Extracting prog: 3m25.27063246s
Minimizing prog: 20m55.433245924s
Simplifying prog options: 3m30.886781691s
Extracting C: 1m2.004250582s
Simplifying C: 0s


extracting reproducer from 82 programs
testing a last program of every proc
single: executing 32 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-capset-socket$inet6_udplite-syz_mount_image$vfat-creat-mmap-close-openat$fuse-syz_open_procfs-io_setup-io_submit-bpf$PROG_LOAD-socket-capset-socket$inet6_udplite-syz_mount_image$vfat-creat-mmap-close-openat$fuse-syz_open_procfs-io_setup-io_submit-bpf$PROG_LOAD
detailed listing:
executing program 0:
socket(0x10, 0x3, 0x9)
capset(&(0x7f0000000300)={0x20080522}, &(0x7f0000000340))
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
syz_mount_image$vfat(&(0x7f00000000c0), &(0x7f00000002c0)='./file1\x00', 0x2018000, &(0x7f0000000300)={[{@numtail}, {@fat=@check_strict}, {@iocharset={'iocharset', 0x3d, 'cp865'}}, {@shortname_win95}, {@fat=@codepage={'codepage', 0x3d, '949'}}, {@rodir}, {@fat=@fmask={'fmask', 0x3d, 0x4}}, {@shortname_mixed}, {@shortname_lower}, {@iocharset={'iocharset', 0x3d, 'koi8-r'}}, {@numtail}, {@utf8no}]}, 0x25, 0x34c, &(0x7f0000001740)="$eJzs3T9oJGUUAPC3mU12EziTQji0Wu0EOS4RC21MOE44TKEni/8aFy7nn+wqZHEhFtlLo1gqNoJWdldoebVYiNhZ2HqCnIqN1x3c4cjuTHY3mcn9EbOn3u9XhJf3fW++byZDdhKSt6+uxua52Th/9eqVqNcrUV09tRrXKrEUM5FE5kIAAP8n19I0/kgzw8RTN5v90ULMZtHcVHYHAByF4ev/a8fGidrd3A0AMA2Fn//LPVuaffvItgUAHKHC6//D+4YP/Jq/OvqbAADgv+v5l15+Zm094myjUY/ovN9r9prx5Hh87Xy8Ee3YiJOxGDcisgeF7Glh8PHpM+unTzYGflmK5qCi14zo9HvN7ElhLRnW12I5FmMpr09H9cmgfnlY34iIC/3h+tGp9JqzsZCv/+NCbMRKLMb9hfqIM+unVxr5AZqdvfp+xG7U905isP8TsRjfzww/OReD2uxYg8zOcqNxKl3fV9+7WBvOAwAAAAAAAAAAAAAAAAAAAACAo3BiPvLuOY2lUf+btNPvvXc2n9Aojg/7+2TDeX+g3aw/UFrb687zQXKwP9D+/jy9ZjVm7uqZAwAAAAAAAAAAAAAAAAAAwL9Hd3suWu32xlZ3+93NcTDX7k9k3vr2i6/n4+CcN5NxJqrZ4fbNyXMxUZXEqDwdlafJvjl5kETkkyvRunhptOPJObXRWRTKB0GtMFTJ99Rqt4899POnZVV/jjNJjIbqpUtU8vUnhjr3Zamy/dw8qHS3V24x53KapoeV73xSrIp6RLXwhfsngm+uvP7AY93jj3cr1c3WV3nTh0ceXXzh8sef/7bZakd+adrtua3ujfRvr5VM3D+V/DpXSu6E8mB3nNnd6m63kh9+f/HBD787MDkpv3/Sycw7h6/15cHMXBYMtnk7ZzpbcvOXB69cH929d34xj3+22rq089OvexfzVlUT3yQ06gAAAAAAAAAAAAAAAAAAgKmY+F/xO/DEc0e3IwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYvvH7/08Eu4XM7QTX+1Ecqm1sdQ9dfH6qpwoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD3srwAAAP//JT9zjQ==")
creat(&(0x7f0000000040)='./file0\x00', 0x0)
mmap(&(0x7f000000d000/0x1000)=nil, 0x1000, 0x0, 0x11, r0, 0x0)
close(0xffffffffffffffff)
openat$fuse(0xffffffffffffff9c, &(0x7f0000002080), 0x42, 0x0)
r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00')
io_setup(0x6, &(0x7f0000001380)=<r2=>0x0)
io_submit(r2, 0x1, &(0x7f0000000340)=[&(0x7f0000000100)={0x1000000, 0x0, 0x0, 0x5, 0x8001, r1, 0x0}])
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x8, 0x4, &(0x7f0000000040)=ANY=[@ANYBLOB="b400000000000200611300000000000062000000000000009500000c00000100"], &(0x7f0000003ff6)='GPL\x00', 0x2, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_skb, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x1f2, 0x10, &(0x7f0000000000), 0xfffffe51, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
socket(0x10, 0x3, 0x9) (async)
capset(&(0x7f0000000300)={0x20080522}, &(0x7f0000000340)) (async)
socket$inet6_udplite(0xa, 0x2, 0x88) (async)
syz_mount_image$vfat(&(0x7f00000000c0), &(0x7f00000002c0)='./file1\x00', 0x2018000, &(0x7f0000000300)={[{@numtail}, {@fat=@check_strict}, {@iocharset={'iocharset', 0x3d, 'cp865'}}, {@shortname_win95}, {@fat=@codepage={'codepage', 0x3d, '949'}}, {@rodir}, {@fat=@fmask={'fmask', 0x3d, 0x4}}, {@shortname_mixed}, {@shortname_lower}, {@iocharset={'iocharset', 0x3d, 'koi8-r'}}, {@numtail}, {@utf8no}]}, 0x25, 0x34c, &(0x7f0000001740)="$eJzs3T9oJGUUAPC3mU12EziTQji0Wu0EOS4RC21MOE44TKEni/8aFy7nn+wqZHEhFtlLo1gqNoJWdldoebVYiNhZ2HqCnIqN1x3c4cjuTHY3mcn9EbOn3u9XhJf3fW++byZDdhKSt6+uxua52Th/9eqVqNcrUV09tRrXKrEUM5FE5kIAAP8n19I0/kgzw8RTN5v90ULMZtHcVHYHAByF4ev/a8fGidrd3A0AMA2Fn//LPVuaffvItgUAHKHC6//D+4YP/Jq/OvqbAADgv+v5l15+Zm094myjUY/ovN9r9prx5Hh87Xy8Ee3YiJOxGDcisgeF7Glh8PHpM+unTzYGflmK5qCi14zo9HvN7ElhLRnW12I5FmMpr09H9cmgfnlY34iIC/3h+tGp9JqzsZCv/+NCbMRKLMb9hfqIM+unVxr5AZqdvfp+xG7U905isP8TsRjfzww/OReD2uxYg8zOcqNxKl3fV9+7WBvOAwAAAAAAAAAAAAAAAAAAAACAo3BiPvLuOY2lUf+btNPvvXc2n9Aojg/7+2TDeX+g3aw/UFrb687zQXKwP9D+/jy9ZjVm7uqZAwAAAAAAAAAAAAAAAAAAwL9Hd3suWu32xlZ3+93NcTDX7k9k3vr2i6/n4+CcN5NxJqrZ4fbNyXMxUZXEqDwdlafJvjl5kETkkyvRunhptOPJObXRWRTKB0GtMFTJ99Rqt4899POnZVV/jjNJjIbqpUtU8vUnhjr3Zamy/dw8qHS3V24x53KapoeV73xSrIp6RLXwhfsngm+uvP7AY93jj3cr1c3WV3nTh0ceXXzh8sef/7bZakd+adrtua3ujfRvr5VM3D+V/DpXSu6E8mB3nNnd6m63kh9+f/HBD787MDkpv3/Sycw7h6/15cHMXBYMtnk7ZzpbcvOXB69cH929d34xj3+22rq089OvexfzVlUT3yQ06gAAAAAAAAAAAAAAAAAAgKmY+F/xO/DEc0e3IwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACYvvH7/08Eu4XM7QTX+1Ecqm1sdQ9dfH6qpwoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD3srwAAAP//JT9zjQ==") (async)
creat(&(0x7f0000000040)='./file0\x00', 0x0) (async)
mmap(&(0x7f000000d000/0x1000)=nil, 0x1000, 0x0, 0x11, r0, 0x0) (async)
close(0xffffffffffffffff) (async)
openat$fuse(0xffffffffffffff9c, &(0x7f0000002080), 0x42, 0x0) (async)
syz_open_procfs(0x0, &(0x7f00000000c0)='fd/3\x00') (async)
io_setup(0x6, &(0x7f0000001380)) (async)
io_submit(r2, 0x1, &(0x7f0000000340)=[&(0x7f0000000100)={0x1000000, 0x0, 0x0, 0x5, 0x8001, r1, 0x0}]) (async)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x8, 0x4, &(0x7f0000000040)=ANY=[@ANYBLOB="b400000000000200611300000000000062000000000000009500000c00000100"], &(0x7f0000003ff6)='GPL\x00', 0x2, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_skb, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x1f2, 0x10, &(0x7f0000000000), 0xfffffe51, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48) (async)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$evdev-ioctl$EVIOCGKEYCODE_V2-ioctl$KVM_CREATE_VM-ioctl$KVM_CAP_MSR_PLATFORM_INFO-ioctl$HIDIOCGREPORT-poll-ioctl$FAT_IOCTL_GET_ATTRIBUTES-ioctl$KVM_PPC_ALLOCATE_HTAB-ioctl$int_in-socket$inet6-ioctl$F2FS_IOC_FLUSH_DEVICE-syz_kvm_add_vcpu$x86-ioctl$KVM_SET_REGS-syz_open_dev$tty20-ioctl$TCXONC-openat$vhost_vsock-ioctl$VHOST_SET_VRING_KICK-ioctl$BTRFS_IOC_QUOTA_RESCAN-pipe2-syz_mount_image$fuse-renameat2-ioctl$EVIOCREVOKE-syz_usb_connect$uac1-bpf$BPF_LINK_CREATE-unshare-ioctl$IOC_WATCH_QUEUE_SET_SIZE-fgetxattr-sendmsg$DEVLINK_CMD_RATE_DEL-openat$ppp-ioctl$PPPIOCUNBRIDGECHAN
detailed listing:
executing program 0:
r0 = syz_open_dev$evdev(&(0x7f0000000000), 0x8dd, 0x51b100)
ioctl$EVIOCGKEYCODE_V2(r0, 0x80284504, &(0x7f0000000040)=""/252)
r1 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)
ioctl$KVM_CAP_MSR_PLATFORM_INFO(r1, 0x4068aea3, &(0x7f0000000140)={0x9f, 0x0, 0x1})
ioctl$HIDIOCGREPORT(0xffffffffffffffff, 0x400c4807, &(0x7f00000001c0)={0x1, 0x100, 0x9})
poll(&(0x7f0000000200)=[{r1, 0x1000}], 0x1, 0x9)
ioctl$FAT_IOCTL_GET_ATTRIBUTES(r0, 0x80047210, &(0x7f0000000240))
ioctl$KVM_PPC_ALLOCATE_HTAB(r1, 0xc004aea7, &(0x7f0000000280))
ioctl$int_in(r1, 0x5452, &(0x7f00000002c0)=0x8000)
socket$inet6(0xa, 0x5, 0x6)
ioctl$F2FS_IOC_FLUSH_DEVICE(r1, 0x4008f50a, &(0x7f0000000300)={0x7f, 0x3})
r2 = syz_kvm_add_vcpu$x86(0x0, &(0x7f00000006c0)={0x0, &(0x7f0000000340)=[@code={0x1, 0x7b, {"f3440fc7b500400000b92d0b0000b86a000000ba000000000f30260fc7aa925100000f01cbc4a2f5df7eb2b9800000c00f3235008000000f30c744240000400000c74424027830e53fc7442406000000000f011c2426430f0766b845008ec80f20e035000001000f22e0"}}, @code={0x1, 0x5a, {"66baf80cb8a440fc89ef66bafc0cb839000000ef66460f3880716c3e0fc71b66ba400066ed0f40eff32e640f08440f20c03506000000440f22c0660f3a08595a4e3e0f01c8420f01c3"}}, @code={0x1, 0x76, {"0253000f01ca450fc76cec23663e26653e0f3048b8f3000000000000000f23c00f21f83502000e000f23f866bad104b808000000efc74424003c000000c744240249000000ff1c2466baf80cb8889d3284ef66bafc0ced440f0057cd450f449413c1c00000"}}, @uexit={0x0, 0x18, 0xffffffffffff11d3}, @uexit={0x0, 0x18, 0x800}, @code={0x1, 0x52, {"0f2378c4c3dd5ff700d9fe65e3ed40de6a006742e20048b800400000000000000f23d00f21f835000000000f23f8420f2330c4218d62aba5e6000066b852008ec0"}}, @code={0x1, 0x5a, {"0f20df48b800900000000000000f23c00f21f835010000000f23f866bad004b87472fed2efc4e219df94298000c0fec4a3c569310cf30f1ac83e420f01d10f08460f01cbc48105f1e9"}}, @uexit={0x0, 0x18, 0x1}, @code={0x1, 0x56, {"66b874008ed83e2edcfbf3400f019aa8000000b8010000000f01c1c461e85683fe040000b9a60b0000b800700000ba000000000f30f20faef1640f09430f01c4c4e2f18e01"}}, @code={0x1, 0x56, {"b805000000b9039d00000f01c1660fc7b7b9170000c4228dbdb6020000000f233166baa100b02aee3e400f00144a470f00d8b8010000000f01c1c4e3fd016d0ac6420fc73f"}}, @uexit={0x0, 0x18, 0x7}, @code={0x1, 0x50, {"36f30fc730420f01c9c4e1f17dbe00800000b9840800000f32460f01d1660fd2909f870000470f00900200000065470f01d16566460f38030366b814018ed8"}}], 0x353})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000700)={[0x0, 0xfffffffffffffffc, 0x81, 0xe, 0x9, 0x0, 0x8, 0x2, 0xfffffffffffffffb, 0x3, 0x0, 0x9, 0x4, 0x80000001, 0x4, 0x2], 0x80a0000, 0x54041})
r3 = syz_open_dev$tty20(0xc, 0x4, 0x1)
ioctl$TCXONC(r3, 0x540a, 0x2)
r4 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000007c0), 0x2, 0x0)
ioctl$VHOST_SET_VRING_KICK(r4, 0x4008af20, &(0x7f0000000800)={0x19872aca3cc1aafa})
ioctl$BTRFS_IOC_QUOTA_RESCAN(r1, 0x4040942c, &(0x7f0000000840)={0x0, 0x0, [0x906, 0x73, 0xd5c, 0x4, 0x7fffffffffffffff, 0xffffffff7fffffff]})
pipe2(&(0x7f0000000880)={<r5=>0xffffffffffffffff, <r6=>0xffffffffffffffff}, 0x100)
r7 = syz_mount_image$fuse(&(0x7f0000000900), &(0x7f0000000940)='./file0\x00', 0x1009012, &(0x7f0000000980)={{}, 0x2c, {}, 0x2c, {}, 0x2c, {'group_id', 0x3d, 0xee00}, 0x2c, {[{@default_permissions}, {@default_permissions}, {@default_permissions}, {@blksize={'blksize', 0x3d, 0x400}}, {@default_permissions}, {@allow_other}, {@allow_other}], [{@smackfstransmute={'smackfstransmute', 0x3d, '}'}}, {@measure}, {@smackfsfloor={'smackfsfloor', 0x3d, '\\'}}, {@fowner_lt={'fowner<', 0xee01}}, {@fscontext={'fscontext', 0x3d, 'root'}}]}}, 0x0, 0x0, &(0x7f0000000b00)="81d8d4b79ad6110779c7e5c52a7a0797857cbeb655f734b0e8391f8a9da84f948286f97ae691f485879d44dea5")
renameat2(r5, &(0x7f00000008c0)='./file0\x00', r7, &(0x7f0000000b40)='./file0\x00', 0x4)
ioctl$EVIOCREVOKE(r5, 0x40044591, &(0x7f0000000b80)=0xff)
syz_usb_connect$uac1(0x0, 0xcf, &(0x7f0000000bc0)={{0x12, 0x1, 0x300, 0x0, 0x0, 0x0, 0x20, 0x1d6b, 0x101, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xbd, 0x3, 0x1, 0x9, 0x10, 0x5, {{0x9, 0x4, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, {{0xa, 0x24, 0x1, 0x0, 0x5}, [@extension_unit={0x8, 0x24, 0x8, 0x1, 0x1ff, 0x2, "93"}, @extension_unit={0xa, 0x24, 0x8, 0x4, 0x1, 0x40, "be75aa"}, @processing_unit={0xa, 0x24, 0x7, 0x5, 0x5, 0x0, "939dc8"}, @processing_unit={0x8, 0x24, 0x7, 0x1, 0x2, 0x4, "e3"}, @mixer_unit={0xb, 0x24, 0x4, 0x4, 0xa3, "9a42d2104e22"}]}}, {}, {0x9, 0x4, 0x1, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@as_header={0x7, 0x24, 0x1, 0xf6, 0x3, 0x2}, @as_header={0x7, 0x24, 0x1, 0x8, 0x80, 0x1001}, @format_type_ii_discrete={0xa, 0x24, 0x2, 0x2, 0x7, 0x2, 0xe0, "1a"}]}, {{0x9, 0x5, 0x1, 0x9, 0x200, 0x0, 0xff, 0x4, {0x7, 0x25, 0x1, 0x5, 0x8, 0x6}}}}, {}, {0x9, 0x4, 0x2, 0x1, 0x1, 0x1, 0x2, 0x0, 0x0, {[@format_type_ii_discrete={0x10, 0x24, 0x2, 0x2, 0x5, 0x33e, 0xa, "07c504f3b68270"}, @as_header={0x7, 0x24, 0x1, 0x6, 0x8, 0x1001}]}, {{0x9, 0x5, 0x82, 0x9, 0x200, 0x5, 0x5e, 0x4, {0x7, 0x25, 0x1, 0x0, 0x7, 0xe3e6}}}}}}}]}}, &(0x7f0000001140)={0xa, &(0x7f0000000cc0)={0xa, 0x6, 0x201, 0x5b, 0x7f, 0x10, 0x8, 0x5}, 0x5, &(0x7f0000000d00)={0x5, 0xf, 0x5}, 0x9, [{0x4, &(0x7f0000000d40)=@lang_id={0x4, 0x3, 0x41c}}, {0x4, &(0x7f0000000d80)=@lang_id={0x4, 0x3, 0x430}}, {0xd9, &(0x7f0000000dc0)=@string={0xd9, 0x3, "3e1b2087bddc2685d9307509af4774177436508ca4a113d27d017929861d07e7808aeeee002132c1b9690809850acb0de8d3472231fe09b4fbeb8bb01f86f9d102ebe57ac9d9d9bbc6db6692490b3f0ab955c79b493bd5d0cd7d4411d2559ef6dd2e09cd2d1a215d5822a1de15cf33859039260303628cdce11f623a575423d5a7a0f20ef916eee05167d8c78510dca2169f1d68a6f43e38cfc0de7ba0a69e353cc34b313327b17ab704bf48a481bef2de17649069eea649842a0bce31c4180d1e3f63da5f7b5660b7992b2459c5f1004c16c590b49522"}}, {0x4, &(0x7f0000000ec0)=@lang_id={0x4, 0x3, 0x860}}, {0xd9, &(0x7f0000000f00)=@string={0xd9, 0x3, "0925a860e044f19a673f2ed00db359e4c233f81fea0616aaa49a8ff8b2ef2cfed5487efa59aca196767b87f3bf35f764b943bf38e8ae977120219d4c0f59bfed93d48e62b2cc071abdeccf7ebdd9bc64f102acc61ae2d541c2d20577aebe811697a5217f35a3f7cefcd9d35fa1a25feee1f99f7a840123920c4c238bcec52e12cb57e7f91e0654dbb1ad64b3042b0dadfe5c24863fc02ccdb548baf44835111e0c17651492fd2efb47f50913e224d0d9ba50d8cb67a7c6e20e07f1ad74af0db61333a6cc33bd696c7333fc15599ebc311baeb7ba6ecca3"}}, {0x4, &(0x7f0000001000)=@lang_id={0x4, 0x3, 0x80a}}, {0x4, &(0x7f0000001040)=@lang_id={0x4, 0x3, 0x1c0a}}, {0x5b, &(0x7f0000001080)=@string={0x5b, 0x3, "62d6545e1c237ca63fffe2add839b1e1db5c5c4116c812c42b3e68928a45c1ab555e172aab288a2fad091f1975d1ddae26b65023a47efeb93508985f5a6f6528fdb60605aa0d0e0155fbaeb75c0ba3599809273b2d5fec7fb7"}}, {0xd, &(0x7f0000001100)=@string={0xd, 0x3, "8bdd43b308dd2a985e15a8"}}]})
bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000001200)={0xffffffffffffffff, r6, 0x13, 0x0, @val=@perf_event={0x5aa}}, 0x18)
unshare(0x42000600)
ioctl$IOC_WATCH_QUEUE_SET_SIZE(r5, 0x5760, 0x34)
fgetxattr(r7, &(0x7f0000001240)=@known='user.syz\x00', &(0x7f0000001280)=""/48, 0x30)
sendmsg$DEVLINK_CMD_RATE_DEL(r6, &(0x7f00000013c0)={&(0x7f00000012c0)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f0000001380)={&(0x7f0000001300)={0x74, 0x0, 0x1, 0x70bd26, 0x25dfdbfc, {}, [@DEVLINK_ATTR_PORT_INDEX={0x8, 0x3, 0x1}, @DEVLINK_ATTR_PORT_INDEX={0x8}, @handle=@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, @DEVLINK_ATTR_RATE_NODE_NAME={0xe}, @handle=@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}]}, 0x74}, 0x1, 0x0, 0x0, 0x20040010}, 0x4800)
r8 = openat$ppp(0xffffffffffffff9c, &(0x7f0000001400), 0x129080, 0x0)
ioctl$PPPIOCUNBRIDGECHAN(r8, 0x7434)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-write$FUSE_IOCTL-ioctl$LOOP_CHANGE_FD-bpf$BPF_GET_PROG_INFO-open-pwritev2-bpf$PROG_LOAD-syz_usb_connect
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
r2 = open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r3 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r3, 0x4c0a, &(0x7f0000000180)={r4, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
write$FUSE_IOCTL(r4, &(0x7f0000000000)={0x20, 0x0, 0x0, {0x7, 0x4, 0x9, 0x2}}, 0x20)
ioctl$LOOP_CHANGE_FD(r3, 0x4c03, r4)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={0xffffffffffffffff, 0xe0, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, &(0x7f0000000340)=[0x0, 0x0, 0x0, 0x0], ""/16, 0x0, 0x0, 0x0, 0x0, 0x2, 0x2, &(0x7f0000000380)=[0x0, 0x0], &(0x7f00000003c0)=[0x0, 0x0], <r5=>0x0, 0x43, &(0x7f0000000400)=[{}, {}, {}, {}], 0x20, 0x10, &(0x7f0000000440), &(0x7f0000000480), 0x8, 0x76, 0x8, 0x8, &(0x7f00000004c0)}}, 0x10)
r6 = open(&(0x7f0000000140)='./file1\x00', 0x64842, 0x21)
pwritev2(r6, &(0x7f0000000240), 0x10000000000000ab, 0x0, 0xffffffff, 0x3)
bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x15, 0x1d, &(0x7f0000000140)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0x211, 0x0, 0x0, 0x0, 0x7}, {{0x18, 0x1, 0x1, 0x0, r0}}, {}, [@ringbuf_query={{0x18, 0x1, 0x1, 0x0, r1}}, @map_idx={0x18, 0x3, 0x5, 0x0, 0xd}, @map_idx_val={0x18, 0x1, 0x6, 0x0, 0x5, 0x0, 0x0, 0x0, 0xffff}, @jmp={0x5, 0x0, 0xa, 0x8, 0x5, 0xfffffffffffffffe, 0x8}, @cb_func={0x18, 0x1, 0x4, 0x0, 0xfffffffffffffffe}, @ldst={0x2, 0x0, 0x1, 0x6, 0x2, 0x18, 0xfffffffffffffff0}, @map_fd={0x18, 0xf, 0x1, 0x0, r2}], {{}, {0x7, 0x0, 0xb, 0x2, 0x0, 0x0, 0x2}, {0x85, 0x0, 0x0, 0x85}}}, &(0x7f0000000240)='GPL\x00', 0x8000, 0x0, &(0x7f0000000280), 0x41000, 0x60, '\x00', 0x0, @fallback=0x14, r4, 0x8, &(0x7f00000002c0)={0x11d, 0x2}, 0x8, 0x10, &(0x7f0000000300)={0x4, 0x0, 0x7, 0x4}, 0x10, r5, r6, 0x0, &(0x7f0000000640)=[0x1], 0x0, 0x10, 0x0, @void, @value}, 0x94)
syz_usb_connect(0x2, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="12011001581c2908570b2a85396d0102030109021b00010001000b0904c8020103010203090504"], 0x0)

program crashed: KASAN: use-after-free Read in lo_open
single: successfully extracted reproducer
found reproducer with 13 syscalls
minimizing guilty program
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-write$FUSE_IOCTL-ioctl$LOOP_CHANGE_FD-bpf$BPF_GET_PROG_INFO-open-pwritev2-bpf$PROG_LOAD
detailed listing:
executing program 0:
r0 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
r2 = open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r3 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r3, 0x4c0a, &(0x7f0000000180)={r4, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
write$FUSE_IOCTL(r4, &(0x7f0000000000)={0x20, 0x0, 0x0, {0x7, 0x4, 0x9, 0x2}}, 0x20)
ioctl$LOOP_CHANGE_FD(r3, 0x4c03, r4)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={0xffffffffffffffff, 0xe0, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, &(0x7f0000000340)=[0x0, 0x0, 0x0, 0x0], ""/16, 0x0, 0x0, 0x0, 0x0, 0x2, 0x2, &(0x7f0000000380)=[0x0, 0x0], &(0x7f00000003c0)=[0x0, 0x0], <r5=>0x0, 0x43, &(0x7f0000000400)=[{}, {}, {}, {}], 0x20, 0x10, &(0x7f0000000440), &(0x7f0000000480), 0x8, 0x76, 0x8, 0x8, &(0x7f00000004c0)}}, 0x10)
r6 = open(&(0x7f0000000140)='./file1\x00', 0x64842, 0x21)
pwritev2(r6, &(0x7f0000000240), 0x10000000000000ab, 0x0, 0xffffffff, 0x3)
bpf$PROG_LOAD(0x5, &(0x7f0000000680)={0x15, 0x1d, &(0x7f0000000140)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0x211, 0x0, 0x0, 0x0, 0x7}, {{0x18, 0x1, 0x1, 0x0, r0}}, {}, [@ringbuf_query={{0x18, 0x1, 0x1, 0x0, r1}}, @map_idx={0x18, 0x3, 0x5, 0x0, 0xd}, @map_idx_val={0x18, 0x1, 0x6, 0x0, 0x5, 0x0, 0x0, 0x0, 0xffff}, @jmp={0x5, 0x0, 0xa, 0x8, 0x5, 0xfffffffffffffffe, 0x8}, @cb_func={0x18, 0x1, 0x4, 0x0, 0xfffffffffffffffe}, @ldst={0x2, 0x0, 0x1, 0x6, 0x2, 0x18, 0xfffffffffffffff0}, @map_fd={0x18, 0xf, 0x1, 0x0, r2}], {{}, {0x7, 0x0, 0xb, 0x2, 0x0, 0x0, 0x2}, {0x85, 0x0, 0x0, 0x85}}}, &(0x7f0000000240)='GPL\x00', 0x8000, 0x0, &(0x7f0000000280), 0x41000, 0x60, '\x00', 0x0, @fallback=0x14, r4, 0x8, &(0x7f00000002c0)={0x11d, 0x2}, 0x8, 0x10, &(0x7f0000000300)={0x4, 0x0, 0x7, 0x4}, 0x10, r5, r6, 0x0, &(0x7f0000000640)=[0x1], 0x0, 0x10, 0x0, @void, @value}, 0x94)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-write$FUSE_IOCTL-ioctl$LOOP_CHANGE_FD-bpf$BPF_GET_PROG_INFO-open-pwritev2
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
write$FUSE_IOCTL(r1, &(0x7f0000000000)={0x20, 0x0, 0x0, {0x7, 0x4, 0x9, 0x2}}, 0x20)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={0xffffffffffffffff, 0xe0, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, &(0x7f0000000340)=[0x0, 0x0, 0x0, 0x0], ""/16, 0x0, 0x0, 0x0, 0x0, 0x2, 0x2, &(0x7f0000000380)=[0x0, 0x0], &(0x7f00000003c0)=[0x0, 0x0], 0x0, 0x43, &(0x7f0000000400)=[{}, {}, {}, {}], 0x20, 0x10, &(0x7f0000000440), &(0x7f0000000480), 0x8, 0x76, 0x8, 0x8, &(0x7f00000004c0)}}, 0x10)
r2 = open(&(0x7f0000000140)='./file1\x00', 0x64842, 0x21)
pwritev2(r2, &(0x7f0000000240), 0x10000000000000ab, 0x0, 0xffffffff, 0x3)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-write$FUSE_IOCTL-ioctl$LOOP_CHANGE_FD-bpf$BPF_GET_PROG_INFO-open
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
write$FUSE_IOCTL(r1, &(0x7f0000000000)={0x20, 0x0, 0x0, {0x7, 0x4, 0x9, 0x2}}, 0x20)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={0xffffffffffffffff, 0xe0, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, &(0x7f0000000340)=[0x0, 0x0, 0x0, 0x0], ""/16, 0x0, 0x0, 0x0, 0x0, 0x2, 0x2, &(0x7f0000000380)=[0x0, 0x0], &(0x7f00000003c0)=[0x0, 0x0], 0x0, 0x43, &(0x7f0000000400)=[{}, {}, {}, {}], 0x20, 0x10, &(0x7f0000000440), &(0x7f0000000480), 0x8, 0x76, 0x8, 0x8, &(0x7f00000004c0)}}, 0x10)
open(&(0x7f0000000140)='./file1\x00', 0x64842, 0x21)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-write$FUSE_IOCTL-ioctl$LOOP_CHANGE_FD-bpf$BPF_GET_PROG_INFO
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
write$FUSE_IOCTL(r1, &(0x7f0000000000)={0x20, 0x0, 0x0, {0x7, 0x4, 0x9, 0x2}}, 0x20)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={0xffffffffffffffff, 0xe0, &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, &(0x7f0000000340)=[0x0, 0x0, 0x0, 0x0], ""/16, 0x0, 0x0, 0x0, 0x0, 0x2, 0x2, &(0x7f0000000380)=[0x0, 0x0], &(0x7f00000003c0)=[0x0, 0x0], 0x0, 0x43, &(0x7f0000000400)=[{}, {}, {}, {}], 0x20, 0x10, &(0x7f0000000440), &(0x7f0000000480), 0x8, 0x76, 0x8, 0x8, &(0x7f00000004c0)}}, 0x10)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-write$FUSE_IOCTL-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
write$FUSE_IOCTL(r1, &(0x7f0000000000)={0x20, 0x0, 0x0, {0x7, 0x4, 0x9, 0x2}}, 0x20)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-write$FUSE_IOCTL
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
write$FUSE_IOCTL(r1, &(0x7f0000000000)={0x20, 0x0, 0x0, {0x7, 0x4, 0x9, 0x2}}, 0x20)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-syz_open_dev$loop-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={0xffffffffffffffff, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, 0xffffffffffffffff)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-open_tree-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
open_tree(0xffffffffffffffff, &(0x7f0000000100)='./file0\x00', 0x181d01)
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(0xffffffffffffffff, 0x4c0a, &(0x7f0000000180)={r0, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c03, r0)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_procfs-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
syz_open_procfs(0xffffffffffffffff, &(0x7f00000000c0)='net/kcm\x00')
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000040)={0x1b, 0x0, 0x0, 0x2aa48fa5, 0x0, 0xffffffffffffffff, 0xfffffff7, '\x00', 0x0, 0xffffffffffffffff, 0x7, 0x4, 0x4, 0x0, @void, @value, @void, @value}, 0x50)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(0x0, 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, 0x0)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
extracting C reproducer
testing compiled C program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
program did not crash
simplifying guilty program options
testing program (duration=53.835625773s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program did not crash
testing program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000011, 0xfffffffffffffffd, 0x0, 0x1, 0x2, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a01000000000000000003001af56be600", "2809e8dbe108598948224ad58b55e6ef875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd499288100", "91be8b000000000000000000ee0000000021000000000000000000000300", [0x9, 0x8000000000000077]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)

program crashed: KASAN: use-after-free Read in lo_open
extracting C reproducer
testing compiled C program (duration=53.835625773s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
program did not crash
reproducing took 28m54.885162068s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:973 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
Read of size 4 at addr ffff8881ee9e6e78 by task syz-executor/442

CPU: 1 PID: 442 Comm: syz-executor Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack+0x1e/0x20 lib/dump_stack.c:77
 dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
 print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
 __kasan_report+0xef/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
 mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
 __mutex_lock_common kernel/locking/mutex.c:973 [inline]
 __mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
 __mutex_lock_killable_slowpath+0xe/0x10 kernel/locking/mutex.c:1381
 mutex_lock_killable+0xd3/0xe0 kernel/locking/mutex.c:1348
 lo_open+0x1d/0xc0 drivers/block/loop.c:1899
 __blkdev_get+0x610/0x1560 fs/block_dev.c:1581
 blkdev_get+0x68/0x380 fs/block_dev.c:1714
 blkdev_open+0x1cb/0x2b0 fs/block_dev.c:1856
 do_dentry_open+0x8b5/0x1030 fs/open.c:806
 vfs_open+0x73/0x80 fs/open.c:920
 do_last fs/namei.c:3565 [inline]
 path_openat+0x2a5e/0x35c0 fs/namei.c:3683
 do_filp_open+0x1ae/0x3f0 fs/namei.c:3713
 do_sys_open+0x2bb/0x5d0 fs/open.c:1123
 __do_sys_openat fs/open.c:1150 [inline]
 __se_sys_openat fs/open.c:1144 [inline]
 __x64_sys_openat+0xa2/0xb0 fs/open.c:1144
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f0229120251
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 72 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007ffd73e4ecd0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f0229120251
RDX: 0000000000000002 RSI: 00007ffd73e4ede0 RDI: 00000000ffffff9c
RBP: 00007ffd73e4ede0 R08: 000000000000000a R09: 00007ffd73e4ea97
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f0229310260 R14: 0000000000000003 R15: 00007ffd73e4ede0

Allocated by task 424:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x162/0x200 mm/kasan/common.c:529
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xe2/0x270 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x57/0x640 kernel/fork.c:882
 copy_process+0x503/0x2cf0 kernel/fork.c:1889
 _do_fork+0x190/0x860 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x1de/0x1f0 kernel/fork.c:2675
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 10:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1c3/0x280 mm/kasan/common.c:487
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:496
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0xb7/0x180 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10c/0x2c0 mm/slub.c:3096
 free_task_struct kernel/fork.c:176 [inline]
 free_task+0xe9/0x150 kernel/fork.c:480
 __put_task_struct+0x2b7/0x420 kernel/fork.c:755
 put_task_struct include/linux/sched/task.h:147 [inline]
 delayed_put_task_struct+0x71/0x210 kernel/exit.c:229
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x446/0x980 kernel/rcu/tree.c:2167
 rcu_core+0x4bd/0xbd0 kernel/rcu/tree.c:2387
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2396
 __do_softirq+0x236/0x660 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881ee9e6e40
 which belongs to the cache task_struct of size 3904
The buggy address is located 56 bytes inside of
 3904-byte region [ffff8881ee9e6e40, ffff8881ee9e7d80)
The buggy address belongs to the page:
page:ffffea0007ba7800 refcount:1 mapcount:0 mapping:ffff8881f5cf5180 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 ffffea0007b63e00 0000000200000002 ffff8881f5cf5180
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
 alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x93/0x420 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x29e/0x420 mm/slub.c:2667
 __slab_alloc+0x63/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x57/0x640 kernel/fork.c:882
 copy_process+0x503/0x2cf0 kernel/fork.c:1889
 _do_fork+0x190/0x860 kernel/fork.c:2399
 kernel_thread+0x6f/0x90 kernel/fork.c:2489
 create_kthread kernel/kthread.c:311 [inline]
 kthreadd+0x354/0x480 kernel/kthread.c:654
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881ee9e6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ee9e6d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881ee9e6e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881ee9e6e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ee9e6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:973 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
Read of size 4 at addr ffff8881ee9e6e78 by task syz-executor/442

CPU: 1 PID: 442 Comm: syz-executor Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack+0x1e/0x20 lib/dump_stack.c:77
 dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
 print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
 __kasan_report+0xef/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
 mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
 __mutex_lock_common kernel/locking/mutex.c:973 [inline]
 __mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
 __mutex_lock_killable_slowpath+0xe/0x10 kernel/locking/mutex.c:1381
 mutex_lock_killable+0xd3/0xe0 kernel/locking/mutex.c:1348
 lo_open+0x1d/0xc0 drivers/block/loop.c:1899
 __blkdev_get+0x610/0x1560 fs/block_dev.c:1581
 blkdev_get+0x68/0x380 fs/block_dev.c:1714
 blkdev_open+0x1cb/0x2b0 fs/block_dev.c:1856
 do_dentry_open+0x8b5/0x1030 fs/open.c:806
 vfs_open+0x73/0x80 fs/open.c:920
 do_last fs/namei.c:3565 [inline]
 path_openat+0x2a5e/0x35c0 fs/namei.c:3683
 do_filp_open+0x1ae/0x3f0 fs/namei.c:3713
 do_sys_open+0x2bb/0x5d0 fs/open.c:1123
 __do_sys_openat fs/open.c:1150 [inline]
 __se_sys_openat fs/open.c:1144 [inline]
 __x64_sys_openat+0xa2/0xb0 fs/open.c:1144
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f0229120251
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 72 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007ffd73e4ecd0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f0229120251
RDX: 0000000000000002 RSI: 00007ffd73e4ede0 RDI: 00000000ffffff9c
RBP: 00007ffd73e4ede0 R08: 000000000000000a R09: 00007ffd73e4ea97
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f0229310260 R14: 0000000000000003 R15: 00007ffd73e4ede0

Allocated by task 424:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x162/0x200 mm/kasan/common.c:529
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xe2/0x270 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x57/0x640 kernel/fork.c:882
 copy_process+0x503/0x2cf0 kernel/fork.c:1889
 _do_fork+0x190/0x860 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x1de/0x1f0 kernel/fork.c:2675
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 10:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1c3/0x280 mm/kasan/common.c:487
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:496
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0xb7/0x180 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10c/0x2c0 mm/slub.c:3096
 free_task_struct kernel/fork.c:176 [inline]
 free_task+0xe9/0x150 kernel/fork.c:480
 __put_task_struct+0x2b7/0x420 kernel/fork.c:755
 put_task_struct include/linux/sched/task.h:147 [inline]
 delayed_put_task_struct+0x71/0x210 kernel/exit.c:229
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x446/0x980 kernel/rcu/tree.c:2167
 rcu_core+0x4bd/0xbd0 kernel/rcu/tree.c:2387
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2396
 __do_softirq+0x236/0x660 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881ee9e6e40
 which belongs to the cache task_struct of size 3904
The buggy address is located 56 bytes inside of
 3904-byte region [ffff8881ee9e6e40, ffff8881ee9e7d80)
The buggy address belongs to the page:
page:ffffea0007ba7800 refcount:1 mapcount:0 mapping:ffff8881f5cf5180 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 ffffea0007b63e00 0000000200000002 ffff8881f5cf5180
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
 alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x93/0x420 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x29e/0x420 mm/slub.c:2667
 __slab_alloc+0x63/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x57/0x640 kernel/fork.c:882
 copy_process+0x503/0x2cf0 kernel/fork.c:1889
 _do_fork+0x190/0x860 kernel/fork.c:2399
 kernel_thread+0x6f/0x90 kernel/fork.c:2489
 create_kthread kernel/kthread.c:311 [inline]
 kthreadd+0x354/0x480 kernel/kthread.c:654
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881ee9e6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ee9e6d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881ee9e6e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881ee9e6e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ee9e6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================