0x204, 0x3, 0x4, 0x7, 0x1, 0xe6}, @output_terminal={0x9, 0x24, 0x3, 0x5, 0x104, 0x2, 0x4, 0x8}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0xe, 0x24, 0x2, 0x1, 0xf, 0x4, 0x44, 0x9, "96b234", "cf0f7a"}, @as_header={0x7, 0x24, 0x1, 0x9, 0xb5, 0x3}]}, {{0x9, 0x5, 0x1, 0x9, 0x8, 0x8, 0x10, 0x6, {0x7, 0x25, 0x1, 0x2, 0x97, 0x2}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_i_continuous={0x9, 0x24, 0x2, 0x1, 0x9, 0x4, 0x0, 0x7, "85"}, @as_header={0x7, 0x24, 0x1, 0xff, 0x9, 0x5}, @format_type_i_continuous={0xc, 0x24, 0x2, 0x1, 0x8, 0x1, 0xa5, 0x6d, "bb6f", "0ac7"}, @format_type_i_discrete={0xd, 0x24, 0x2, 0x1, 0x8, 0x2, 0x7f, 0x9, "8ad1f1f993"}, @format_type_i_continuous={0xb, 0x24, 0x2, 0x1, 0x8, 0x1, 0x8f, 0x0, "", "ece4d4"}, @format_type_i_continuous={0xd, 0x24, 0x2, 0x1, 0x4, 0x4, 0xfc, 0xaa, 'I7q', '=.'}]}, {{0x9, 0x5, 0x82, 0x9, 0x40, 0x3, 0x2, 0x9, {0x7, 0x25, 0x1, 0x80, 0x2, 0xfff}}}}}}}]}}, &(0x7f0000000440)={0xa, &(0x7f0000000000)={0xa, 0x6, 0x200, 0x6, 0xa7, 0x75, 0x40, 0xc1}, 0x2e, &(0x7f0000000080)={0x5, 0xf, 0x2e, 0x3, [@ssp_cap={0x14, 0x10, 0xa, 0x1, 0x2, 0x2d, 0xf00f, 0x3, [0x3ff0, 0xc00f]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x0, 0x81, 0x8, 0xa}, @wireless={0xb, 0x10, 0x1, 0xc, 0x84, 0x0, 0x7, 0x0, 0x40}]}, 0x5, [{0x2f, &(0x7f00000000c0)=@string={0x2f, 0x3, "b7e7a5560c15d47684b7b40dacf397864ceb87deca3b4bb627ba1ecbeec52b5390ede67972d9d906fee202a7a7"}}, {0x4, &(0x7f0000000240)=@lang_id={0x4, 0x3, 0x412}}, {0x4, &(0x7f0000000280)=@lang_id={0x4, 0x3, 0x413}}, {0xd6, &(0x7f00000002c0)=@string={0xd6, 0x3, "7b47dca4dedb23e224160f99d52ee9d4c4a6c04240f69315805d7cdded6aa4ae553ab955448bf4312b3c9004881a9e797858ff9294b126c37611d111c0e8ff108c5d33917787f453bac8915fab17794f082b8fa392c90d65df6aa8bf2a3b18e37f0fc5e59c9a4017722771080d688c50b422592978406948ac72311803c193e8aa2c6a2062d2bdf4f44b819b8417c28be407fa72ec61e4b27d25b298fc81155ea1432527c72eb6ce5fe57fe87493a23d31f6697cd6000c25c4224930b37f9dd2c5d054e0256046e4fa0871530ccb96780f90a04e"}}, {0x6, &(0x7f0000000400)=@string={0x6, 0x3, "aa5542d1"}}]})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$fuse-mount$tmpfs-chdir-connect$unix-sendmsg$key-write$binfmt_script-mmap-mlockall-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_IRQCHIP-ioctl$KVM_CREATE_VCPU-socket$inet6-bind$inet6-socket$unix-bind$unix-socket$unix-connect$unix-getpeername$packet-syz_emit_ethernet-mremap-socket$inet_udplite-socket$inet_udplite-socket$inet_udplite-ioctl$sock_SIOCGIFINDEX-socket$netlink-sendmsg$nl_route-setsockopt$IPT_SO_SET_REPLACE-socket$inet_udplite-ioctl$sock_SIOCGIFINDEX
detailed listing:
executing program 0:
syz_mount_image$fuse(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$tmpfs(0x0, &(0x7f00000003c0)='./file0\x00', &(0x7f0000000400), 0x0, &(0x7f0000000440)=ANY=[@ANYBLOB='huge=always'])
chdir(&(0x7f0000000140)='./file0\x00')
connect$unix(0xffffffffffffffff, &(0x7f0000000080)=@file={0x0, './file0\x00'}, 0x6e)
sendmsg$key(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000008c0)=ANY=[@ANYBLOB="0217a8028400000029bd7000fedbdf25170018000501aa00ff880c23baf910bf989a2e9899049aea9e19fc7617833d8880065d1a38c6d6a563e924e4cb2e4a89e3d969d5b99d3c5a58b19de0223c8e851226fc2c063fb313c06f4a8fb29a2b2df01e973719d96f01497cc6fae2e3aecf595a3d9ab89482ab36341e96d43474a381dc8f531de2c87519ee42aa65e70388a98aa461e84639c22d6a030f1bdeadbd64764c4cef268a23177543fb1f831cc72da324aa361cd038fa6361f563bd273d3a0e0000000000001d0018000806de00009d4d535c04c41630ed29a34bf69324a6a2a77773c3b1a18d9a87c8eeeb61e60defaf0048a3e9d2801bcf731d2f5c2ed82589a1a8d90ac4cec0dd05f5d52446f5ffea203c07b9c37361046e968de5fcb74acc41bea69f06db691a27ab1deeab7499cacdc787b457400ad1beeede36351cb2da7f0f2cbc1123c27d7b9fc5286a01875146989fc5fdf4fedd4feafe13d6755aacb603869d2c1dd9a69cbb0a1995cee451cb75b3c4e2bb494a1495babe23ec949513354a15a09d7228af2e48514739098e1f1daae193d4d151d8e8b2780186c6a1105c36af9b04d3e2af901f000004000200020000000800000000000000ff03009a55328c2f39a753bbb90000000000010000000000008021000900e0070000262973c5067afbfc453ae05a0b045329cbf2a8392a325d00541514517c89876a8c9905f74c51a3af3187f562353331c7d10c06615556fefdaa9cc01a8f40025a55ccced9dfb8f8ff07000000000000a1929242e8f8d9b204b83da0910308152f37971869514c32fbc3fab0529e510584363ee24f3ae213525a12d1233d61de6b47ac8603b5119b89236ded7746dbc6ba8646f35586c9bad00981b37917978bbd567b99d19bc8d82ea8dfc412a68d7debfa0d4dc87da5e763110cd2416175159c715083db7743d612d412137f91c2ec6789f2647fd02e2a0276c9d4b58f0bd8c80d883cef4f179351f920d12be10b15de0742ef1e9b9f000000000200090040000000d306da60f69eb928010014008d00000005001a00fe800000000000000000000000000013ac141436000000000000000000000000250014042000090098070000a2f7bd12f40c13eebf667f53ffc9fd9dfdfc80932f903c54de771be82ac9344fffa854de39c0e0c8c50fe49c3e2ebbb0849a25e1be424e514e281f11626b09563181b641a949c6038645527154c39217915f48b3e27731fb03c13f0a67b78b38505eee7d6bc3e4d84963f581743bb5f0844c978a38ab705a4473ae648ed34e63d6424742eff43cf525c82d61a79ef5be76d8fd7c1506e30985064fef587dae7d1401899f4a0f3cc1dc4eabb55ac8f5b44f5c12b5a01033d78b91cb24aa68e6b47aaeb80253d09de63b2575973c2c51a0828da1a20a642c36648debe2eef9542e5dacbfff147897413eeb865aed6e31850f061d4c0000000000010016004e2400"], 0x420}}, 0x20000000)
write$binfmt_script(0xffffffffffffffff, &(0x7f0000000000), 0x208e24b)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000004, 0x28011, 0xffffffffffffffff, 0x0)
mlockall(0x2)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r2 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r2, &(0x7f0000f5dfe4)={0xa, 0x4e20}, 0x1c)
r3 = socket$unix(0x1, 0x2, 0x0)
bind$unix(r3, &(0x7f0000000080)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e)
r4 = socket$unix(0x1, 0x2, 0x0)
connect$unix(r4, &(0x7f0000000180)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e)
getpeername$packet(r4, 0x0, &(0x7f0000000e80))
syz_emit_ethernet(0x32, &(0x7f0000000100)=ANY=[@ANYBLOB="0180c2000000ffffffffffff0800450000240000000000119078ac1414bbe000000100004e20041090780200000200000000"], 0x0)
mremap(&(0x7f0000097000/0x2000)=nil, 0x2000, 0x400000, 0x3, &(0x7f0000bff000/0x400000)=nil)
socket$inet_udplite(0x2, 0x2, 0x88)
r5 = socket$inet_udplite(0x2, 0x2, 0x88)
r6 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000340)={'bridge_slave_0\x00', <r7=>0x0})
r8 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route(r8, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000001900)=@bridge_setlink={0x34, 0x13, 0xa29, 0x0, 0x0, {0x7, 0x0, 0x0, r7}, [@IFLA_AF_SPEC={0x8, 0xc, 0x0, 0x0, [@AF_BRIDGE={0x4}]}, @IFLA_AF_SPEC={0xc, 0x1a, 0x0, 0x1, [@AF_INET={0x8, 0x2, 0x0, 0x1, {0x4}}]}]}, 0x34}}, 0x0)
setsockopt$IPT_SO_SET_REPLACE(r5, 0x0, 0x40, &(0x7f0000000340)=@raw={'raw\x00', 0x8, 0x3, 0x2d0, 0x160, 0xa, 0x148, 0x160, 0x10, 0x238, 0x2a8, 0x2a8, 0x238, 0x2a8, 0x3, 0x0, {[{{@ip={@multicast2=0xe000000b, @multicast2, 0x0, 0x0, 'bridge0\x00', 'rose0\x00', {}, {}, 0x0, 0x1}, 0x0, 0xf0, 0x160, 0x0, {0x200003ae, 0x7f00}, [@common=@inet=@hashlimit1={{0x58}, {'veth1_to_team\x00', {0x7a, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x7, 0x0, 0x58}}}, @common=@icmp={{0x28}, {0x12, "ae1e", 0x1}}]}, @common=@unspec=@NFLOG={0x70, 'NFLOG\x00', 0x0, {0x0, 0x0, 0xfffd, 0x0, 0x0, "f2f7b9f28413d9d8ad470ad2b60845fe339287158d66ec2ff8a9304d9f655c746adc0bdc773506378bc2d2fefd6abb05175089830cc46186074d7de46d5af300"}}}, {{@ip={@remote, @broadcast, 0xff, 0x0, 'ip_vti0\x00', 'veth0_to_team\x00', {}, {}, 0x32, 0x0, 0x20}, 0x0, 0xb8, 0xd8, 0x0, {}, [@common=@socket0={{0x20}}, @inet=@rpfilter={{0x28}}]}, @unspec=@NOTRACK={0x20}}], {{'\x00', 0xc8, 0x70, 0x98}, {0x28}}}}, 0x330)
socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000100)={'bridge_slave_0\x00'})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-io_setup-io_submit-openat$cgroup_ro-prctl$PR_SET_SECCOMP-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD-ftruncate
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
io_setup(0x202, &(0x7f0000000200)=<r4=>0x0)
io_submit(r4, 0x1, &(0x7f0000000140)=[&(0x7f0000000180)={0x0, 0x0, 0x0, 0x5, 0x0, r3, 0x0}])
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
prctl$PR_SET_SECCOMP(0x16, 0x1, &(0x7f0000000100)={0x8, &(0x7f0000000040)=[{0x2, 0x6, 0x4, 0x362}, {0x4, 0x1, 0xfa, 0x2c397898}, {0x800, 0x6, 0x1, 0x1b}, {0x5, 0x2, 0x5, 0x1}, {0x7fff, 0x4, 0x40, 0x6}, {0x6, 0xfe, 0x89, 0x7fffffff}, {0x4, 0x0, 0x7, 0x8}, {0xff, 0x4, 0x1, 0x10000}]})
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r5)
ftruncate(r2, 0x0)

program crashed: KASAN: use-after-free Read in lo_open
single: successfully extracted reproducer
found reproducer with 25 syscalls
minimizing guilty program
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-io_setup-io_submit-openat$cgroup_ro-prctl$PR_SET_SECCOMP-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
io_setup(0x202, &(0x7f0000000200)=<r4=>0x0)
io_submit(r4, 0x1, &(0x7f0000000140)=[&(0x7f0000000180)={0x0, 0x0, 0x0, 0x5, 0x0, r3, 0x0}])
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
prctl$PR_SET_SECCOMP(0x16, 0x1, &(0x7f0000000100)={0x8, &(0x7f0000000040)=[{0x2, 0x6, 0x4, 0x362}, {0x4, 0x1, 0xfa, 0x2c397898}, {0x800, 0x6, 0x1, 0x1b}, {0x5, 0x2, 0x5, 0x1}, {0x7fff, 0x4, 0x40, 0x6}, {0x6, 0xfe, 0x89, 0x7fffffff}, {0x4, 0x0, 0x7, 0x8}, {0xff, 0x4, 0x1, 0x10000}]})
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r5)

program crashed: KASAN: use-after-free Read in lo_release
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-io_setup-io_submit-openat$cgroup_ro-prctl$PR_SET_SECCOMP-ioctl$LOOP_CONFIGURE
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
io_setup(0x202, &(0x7f0000000200)=<r4=>0x0)
io_submit(r4, 0x1, &(0x7f0000000140)=[&(0x7f0000000180)={0x0, 0x0, 0x0, 0x5, 0x0, r3, 0x0}])
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
prctl$PR_SET_SECCOMP(0x16, 0x1, &(0x7f0000000100)={0x8, &(0x7f0000000040)=[{0x2, 0x6, 0x4, 0x362}, {0x4, 0x1, 0xfa, 0x2c397898}, {0x800, 0x6, 0x1, 0x1b}, {0x5, 0x2, 0x5, 0x1}, {0x7fff, 0x4, 0x40, 0x6}, {0x6, 0xfe, 0x89, 0x7fffffff}, {0x4, 0x0, 0x7, 0x8}, {0xff, 0x4, 0x1, 0x10000}]})
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-io_setup-io_submit-openat$cgroup_ro-prctl$PR_SET_SECCOMP-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
io_setup(0x202, &(0x7f0000000200)=<r4=>0x0)
io_submit(r4, 0x1, &(0x7f0000000140)=[&(0x7f0000000180)={0x0, 0x0, 0x0, 0x5, 0x0, r3, 0x0}])
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
prctl$PR_SET_SECCOMP(0x16, 0x1, &(0x7f0000000100)={0x8, &(0x7f0000000040)=[{0x2, 0x6, 0x4, 0x362}, {0x4, 0x1, 0xfa, 0x2c397898}, {0x800, 0x6, 0x1, 0x1b}, {0x5, 0x2, 0x5, 0x1}, {0x7fff, 0x4, 0x40, 0x6}, {0x6, 0xfe, 0x89, 0x7fffffff}, {0x4, 0x0, 0x7, 0x8}, {0xff, 0x4, 0x1, 0x10000}]})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r5)

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-io_setup-io_submit-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
io_setup(0x202, &(0x7f0000000200)=<r4=>0x0)
io_submit(r4, 0x1, &(0x7f0000000140)=[&(0x7f0000000180)={0x0, 0x0, 0x0, 0x5, 0x0, r3, 0x0}])
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r5)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-io_setup-io_submit-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
r3 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
io_setup(0x202, &(0x7f0000000200)=<r4=>0x0)
io_submit(r4, 0x1, &(0x7f0000000140)=[&(0x7f0000000180)={0x0, 0x0, 0x0, 0x5, 0x0, r3, 0x0}])
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={0xffffffffffffffff, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, 0xffffffffffffffff)

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-io_setup-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
io_setup(0x202, &(0x7f0000000200))
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r3)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$procfs-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/timer_list\x00', 0x0, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r3)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-prctl$PR_GET_SPECULATION_CTRL-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
prctl$PR_GET_SPECULATION_CTRL(0x22, 0x0, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r3)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-lseek-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
lseek(r2, 0x0, 0x1)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r3)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-mount$overlay-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x10000, &(0x7f00000002c0)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './bus'}}], [], 0x2c})
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-mkdirat-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
mkdirat(0xffffffffffffff9c, &(0x7f0000000440)='./bus\x00', 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-syz_mount_image$ext4-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
syz_mount_image$ext4(&(0x7f0000000580)='ext4\x00', &(0x7f00000005c0)='./bus\x00', 0x0, &(0x7f0000000200), 0x1, 0x545, &(0x7f0000000bc0)="$eJzs3c9rHOUbAPBnNkl/pd8mXxT8cQootFC7aZqqFQTr3WJBPddlsw0lm0zJbkoTCrUHz3qoJ0+exZNnQfwfPCh48iK1RYpQvUVmM5tuk910m26y1fl8YLbvO+9s33l25nl5Z2eWBFBYU9lLKeKliPg8iZjoaBuNvHFqY7sH929U/7p/o5rE+voHfySR5Ova2yf5v+N55cWI+OHTiJOl7f02VtcWKvV6bTmvTzcXr043VtdOXVmszNfma0uz52ZfPzszc+bsuYHFWr5ZOXT3i/fv3l7+9dRHnz04nsT5OJq3dcYxKFMxlX8mY3F+S9vMoDsbsmTYO8CujOR5PhbZGDARI3nWA/99NyNiHSioRP5DQbXnAdn1b3sZ7oxkf917d+MCaHv8oxvfjcTEenZtdOTP5JEro+x6d3IA/Wd9nD958fdsiT36HgKgm09uRcTp0dHt41+Sj3+7d7qPbbb2YfyD/fN9Nv95rdv8p5Tn5qHW69b5z3iX3N2Nx+d/6c4Auukpm/+93XX+u3nTanIkr/2vNecbSy5fqdeyse1YRJyIsYNZfaf7OT8dfmuiV1vn/C9bsv7bc8F8P+6MHnz0PXOVZuVpYu5071bEy13nv8nm8U+6HP/s87jYZx/Hnnvj515tj49/b61/FXG86/F/eEcr2fn+5HTrfJhunxXbzY6svdCr/2HHnx3/IzvHP5l03q9tPHkfr34z/mOvtt2e/weSD1vlA/m665Vmc3km4kDy3vb1Zx6+t11vb5/Ff+KVnce/buf/4Yj4uM/4v5v9+pfdx7+3svjnnuj4P3nhy/Tbd3r139/xP9sqncjX9DP+9buDT/PZAQAAAAAAwLOmFBFHIymVN8ulUrm88XzH83GkVE8bzZOX05WluWj9VnYyxkrtO90THc9DzOTPw7brZ7bUZyPi/xFxe+Rwq16upvW5YQcPAAAAAAAAAAAAAAAAAAAAz4jxHr//z/w2Muy9A/acP/kNxSX/objkPxSX/Ifikv9QXPIfikv+Q3HJfygu+Q/FJf8BAAAAAAAAAAAAAAAAAAAAAAAAAABgoC5euJAt63/fv1HN6nPXVlcW0mun5mqNhfLiSrVcTZevlufTdL5eK1fTxcf9f/U0vfpmLK1cn27WGs3pxurapcV0Zal56cpiZb52qTa2L1EBAAAAAAAAAAAAAAAAAADAv0tjdW2hUq/XlhUUFBQ2C8MemQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgoX8CAAD//z8IGNY=")
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-prctl$PR_MCE_KILL-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
prctl$PR_MCE_KILL(0x21, 0x1, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-socketpair$unix-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
socketpair$unix(0x1, 0x2, 0x0, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-capset-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
capset(0x0, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_emit_ethernet-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
syz_emit_ethernet(0xfed7, &(0x7f00000000c0)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd6002adf700383a00fe880004000000000000000000000001ff020000000000000000000000000001"], 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000080)={&(0x7f0000000380)='kmem_cache_free\x00', r1}, 0x10)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r2)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1800000000000000000000004b64ffeca50000006d000000850000000f00000095"], &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-socket$inet6_icmp_raw-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-socket$inet6_icmp_raw-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-capset-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280))
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-ioctl$SIOCSIFHWADDR-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000300)={'netpci0\x00'})
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(0xffffffffffffffff, 0x4c0a, &(0x7f0000000180)={r0, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c03, r0)

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(0x0, 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, 0x0)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
extracting C reproducer
testing compiled C program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
program did not crash
simplifying guilty program options
testing program (duration=57.230922267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffc, 0x0, 0x1, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
extracting C reproducer
testing compiled C program (duration=57.230922267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
program did not crash
reproducing took 35m22.583714224s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:973 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060 kernel/locking/mutex.c:1114
Read of size 4 at addr ffff8881eafe9fb8 by task syz-executor/464

CPU: 1 PID: 464 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
 mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
 __mutex_lock_common kernel/locking/mutex.c:973 [inline]
 __mutex_lock+0xcd7/0x1060 kernel/locking/mutex.c:1114
 mutex_lock_killable+0xd8/0x110 kernel/locking/mutex.c:1348
 lo_open+0x18/0xc0 drivers/block/loop.c:1899
 __blkdev_get+0x3c8/0x1160 fs/block_dev.c:1581
 blkdev_get+0x2de/0x3a0 fs/block_dev.c:1714
 do_dentry_open+0x964/0x1130 fs/open.c:806
 do_last fs/namei.c:3565 [inline]
 path_openat+0x29bf/0x34b0 fs/namei.c:3683
 do_filp_open+0x20b/0x450 fs/namei.c:3713
 do_sys_open+0x39c/0x810 fs/open.c:1123
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f9bbc0ffa51
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007ffdaf884b70 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f9bbc0ffa51
RDX: 0000000000000002 RSI: 00007ffdaf884c80 RDI: 00000000ffffff9c
RBP: 00007ffdaf884c80 R08: 000000000000000a R09: 00007ffdaf884937
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f9bbc2ea260 R14: 0000000000000003 R15: 00007ffdaf884c80

Allocated by task 445:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4f/0x600 kernel/fork.c:882
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x2da/0x300 kernel/fork.c:2675
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 17:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
 rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881eafe9f80
 which belongs to the cache task_struct of size 3904
The buggy address is located 56 bytes inside of
 3904-byte region [ffff8881eafe9f80, ffff8881eafeaec0)
The buggy address belongs to the page:
page:ffffea0007abfa00 refcount:1 mapcount:0 mapping:ffff8881f5cf0c80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0c80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4f/0x600 kernel/fork.c:882
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x2da/0x300 kernel/fork.c:2675
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 __free_slab+0x221/0x2e0 mm/slub.c:1774
 free_slab mm/slub.c:1789 [inline]
 discard_slab mm/slub.c:1795 [inline]
 unfreeze_partials+0x14e/0x180 mm/slub.c:2288
 put_cpu_partial+0x44/0x180 mm/slub.c:2324
 __slab_free+0x297/0x360 mm/slub.c:2971
 qlist_free_all+0x43/0xb0 mm/kasan/quarantine.c:167
 quarantine_reduce+0x1d9/0x210 mm/kasan/quarantine.c:260
 __kasan_kmalloc+0x41/0x210 mm/kasan/common.c:507
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 __alloc_skb+0x7a/0x4d0 net/core/skbuff.c:198
 alloc_skb include/linux/skbuff.h:1080 [inline]
 nlmsg_new include/net/netlink.h:888 [inline]
 inet6_netconf_notify_devconf+0xc9/0x180 net/ipv6/addrconf.c:573
 __addrconf_sysctl_unregister net/ipv6/addrconf.c:6997 [inline]
 addrconf_sysctl_unregister net/ipv6/addrconf.c:7021 [inline]
 addrconf_ifdown+0x17cc/0x1a90 net/ipv6/addrconf.c:3927
 addrconf_notify+0x375/0xe50 net/ipv6/addrconf.c:3698
 notifier_call_chain kernel/notifier.c:98 [inline]
 __raw_notifier_call_chain kernel/notifier.c:399 [inline]
 raw_notifier_call_chain+0x95/0x110 kernel/notifier.c:406
 call_netdevice_notifiers_info net/core/dev.c:1670 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1682 [inline]
 call_netdevice_notifiers net/core/dev.c:1696 [inline]
 rollback_registered_many+0xce5/0x1330 net/core/dev.c:8650

Memory state around the buggy address:
 ffff8881eafe9e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881eafe9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881eafe9f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8881eafea000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881eafea080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:973 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060 kernel/locking/mutex.c:1114
Read of size 4 at addr ffff8881eafe9fb8 by task syz-executor/464

CPU: 1 PID: 464 Comm: syz-executor Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
 mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
 __mutex_lock_common kernel/locking/mutex.c:973 [inline]
 __mutex_lock+0xcd7/0x1060 kernel/locking/mutex.c:1114
 mutex_lock_killable+0xd8/0x110 kernel/locking/mutex.c:1348
 lo_open+0x18/0xc0 drivers/block/loop.c:1899
 __blkdev_get+0x3c8/0x1160 fs/block_dev.c:1581
 blkdev_get+0x2de/0x3a0 fs/block_dev.c:1714
 do_dentry_open+0x964/0x1130 fs/open.c:806
 do_last fs/namei.c:3565 [inline]
 path_openat+0x29bf/0x34b0 fs/namei.c:3683
 do_filp_open+0x20b/0x450 fs/namei.c:3713
 do_sys_open+0x39c/0x810 fs/open.c:1123
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f9bbc0ffa51
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 1a 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007ffdaf884b70 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f9bbc0ffa51
RDX: 0000000000000002 RSI: 00007ffdaf884c80 RDI: 00000000ffffff9c
RBP: 00007ffdaf884c80 R08: 000000000000000a R09: 00007ffdaf884937
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f9bbc2ea260 R14: 0000000000000003 R15: 00007ffdaf884c80

Allocated by task 445:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4f/0x600 kernel/fork.c:882
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x2da/0x300 kernel/fork.c:2675
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 17:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
 rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881eafe9f80
 which belongs to the cache task_struct of size 3904
The buggy address is located 56 bytes inside of
 3904-byte region [ffff8881eafe9f80, ffff8881eafeaec0)
The buggy address belongs to the page:
page:ffffea0007abfa00 refcount:1 mapcount:0 mapping:ffff8881f5cf0c80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf0c80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4f/0x600 kernel/fork.c:882
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x2da/0x300 kernel/fork.c:2675
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 __free_slab+0x221/0x2e0 mm/slub.c:1774
 free_slab mm/slub.c:1789 [inline]
 discard_slab mm/slub.c:1795 [inline]
 unfreeze_partials+0x14e/0x180 mm/slub.c:2288
 put_cpu_partial+0x44/0x180 mm/slub.c:2324
 __slab_free+0x297/0x360 mm/slub.c:2971
 qlist_free_all+0x43/0xb0 mm/kasan/quarantine.c:167
 quarantine_reduce+0x1d9/0x210 mm/kasan/quarantine.c:260
 __kasan_kmalloc+0x41/0x210 mm/kasan/common.c:507
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 __alloc_skb+0x7a/0x4d0 net/core/skbuff.c:198
 alloc_skb include/linux/skbuff.h:1080 [inline]
 nlmsg_new include/net/netlink.h:888 [inline]
 inet6_netconf_notify_devconf+0xc9/0x180 net/ipv6/addrconf.c:573
 __addrconf_sysctl_unregister net/ipv6/addrconf.c:6997 [inline]
 addrconf_sysctl_unregister net/ipv6/addrconf.c:7021 [inline]
 addrconf_ifdown+0x17cc/0x1a90 net/ipv6/addrconf.c:3927
 addrconf_notify+0x375/0xe50 net/ipv6/addrconf.c:3698
 notifier_call_chain kernel/notifier.c:98 [inline]
 __raw_notifier_call_chain kernel/notifier.c:399 [inline]
 raw_notifier_call_chain+0x95/0x110 kernel/notifier.c:406
 call_netdevice_notifiers_info net/core/dev.c:1670 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1682 [inline]
 call_netdevice_notifiers net/core/dev.c:1696 [inline]
 rollback_registered_many+0xce5/0x1330 net/core/dev.c:8650

Memory state around the buggy address:
 ffff8881eafe9e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881eafe9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881eafe9f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8881eafea000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881eafea080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================