Extracting prog: 4m33.460374731s
Minimizing prog: 27m38.070586315s
Simplifying prog options: 3m45.084611937s
Extracting C: 1m21.120590691s
Simplifying C: 0s
extracting reproducer from 83 programs
testing a last program of every proc
single: executing 33 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$tipc-openat$ptmx-ioctl$TIOCSETD-ioctl$TCFLSH-syz_init_net_socket$bt_hci-ioctl$sock_bt_hci-bind$tipc-setsockopt$TIPC_GROUP_JOIN-close
detailed listing:
executing program 0:
r0 = socket$tipc(0x1e, 0x5, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r1, 0x5423, &(0x7f00000000c0)=0xf)
ioctl$TCFLSH(r1, 0x400455c8, 0x0)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x800448f0, &(0x7f00000007c0))
bind$tipc(r0, &(0x7f0000000180)=@nameseq={0x1e, 0x1, 0x3, {0x42, 0x0, 0x80}}, 0x10)
setsockopt$TIPC_GROUP_JOIN(r0, 0x10f, 0x87, &(0x7f0000000000)={0x42, 0x1}, 0x10)
close(r0)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): set_robust_list-getpgrp-get_robust_list-set_robust_list-get_robust_list-sched_setscheduler-set_robust_list-socket$inet-connect$inet-connect$inet-set_robust_list-set_robust_list-get_robust_list-socket$unix-connect$unix-socket$inet6-write$UHID_CREATE2-set_robust_list-get_robust_list-accept$unix-get_robust_list-shutdown-get_robust_list-socket$nl_route-sendmsg$nl_route-set_robust_list-openat$procfs-ioctl$UI_DEV_SETUP-syz_genetlink_get_family_id$fou-set_robust_list
detailed listing:
executing program 0:
set_robust_list(&(0x7f0000000100)={&(0x7f0000000040)={&(0x7f0000000000)}, 0x3, &(0x7f00000000c0)={&(0x7f0000000080)}}, 0x18)
r0 = getpgrp(0xffffffffffffffff)
get_robust_list(r0, &(0x7f0000000280)=&(0x7f0000000240)={&(0x7f0000000180)={&(0x7f0000000140)}, 0x0, &(0x7f0000000200)={&(0x7f00000001c0)}}, &(0x7f00000002c0)=0x18)
set_robust_list(&(0x7f0000000400)={&(0x7f0000000340)={&(0x7f0000000300)}, 0x2, &(0x7f00000003c0)={&(0x7f0000000380)}}, 0x18)
get_robust_list(r0, &(0x7f0000000540)=&(0x7f0000000500)={&(0x7f0000000480)={&(0x7f0000000440)}, 0x0, &(0x7f00000004c0)}, &(0x7f0000000580)=0x18)
sched_setscheduler(r0, 0x2, &(0x7f00000005c0)=0x4)
set_robust_list(&(0x7f0000000680)={0x0, 0x80, &(0x7f0000000640)={&(0x7f0000000600)}}, 0x18)
r1 = socket$inet(0x2, 0xa, 0x80)
connect$inet(r1, &(0x7f00000006c0)={0x2, 0x4e21, @empty}, 0x10)
connect$inet(r1, &(0x7f0000000700)={0x2, 0x4e20, @rand_addr=0x64010101}, 0x10)
set_robust_list(&(0x7f0000000840)={&(0x7f0000000780)={&(0x7f0000000740)}, 0x2, &(0x7f0000000800)={&(0x7f00000007c0)}}, 0x18)
set_robust_list(&(0x7f0000000900)={0x0, 0xe28, &(0x7f00000008c0)={&(0x7f0000000880)}}, 0x18)
get_robust_list(r0, &(0x7f0000000980)=&(0x7f0000000940)={0xfffffffffffffffe}, &(0x7f00000009c0)=0x18)
r2 = socket$unix(0x1, 0x1, 0x0)
connect$unix(r2, &(0x7f0000000a00)=@file={0x0, './file0\x00'}, 0x6e)
r3 = socket$inet6(0xa, 0xf, 0x1000)
write$UHID_CREATE2(r3, &(0x7f0000000a80)={0xb, {'syz0\x00', 'syz0\x00', 'syz0\x00', 0xc, 0x0, 0x1000, 0x7, 0x9, 0x400, "7b79e06b4147e0fd50268d16"}}, 0x124)
set_robust_list(&(0x7f0000000c40)={0x0, 0x9, &(0x7f0000000c00)={&(0x7f0000000bc0)}}, 0x18)
get_robust_list(r0, &(0x7f0000000d40)=&(0x7f0000000d00)={&(0x7f0000000cc0)={&(0x7f0000000c80)}}, &(0x7f0000000d80)=0x18)
accept$unix(r2, &(0x7f0000000dc0)=@abs, &(0x7f0000000e40)=0x6e)
get_robust_list(r0, &(0x7f0000000fc0)=&(0x7f0000000f80)={&(0x7f0000000ec0)={&(0x7f0000000e80)}, 0x0, &(0x7f0000000f40)={&(0x7f0000000f00)}}, &(0x7f0000001000)=0x18)
shutdown(r1, 0x1)
get_robust_list(0x0, &(0x7f0000001080)=&(0x7f0000001040), &(0x7f00000010c0)=0x18)
r4 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r4, &(0x7f0000001240)={&(0x7f0000001100)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000001200)={&(0x7f0000001140)=@can_delroute={0x8c, 0x19, 0x1, 0x70bd27, 0x25dfdbfb, {}, [@CGW_MOD_AND={0x15, 0x1, {{{0x2}, 0x5, 0x3, 0x0, 0x0, "84c0ec41edbfb579"}, 0x7}}, @CGW_FILTER={0xc, 0xb, {{0x2, 0x0, 0x1, 0x1}, {0x2, 0x1, 0x0, 0x1}}}, @CGW_FILTER={0xc, 0xb, {{0x2, 0x0, 0x1}, {0x2, 0x0, 0x0, 0x1}}}, @CGW_MOD_AND={0x15, 0x1, {{{0x2, 0x1, 0x1}, 0x2, 0x0, 0x0, 0x0, "ed3619f0b6f0fdfc"}}}, @CGW_MOD_OR={0x15, 0x2, {{{0x2, 0x0, 0x0, 0x1}, 0x0, 0x0, 0x0, 0x0, "2b3217be89bdc807"}, 0x4}}, @CGW_MOD_OR={0x15, 0x2, {{{0x4, 0x0, 0x1, 0x1}, 0x0, 0x0, 0x0, 0x0, "ddbf4cbdd0b8f8e3"}, 0x2}}]}, 0x8c}, 0x1, 0x0, 0x0, 0x40000}, 0x8814)
set_robust_list(&(0x7f0000001380)={&(0x7f00000012c0)={&(0x7f0000001280)}, 0x2, &(0x7f0000001340)={&(0x7f0000001300)}}, 0x18)
r5 = openat$procfs(0xffffffffffffff9c, &(0x7f00000013c0)='/proc/schedstat\x00', 0x0, 0x0)
ioctl$UI_DEV_SETUP(r5, 0x405c5503, &(0x7f0000001400)={{0xf, 0x87, 0x40, 0x5}, 'syz1\x00', 0x52})
syz_genetlink_get_family_id$fou(&(0x7f0000001480), r5)
set_robust_list(&(0x7f0000001580)={&(0x7f0000001500)={&(0x7f00000014c0)}, 0xffffffffffff6ef4, &(0x7f0000001540)}, 0x18)
program did not crash
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-chdir-socket$tipc-bind$tipc-syz_open_procfs-pread64-getdents64-setsockopt$TIPC_GROUP_JOIN-setsockopt$TIPC_MCAST_BROADCAST-sendmsg$tipc-munmap-open-lseek-getdents-ioctl$sock_SIOCGIFINDEX-socket$netlink-socket$packet-sendmsg$nl_route
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000100)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
chdir(&(0x7f0000000480)='./cgroup\x00')
r1 = socket$tipc(0x1e, 0x5, 0x0)
bind$tipc(r1, &(0x7f0000000340)=@nameseq={0x1e, 0x1, 0x3, {0x43}}, 0x10)
r2 = syz_open_procfs(0x0, &(0x7f0000000040)='mountinfo\x00')
pread64(r2, &(0x7f0000000380)=""/87, 0x57, 0x80000000000)
getdents64(r2, &(0x7f0000000180)=""/130, 0x82)
setsockopt$TIPC_GROUP_JOIN(r1, 0x10f, 0x87, &(0x7f0000000100)={0x43, 0x0, 0x3, 0x3}, 0x10)
setsockopt$TIPC_MCAST_BROADCAST(r1, 0x10f, 0x85)
sendmsg$tipc(r1, &(0x7f00000005c0)={&(0x7f0000000000), 0x10, 0x0}, 0x0)
munmap(&(0x7f0000002000/0x1000)=nil, 0x1000)
r3 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0)
lseek(r3, 0x4, 0x0)
getdents(r3, &(0x7f0000001fc0)=""/184, 0xb8)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000300)={'bridge_slave_0\x00', <r4=>0x0})
r5 = socket$netlink(0x10, 0x3, 0x0)
socket$packet(0x11, 0x3, 0x300)
sendmsg$nl_route(r5, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000240)=@newlink={0x5c, 0x10, 0xa9, 0xfffffffe, 0x25dfdbfc, {0x0, 0x0, 0x0, r4}, [@IFLA_MASTER={0x8, 0xa, r4}, @IFLA_LINKINFO={0x34, 0x12, 0x0, 0x1, @bridge_slave={{0x11}, {0x1c, 0x5, 0x0, 0x1, [@IFLA_BRPORT_NEIGH_SUPPRESS={0x5}, @IFLA_BRPORT_GROUP_FWD_MASK={0x6, 0x1f, 0x1c}, @IFLA_BRPORT_ISOLATED={0x5}]}}}]}, 0x5c}}, 0x0)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-recvmmsg-userfaultfd-close-bpf$PROG_LOAD-ioctl$GIO_UNIMAP-ioctl$LOOP_CHANGE_FD-write$UHID_INPUT
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
r6 = open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x2, 0x0)
r7 = userfaultfd(0x80801)
close(r7)
bpf$PROG_LOAD(0x5, 0x0, 0x61)
ioctl$GIO_UNIMAP(r6, 0x4b66, &(0x7f0000000040)={0xd, &(0x7f00000003c0)=[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}]})
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
write$UHID_INPUT(r3, &(0x7f0000002080)={0xf, {"a2e3ad21e08eeb661b5d520987f70e06d038e7ff7fc6e5539b0d650e8b089b3f353b6c090890e0878f0e1ac6e7049b3b46959b649a240d5b67f3988f7ef319520100ffe8d178708c523c921b1b5b31070d07410936cd3b78130daa61d8e8041800005802b77f07227227b7ba67e0e78657a6f5c2a874e62a9ccdc0d31a0c9f318c0da1993bd160e233df4a62179c6f30e065cd5b91cd0ae193973735b36d5b1b63dd1c00305d3f46635eb016d5b1dda98e2d749be7bd1df1fb3b231fdcdb5075a9aaa1b469c3090000000000000075271b286329d169934288fd789aa37d6e98b224fd44b65b31334ffc55cc82cd3ac32ecdb08ced6f9081b4dd0d8b38f3cd4498bee800490841bdb114f6b76383709d8f5c554336909fda039aec54a1236e80f6a8abadea7662496bddbb42be6bfb2f17959d1f416e56c71b1931870262f5e801119242ca026bfc821e7e7daf2451138e645bb80c617669314e2fbe70de98ec76a9e40dad47f36fd9f7d0d42a4b5f1185ccdcf16ff46295d8a0fa17713c5802630933a9a34af674f3f39fe23491237c08822dec110911e893d0a8c4f6777478bc360934b82910ff85bfd995083bba2987a67399eac427d145d546a40b9f6ff14ac488ec130fb3850a27af9544ae15ffffffffffffffff1243513f000000000000000a3621c56cea8d20fa911a0c41db6ebe8cac64f17679141d54b34bbc9963ac4f4bb3309603f1d4ab966203861b5b15a841f2b575a8bd0d78248ebe4d9a80002695104f674c2431dca141fae269cab70e9a66f3c3a9a63e9639e1f59c0ede26c6b5d74b078a5e15c31634e5ae098ce9ee70771aaa18119a867e14ffd9f9db2a7869d85864056526f889af43a6056080572286522449df466c632b3570243f989cce7cd9f465e41e610c20d80421d653a5520000008213b704c7fb082ff27590678ef9f190bae97909507041d860420c5664b27921b14dc1db8892fd32d0ad7bc946813591ad8deff4b05f60cea0da7710ac0000000000008000bea37ce0d0d4aa202f928f28381aab144a5dc29a04a6a2b83c7068ae949ed06e288e810bac9c76600025e19c907f6435f7590000008271a1f5f8528f227e79c1389dbdfffe492f21579d2c15b8c70cdb1c332d86d87341432750861ec2bc3451edca194b221cfec4603d276bbaa1dfa6d4fb8a48a76eafc9a9a0270e4c10d64cd5a62427264f2377fe763c43470833ac96c45f357cbbaba8f1b1fdcc7cbb61a7cdb9744ed7f9129aede2be21ccfdc4e9134f8684b3a4f354da9a795e96334e207dff70f1988037b2ed3aaf575c0b88d8f146684078416d59fdee5325928974d12dad99dac44c3f0008047096a44002bebc2420aed92fa9b6578b4779415d4ac01b75d5495c118045651cf41c2fc48b778efa5ea5677747430af4162b987b80c3e001cd34e5c92f76cc4c24eeb8bc4e9ac2aed9a53803ed0ca4ae3a9737d214060005ea6f1783e287b3bee96e3a726eafe2fdfaa78d1f48c13b64df07847754b8400daaa69bf5c8f4350aeae9ca1207e78283cd0b20ceb360c7e658828163e2d25c4aa348561f927e88f63aa70e73a5e69b3df3495903f06572e1e007fa55a2999f596d067312f5779e8dbfdcf3427138f3d444d2639a10477f9bec4b0bbb6e3c04be68981f392203dd0ee3ef478e16dacfc5e3e03cf7ab8e3902f1b0ff034ef655b253ca509383815b1b6fc6522d4e4fdc11a48cf42d48604675fde2b94cf00500a2690891abf8ab9c015073014d9e08d4338b8780bdecd436cf0541359bafffa45237f104b96210403b2de9efed496f423500c7872c827467cfa5c4e72730d56bd068ed211cf847535edecb7b373f78b095b68441a34cb51682a8ae4d24ad0465f3927f889b813076a882e8020f06c4c2ba1dd5cac7c18876da865d258734dd73583df292892448039ef799cf0630becdcce04579b5561dc825ab829827945e020c1f67ee615feb6243378e0610060f02da93aec92a5de203717aa49c2d284acfabe262fccfcbb2b75a2183c46eb65ca8104e1b4da7fbb77ab2fc043aead87c32ab875ee7c2e7b7019c982cd3b43eaeb1a5fb135c0c7dcee8fe6516a328032f88c042891824659e9e94265c803b35ee5f83a2b210520106b8a358b50ab7a1fa89af9c251fe5294b3d1802d5676d95f160ec97b1ad94872cb2044642c37b4a6cc6c04effc1672db7e4b68d787d9a7a508ae54b3cd7369dde50e8c77d95a3d361c040babb171607caac2a3559ad4f75465f49c0d0ae3716db6e00cb11db4a5fade2a57c10238e204a67737c3b42aae501b20f7694a00f16e2d0174035a2c22656dc29880acebdbe8ddbd75c2f998d8ac2dfad2ba3a504767b6b45a45957f24d758ed024b3849c11d412a2a03b4047497022d9c30e23ef4df5c89644f48bb536f7945b59d7bcddff754413d135273ea8e75f22f216c6b9990ae71806f2c00b4025c48b75c0f73cdb9a7b8fa367b50028067e7f16f4dd569d462f4f19eacdb3ed70eeebb4e8b40427db6fe29068c0ca3d2414442e8f3a154704b0e51bc664a137b26be719f4f7c9a5678a674dfc95df80b9ce375dd649c8c704e509bd88c8e63d8c7dd67071115c8982ba46af4d6adcc9f68a75b9397b035153faf46366e7205dd8d6f37525c1a0e94610dd94323f6c15d085197149bfd6655548cfd9c52c9711937f79abb1a124f1210465483cd3b2d78378cfb85ed82e7da0f6eb6d279f2ae455925d0f6f1ba571eba281f2a654fb39ddff3b484439ff158e7c5419e037f3e3ad038f2211f1033195563c7f93cd54b9094f226e783271e1e5a2a2c10712eab625d64931cd4ffe6738d97b9b5ef828ee9fb059fc01af0e79c1e14b1d25988c69a399567c1d93768f7971d31488b8658a20878b7c1dd7ba02fc42939dde3d4a3339a65d507dc59c51097b40517705da56e9ebf0afa53282bf86dbb58c548069ff6eb95aade7cc66d7bbef724779ca1f731b3346ff177050373d79ff7b3e7f9bc0c1b4b266a8878b90baaa039d3e3b63979ac3df6e6f4859afd50238c7547a39b60810938044ae185d2ba3e00a4e73676864ae090d0300000000000000b378dd4dd891e937c2ea5410e0513005000000000000003911fab964c271550027697b52160687461602f88df165d884b36ec2b6c25a2f33c715687e9d4afb96d6861aca47da73d6f3144345f48843dd014e5c5ad8fe995754bd9cf32fce1e31919c4b2082fb0a30b9deae84bed4b28045634073c9c58c89d9e99c81769177c6d594f88a4facfd4c735a20307c737afa2d60399473296b831dbd933d93994ba3064279b10ea0c5833f41f157ea2302993dbe433b1aa3a3766d5439020484f4113c4c859465c3b415c3432f81db8719539d5bf372aaaea1cc43a6c5cbe59758bfee2916580dac4b008e595f437491d87abed02cefcd9db53d94d02daee67918e5d678746383074c6bc1050000002f7809959bc048850613d17ca51055f2f416a44fe180d2d50c312cca7cb14a2bdc331f57a9817139a206fc76957227ffff2de20a4b8e3737fbb42913777c06376f799eba367e21f94ca598705f5dcb767d6f0900d6b0f6095e53c4c4234d0c1fbe434f6ab8f43c0013ee93b83946ee7759e89d7bdd1a32d7b311711b757fe43c06d21a35810d8fe98b27faea8aa12bc8716eefc5c97c45ac33eeec964c5214bc3a9359bdea1cccab94f15e36319cb34ebcacedb82c2ed3de5a8a8f0011e8f74e82d7f96093530e76692839d7961939adfdeeeaff19d11efcafb6d546fef271e89d6cc2389e81ff58cefcce3fbf4625a7e7de40e42e07b3c7340002000000000000f288a4510de03dab19d26285eda89156d50dd385a60333ba5bbf5d77cd7007ad1519ad5470de3dd6d6080cafccf8a97406bb6b68a1f0c4549820a73c880f475f732ae00398e8bd1f4108b7807fb33b72685ec37a2d3f766413a60459516246e5a1d998a2017aef0948a68cf255315ab80dd349e891aef595dc4d470e8ac32a308e15fc37d06aeac289c0523f483e1ff7408c6087f1ab652f2ef91d4f2b01987b0f46da034e5c3f745a7ee8101a3934c54e24b48ec0275e2d0687dc746b0827cbf652f406c6b95f2722e58c05f752ce2126596e1cd7655b904801784c416b22f73d324678e2724f43f1fe687c7e8a60c28b82b6528341b648cdd56fed7cdcbb1575912d5ecd36dea3bca0b7427d8392c6289455e8f8d2ab2242729251ae033a9e02210e62df0546a74b333a1c48f95fd54acb5741259e8c5488efeee327415cc19451432c6f14c27693102a3cd84857cd6586fc5ca9a93eb0145fac0662ff86107f998a8ef7df8aa14046c55b03d3d47f88a8d60f7774a2ee08758897fb411a94b3c2fc5d5f0da42c0456ec015f08e5247d33ae2d35603ff8454c16f8342856935125102bb784ed7148b6ce431b63ee356b0c785f2f47b90e29389f22fc5b59a70efaea2bd40195af4486220d702e30bfc43c10ec23ea6283994a7dde4dcb61fea6b651fb1d62458d0741a12830052fcc460db043afe525629b40d7cee458e4cb5e930ed624806c43a006e39336d07c2b8081c128ad2706f48261f7897484c297a1a6613bc18f5a38d442768af38041efe03d152ef95ff569e76db2391f4509d7f339d92fdb4a89364949da398000000000000000d80a4fe654578376e599aff3565b1d531f30912b9945030b81ea9935fd46edb44a78f615255490a4b621501f2a9e4d24624c4dac9274118c67584f5d374755534d7f68f679c4ff516a9cc8036cbd65868fcb2bf1cb9aea4e05df72279fdb0d2b9e935c5af3cf474bed79dfc248c1f5aea4b8b32c5d295e57079d0fe662a46b7f71cd47744db86c50b704c971d90295c7b2c7439a2d78ccfa79b5fc2bff6bbf840262bf89394b3e0691953264d2700c838fa2c7b3425260f59554e502dcea39cb313b0000000000004ca7c12f45858d6284ca6270d6b2f0e58fded8a7b4a302a97bc641df07720ba2b26bbfcc807ca0abb1b44322269c21c5ec68cb068ea88067d905ea917bb03eefdaebdeabf2d0dce80997c915c8949de992587c2cb5fe36d7d3e5db21b094b8b77940b5f07722e47a08d367e5f84c96ec664b72934b99b3109af65d77e86abd6859cddf4bbae1f0930462df15fddbc48562ea3511a8065ef028cf12f14dcf6ebecd8d884836174faf1aa609e5f1ee1162dfa13bdc1fa7cfaadba85c72e9758f03a755d0be53f8d2a1dfb1c68cc164b0a0780d971a96ea2c4d4ca0398c2235980a9307b3d5bd3b01faffd0a5dbed2881a9700af561ac8c6b00000000000000f96f06817fb903729a7db6ff957697c9ede7885d94ffb0969be0daf60af93109eb1dee72e4363f51af62af6fb2a6df3bec89822a7a0b678058fa3fef86faec216eb6992162f8dcbf719c148cd2f9c55f4901203a9a8a2c3e90f3943dbc10360a1a49700d1dfbf66d69f6fbaf506c8bcce8bb0d872a02238926407a4eddd5d0fc5a752f90000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000000000000000400", 0x1000}}, 0x1006)
program crashed: KASAN: use-after-free Read in lo_open
single: successfully extracted reproducer
found reproducer with 30 syscalls
minimizing guilty program
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-recvmmsg-userfaultfd-close-bpf$PROG_LOAD-ioctl$GIO_UNIMAP-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
r6 = open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x2, 0x0)
r7 = userfaultfd(0x80801)
close(r7)
bpf$PROG_LOAD(0x5, 0x0, 0x61)
ioctl$GIO_UNIMAP(r6, 0x4b66, &(0x7f0000000040)={0xd, &(0x7f00000003c0)=[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}]})
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-recvmmsg-userfaultfd-close-bpf$PROG_LOAD-ioctl$GIO_UNIMAP
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
r6 = open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x2, 0x0)
r7 = userfaultfd(0x80801)
close(r7)
bpf$PROG_LOAD(0x5, 0x0, 0x61)
ioctl$GIO_UNIMAP(r6, 0x4b66, &(0x7f0000000040)={0xd, &(0x7f00000003c0)=[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}]})
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-recvmmsg-userfaultfd-close-bpf$PROG_LOAD-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x2, 0x0)
r6 = userfaultfd(0x80801)
close(r6)
bpf$PROG_LOAD(0x5, 0x0, 0x61)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-recvmmsg-userfaultfd-close-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x2, 0x0)
r6 = userfaultfd(0x80801)
close(r6)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-recvmmsg-userfaultfd-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x2, 0x0)
userfaultfd(0x80801)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-recvmmsg-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x2, 0x0)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-sendmmsg$unix-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-bpf$PROG_LOAD-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000080)=ANY=[@ANYBLOB="b4050000000000007b105a0000000000a6800000000000009500000000000000"], &(0x7f0000003ff6)='GPL\x00', 0x5, 0xd3, &(0x7f0000000280)=""/211, 0x41000, 0x2a, '\x00', 0x0, @fallback=0x5, r3, 0x8, &(0x7f00000000c0), 0x8, 0x10, &(0x7f0000000400)={0x0, 0x10}, 0x10, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-mmap-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000377000/0x1000)=nil, 0x1000, 0xb635773f07ebbeea, 0x8010, 0xffffffffffffffff, 0xffffe000)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-sched_setscheduler-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-sched_setscheduler-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
sched_setscheduler(0x0, 0x2, 0x0)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-bpf$MAP_CREATE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="d9a3"], 0x48)
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-renameat-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r3 = dup(r1)
r4 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f0000000180)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
renameat(r3, &(0x7f0000000480)='./file0\x00', 0xffffffffffffffff, &(0x7f0000000500)='./file0\x00')
ioctl$LOOP_CHANGE_FD(r4, 0x4c03, r5)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-open-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
dup(r1)
r3 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r3, 0x4c0a, &(0x7f0000000180)={r4, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
open(0x0, 0x0, 0x0)
ioctl$LOOP_CHANGE_FD(r3, 0x4c03, r4)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
dup(r1)
r3 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CONFIGURE(r3, 0x4c0a, &(0x7f0000000180)={r4, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r3, 0x4c03, r4)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-seccomp$SECCOMP_SET_MODE_FILTER-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
dup(r1)
r3 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER(0x1, 0x0, &(0x7f0000000300)={0x3, &(0x7f00000002c0)=[{0x80, 0x2, 0x3, 0x4}, {0x3, 0x51, 0x9, 0xfffffffa}, {0x9, 0x0, 0xa, 0x62e}]})
ioctl$LOOP_CHANGE_FD(r3, 0x4c03, r4)
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
dup(r1)
r3 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r3, 0x4c0a, &(0x7f0000000180)={r4, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r3, 0x4c03, r4)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-syz_open_dev$loop-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
dup(r1)
r3 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
ioctl$LOOP_CONFIGURE(r3, 0x4c0a, &(0x7f0000000180)={0xffffffffffffffff, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r3, 0x4c03, 0xffffffffffffffff)
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-dup-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
r2 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r2, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r2, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r2, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
dup(r1)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(0xffffffffffffffff, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(0xffffffffffffffff, 0x4c03, r3)
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-sendmmsg$inet6-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
syz_open_dev$tty1(0xc, 0x4, 0x1)
r1 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r1, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r1, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
sendmmsg$inet6(r1, &(0x7f0000000e40)=[{{&(0x7f0000000000)={0xa, 0x4e20, 0x0, @local, 0x1}, 0x1c, 0x0, 0x0, &(0x7f0000002280)=ANY=[@ANYBLOB="24000000000000002900000032000000ff020000000000000000000000000001", @ANYRES32=0x0, @ANYBLOB], 0x28, 0x7ffffff7}}], 0x1, 0x0)
r2 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r2, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r2, 0x4c03, r3)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-setsockopt$inet6_int-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
syz_open_dev$tty1(0xc, 0x4, 0x1)
r1 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r1, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
setsockopt$inet6_int(r1, 0x29, 0x4b, &(0x7f0000000080)=0xfffffff7, 0x4)
r2 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r2, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r2, 0x4c03, r3)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-setsockopt$inet6_IPV6_RTHDRDSTOPTS-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
syz_open_dev$tty1(0xc, 0x4, 0x1)
r1 = socket$inet6(0xa, 0x2, 0x0)
setsockopt$inet6_IPV6_RTHDRDSTOPTS(r1, 0x29, 0x37, &(0x7f0000000040)=ANY=[@ANYBLOB='\t\x00\x00\x00\x00\x00\x00\x00'], 0x8)
r2 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r2, 0x4c0a, &(0x7f0000000180)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r2, 0x4c03, r3)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-socket$inet6-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
syz_open_dev$tty1(0xc, 0x4, 0x1)
socket$inet6(0xa, 0x2, 0x0)
r1 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r1, 0x4c03, r2)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$tty1-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
syz_open_dev$tty1(0xc, 0x4, 0x1)
r1 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r1, 0x4c03, r2)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-alarm-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
alarm(0x3)
r1 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r1, 0x4c03, r2)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-bpf$PROG_LOAD-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x3, 0xb, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000e83100000000000000000018010000756c6c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b70300000000000085000000150000009500000000000000"], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
r1 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r1, 0x4c03, r2)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-alarm-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
alarm(0x8000000000000001)
r1 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r1, 0x4c03, r2)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='itimer_state\x00', r0}, 0x10)
r1 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r1, 0x4c0a, &(0x7f0000000180)={r2, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r1, 0x4c03, r2)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000280)='syzkaller\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program crashed: KASAN: use-after-free Read in lo_open
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(0x0, 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, 0x0)
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program did not crash
extracting C reproducer
testing compiled C program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
program did not crash
simplifying guilty program options
testing program (duration=53.385403083s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program did not crash
testing program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
detailed listing:
executing program 0:
r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x101000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.stat\x00', 0x275a, 0x0)
ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f0000000180)={r1, 0x0, {0x2a00, 0x80010000, 0x0, 0x8000000018, 0xfffffffffffffffd, 0x0, 0x0, 0x1a, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea89de2b7fb0a0100000000000000000300", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e1100752ac6c452a22861ac001d00", "91be8b1c551265406c7f306003d8a0f4bd004ab3fde500", [0x9, 0x800000000000007b]}})
ioctl$LOOP_CHANGE_FD(r0, 0x4c03, r1)
program crashed: KASAN: use-after-free Read in lo_open
extracting C reproducer
testing compiled C program (duration=53.385403083s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD
program did not crash
reproducing took 37m7.017081369s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:973 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
Read of size 4 at addr ffff8881edef8ff8 by task syz-executor/438
CPU: 1 PID: 438 Comm: syz-executor Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack+0x1e/0x20 lib/dump_stack.c:77
dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
__kasan_report+0xef/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
__asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
__mutex_lock_common kernel/locking/mutex.c:973 [inline]
__mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
__mutex_lock_killable_slowpath+0xe/0x10 kernel/locking/mutex.c:1381
mutex_lock_killable+0xd3/0xe0 kernel/locking/mutex.c:1348
lo_open+0x1d/0xc0 drivers/block/loop.c:1899
__blkdev_get+0x610/0x1560 fs/block_dev.c:1581
blkdev_get+0x68/0x380 fs/block_dev.c:1714
blkdev_open+0x1cb/0x2b0 fs/block_dev.c:1856
do_dentry_open+0x8b5/0x1030 fs/open.c:806
vfs_open+0x73/0x80 fs/open.c:920
do_last fs/namei.c:3565 [inline]
path_openat+0x2a5e/0x35c0 fs/namei.c:3683
do_filp_open+0x1ae/0x3f0 fs/namei.c:3713
do_sys_open+0x2bb/0x5d0 fs/open.c:1123
__do_sys_openat fs/open.c:1150 [inline]
__se_sys_openat fs/open.c:1144 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1144
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f1de2830251
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 72 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007fff91c8a7d0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1de2830251
RDX: 0000000000000002 RSI: 00007fff91c8a8e0 RDI: 00000000ffffff9c
RBP: 00007fff91c8a8e0 R08: 000000000000000a R09: 00007fff91c8a597
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f1de2a20260 R14: 0000000000000003 R15: 00007fff91c8a8e0
Allocated by task 419:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x162/0x200 mm/kasan/common.c:529
kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0xe2/0x270 mm/slub.c:2842
kmem_cache_alloc_node include/linux/slab.h:427 [inline]
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct+0x57/0x640 kernel/fork.c:882
copy_process+0x503/0x2cf0 kernel/fork.c:1889
_do_fork+0x190/0x860 kernel/fork.c:2399
__do_sys_clone3 kernel/fork.c:2688 [inline]
__se_sys_clone3 kernel/fork.c:2675 [inline]
__x64_sys_clone3+0x1de/0x1f0 kernel/fork.c:2675
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Freed by task 10:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x1c3/0x280 mm/kasan/common.c:487
kasan_slab_free+0xe/0x10 mm/kasan/common.c:496
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook+0xb7/0x180 mm/slub.c:1494
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0x10c/0x2c0 mm/slub.c:3096
free_task_struct kernel/fork.c:176 [inline]
free_task+0xe9/0x150 kernel/fork.c:480
__put_task_struct+0x2b7/0x420 kernel/fork.c:755
put_task_struct include/linux/sched/task.h:147 [inline]
delayed_put_task_struct+0x71/0x210 kernel/exit.c:229
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch+0x446/0x980 kernel/rcu/tree.c:2167
rcu_core+0x4bd/0xbd0 kernel/rcu/tree.c:2387
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2396
__do_softirq+0x236/0x660 kernel/softirq.c:292
The buggy address belongs to the object at ffff8881edef8fc0
which belongs to the cache task_struct of size 3904
The buggy address is located 56 bytes inside of
3904-byte region [ffff8881edef8fc0, ffff8881edef9f00)
The buggy address belongs to the page:
page:ffffea0007b7be00 refcount:1 mapcount:0 mapping:ffff8881f5cf5b80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 0000000000000000 0000000100000001 ffff8881f5cf5b80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x93/0x420 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x29e/0x420 mm/slub.c:2667
__slab_alloc+0x63/0xa0 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
kmem_cache_alloc_node include/linux/slab.h:427 [inline]
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct+0x57/0x640 kernel/fork.c:882
copy_process+0x503/0x2cf0 kernel/fork.c:1889
_do_fork+0x190/0x860 kernel/fork.c:2399
kernel_thread+0x6f/0x90 kernel/fork.c:2489
create_kthread kernel/kthread.c:311 [inline]
kthreadd+0x354/0x480 kernel/kthread.c:654
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881edef8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881edef8f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881edef8f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8881edef9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881edef9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:973 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
Read of size 4 at addr ffff8881edef8ff8 by task syz-executor/438
CPU: 1 PID: 438 Comm: syz-executor Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack+0x1e/0x20 lib/dump_stack.c:77
dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
__kasan_report+0xef/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
__asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
__mutex_lock_common kernel/locking/mutex.c:973 [inline]
__mutex_lock+0xace/0xe30 kernel/locking/mutex.c:1114
__mutex_lock_killable_slowpath+0xe/0x10 kernel/locking/mutex.c:1381
mutex_lock_killable+0xd3/0xe0 kernel/locking/mutex.c:1348
lo_open+0x1d/0xc0 drivers/block/loop.c:1899
__blkdev_get+0x610/0x1560 fs/block_dev.c:1581
blkdev_get+0x68/0x380 fs/block_dev.c:1714
blkdev_open+0x1cb/0x2b0 fs/block_dev.c:1856
do_dentry_open+0x8b5/0x1030 fs/open.c:806
vfs_open+0x73/0x80 fs/open.c:920
do_last fs/namei.c:3565 [inline]
path_openat+0x2a5e/0x35c0 fs/namei.c:3683
do_filp_open+0x1ae/0x3f0 fs/namei.c:3713
do_sys_open+0x2bb/0x5d0 fs/open.c:1123
__do_sys_openat fs/open.c:1150 [inline]
__se_sys_openat fs/open.c:1144 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1144
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f1de2830251
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d fa 72 1f 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007fff91c8a7d0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1de2830251
RDX: 0000000000000002 RSI: 00007fff91c8a8e0 RDI: 00000000ffffff9c
RBP: 00007fff91c8a8e0 R08: 000000000000000a R09: 00007fff91c8a597
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007f1de2a20260 R14: 0000000000000003 R15: 00007fff91c8a8e0
Allocated by task 419:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x162/0x200 mm/kasan/common.c:529
kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0xe2/0x270 mm/slub.c:2842
kmem_cache_alloc_node include/linux/slab.h:427 [inline]
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct+0x57/0x640 kernel/fork.c:882
copy_process+0x503/0x2cf0 kernel/fork.c:1889
_do_fork+0x190/0x860 kernel/fork.c:2399
__do_sys_clone3 kernel/fork.c:2688 [inline]
__se_sys_clone3 kernel/fork.c:2675 [inline]
__x64_sys_clone3+0x1de/0x1f0 kernel/fork.c:2675
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Freed by task 10:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x1c3/0x280 mm/kasan/common.c:487
kasan_slab_free+0xe/0x10 mm/kasan/common.c:496
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook+0xb7/0x180 mm/slub.c:1494
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0x10c/0x2c0 mm/slub.c:3096
free_task_struct kernel/fork.c:176 [inline]
free_task+0xe9/0x150 kernel/fork.c:480
__put_task_struct+0x2b7/0x420 kernel/fork.c:755
put_task_struct include/linux/sched/task.h:147 [inline]
delayed_put_task_struct+0x71/0x210 kernel/exit.c:229
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch+0x446/0x980 kernel/rcu/tree.c:2167
rcu_core+0x4bd/0xbd0 kernel/rcu/tree.c:2387
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2396
__do_softirq+0x236/0x660 kernel/softirq.c:292
The buggy address belongs to the object at ffff8881edef8fc0
which belongs to the cache task_struct of size 3904
The buggy address is located 56 bytes inside of
3904-byte region [ffff8881edef8fc0, ffff8881edef9f00)
The buggy address belongs to the page:
page:ffffea0007b7be00 refcount:1 mapcount:0 mapping:ffff8881f5cf5b80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 0000000000000000 0000000100000001 ffff8881f5cf5b80
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x93/0x420 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x29e/0x420 mm/slub.c:2667
__slab_alloc+0x63/0xa0 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
kmem_cache_alloc_node include/linux/slab.h:427 [inline]
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct+0x57/0x640 kernel/fork.c:882
copy_process+0x503/0x2cf0 kernel/fork.c:1889
_do_fork+0x190/0x860 kernel/fork.c:2399
kernel_thread+0x6f/0x90 kernel/fork.c:2489
create_kthread kernel/kthread.c:311 [inline]
kthreadd+0x354/0x480 kernel/kthread.c:654
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881edef8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881edef8f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881edef8f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8881edef9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881edef9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================