Extracting prog: 2h18m56.491860996s Minimizing prog: 39m31.622977749s Simplifying prog options: 0s Extracting C: 1m9.829634159s Simplifying C: 17m13.691608073s extracting reproducer from 118 programs testing a last program of every proc single: executing 68 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-close-openat$kvm-syz_usb_connect$uac1-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_IRQCHIP-ioctl$KVM_CREATE_VCPU-ioctl$KVM_SET_REGS-ioctl$KVM_SET_VCPU_EVENTS-ioctl$KVM_RUN-socket$inet6_mptcp-bind$inet6-listen-fsetxattr$trusted_overlay_upper-syz_emit_ethernet-syz_usb_connect-syz_usb_control_io$cdc_ncm-syz_usb_control_io$printer-syz_usb_control_io$uac1-syz_usb_control_io$printer-socket$inet_udp-socket$nl_xfrm-sendmsg$nl_xfrm-setsockopt$IPT_SO_SET_REPLACE detailed listing: executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) syz_usb_connect$uac1(0x2, 0xa6, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000000000106b1d010100000000030109029400030100400009040000000101"], 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r2, 0xae60) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f00000002c0)={[0x8aba, 0x4, 0x4, 0xd646, 0x7, 0xf, 0x120000, 0x1ff, 0x0, 0x8, 0x8000000000000001, 0x2, 0x10003, 0x101, 0x5, 0x1], 0x8000000, 0x141200}) ioctl$KVM_SET_VCPU_EVENTS(r3, 0x4400ae8f, &(0x7f0000000140)=@x86={0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) listen(r4, 0x0) fsetxattr$trusted_overlay_upper(r0, &(0x7f0000000080), &(0x7f00000000c0)={0x0, 0xfb, 0x6e, 0x5, 0xb9, "3f5d8e802470a9525b50411ed3765a3f", "08c39c6d749ce7ee1019a57f494a5d8a5eb7d4e324d4ebca44e1930bc81e020d1f9fd4bc5ae25c919379ce0fa6a01c82ba7e59c626dd01c1754698485a3da45b0a88d1cdfc08c6139a7569377dfd0625f80949a36f687cb8e7"}, 0x6e, 0x3) syz_emit_ethernet(0x5a, &(0x7f0000000140)=ANY=[@ANYBLOB="aaaaaaaaaaaa00000000000086dd6002000000240600fe8000000009758c73a700000000000000000000bbfe8000000000000000000000000000aaa0054e22", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="9002000090780000080a0000000000000000030308000000"], 0x0) r5 = syz_usb_connect(0x0, 0x24, &(0x7f0000001440)={{0x12, 0x1, 0x0, 0xab, 0xd1, 0xa0, 0x40, 0x77b, 0x2226, 0xca8b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0x3a, 0x92, 0xf8}}]}}]}}, 0x0) syz_usb_control_io$cdc_ncm(r5, 0x0, 0x0) syz_usb_control_io$printer(r5, 0x0, 0x0) syz_usb_control_io$uac1(r5, 0x0, 0x0) syz_usb_control_io$printer(r5, 0x0, 0x0) r6 = socket$inet_udp(0x2, 0x2, 0x0) r7 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r7, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="3c0100001000130426bd7000000000000000000000000000000000000000000120010000000000000000000000000000000000004e2400000000002000000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc0200000000000000000000000000000000000032000000ac1414000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000200000000000000000003000800000000000000000000000000000000000000000000000000000000000000cc00000000000000000000000000000000000000000000000000000000000000000000000200010120000000000000004c001200726663343130362867636d28616573292900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000080000000"], 0x13c}}, 0x0) setsockopt$IPT_SO_SET_REPLACE(r6, 0x0, 0x40, &(0x7f0000000600)=@filter={'filter\x00', 0xc, 0x4, 0x268, 0xffffffff, 0x130, 0x98, 0x98, 0x98, 0xffffffff, 0x1d0, 0x98, 0x1d0, 0x98, 0x4, 0x0, {[{{@uncond, 0x0, 0x70, 0x98}, @REJECT={0x28}}, {{@uncond, 0x0, 0x70, 0x98}, @common=@unspec=@STANDARD={0x28, '\x00', 0x0, 0xffffffffffffffff}}, {{@ip={@local, @broadcast, 0x0, 0x0, 'ip6tnl0\x00', 'hsr0\x00'}, 0x0, 0x70, 0xa0}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x2c8) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-socket$inet6_tcp-syz_usb_connect-connect$inet-sendmsg$inet-syz_usb_connect$hid-socket$inet6_sctp-setsockopt$IP6T_SO_SET_REPLACE-ioctl$AUTOFS_DEV_IOCTL_VERSION-fsopen-fsconfig$FSCONFIG_SET_STRING-fsconfig$FSCONFIG_SET_STRING-sendmsg$IPSET_CMD_DEL-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_VCPU-ioctl$KVM_X86_SETUP_MCE-syz_usb_control_io$hid-ioctl$KVM_SET_MSRS-syz_usb_control_io detailed listing: executing program 0: r0 = socket$inet_tcp(0x2, 0x1, 0x0) socket$inet6_tcp(0xa, 0x1, 0x0) r1 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)=ANY=[@ANYBLOB="1201fb0019030320d812010079de01ec020109021b0001000003000904000001785ecc00090585020004"], 0x0) connect$inet(r0, &(0x7f0000000000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x1c}}, 0x10) sendmsg$inet(r0, &(0x7f00000015c0)={0x0, 0x0, &(0x7f0000001600)=[{0x0}], 0x1}, 0x0) r2 = syz_usb_connect$hid(0x2, 0x0, 0x0, 0x0) r3 = socket$inet6_sctp(0xa, 0x5, 0x84) setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000001300)=@raw={'raw\x00', 0x3c1, 0x3, 0x448, 0x0, 0xc8, 0x8, 0x0, 0x5803, 0x378, 0x2e8, 0x2e8, 0x378, 0x2e8, 0x3, 0x0, {[{{@ipv6={@remote, @local, [0xffffffff], [0x0, 0x0, 0x0, 0xffffff00], 'vlan0\x00', 'geneve1\x00', {}, {}, 0x33}, 0x0, 0x190, 0x1f8, 0x0, {0x0, 0x2000000000000}, [@common=@unspec=@string={{0xc0}, {0x0, 0x0, 'bm\x00', "cfcaf80c672f61cd17ae5119b5135c2aee68d23a465cd431e1ecef50c3234e082555f67222476147864fa03182f5df11d8c348cbd06dc8de1dcbde7d4e252c3394fed47bf78c70f607b0178fa5ea335019ac07a602061c96baebc989f1f35a214e67262c1fe4b124e0f7323a587d2a1fcfe36bbf12eca0a7b66c60c527bac2b5", 0x1, 0x2}}, @inet=@rpfilter={{0x28}}]}, @unspec=@CT1={0x68, 'CT\x00', 0x1, {0x34, 0x2, 0x8, 0x3, 'syz1\x00', 'syz1\x00', {0x80000001}}}}, {{@ipv6={@mcast2, @private0, [0x0, 0x0, 0xff], [], 'batadv_slave_1\x00', 'syz_tun\x00', {}, {}, 0x0, 0x0, 0x0, 0xc}, 0x0, 0x118, 0x180, 0x0, {}, [@common=@hbh={{0x48}, {0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3], 0xfe}}, @inet=@rpfilter={{0x28, 'rpfilter\x00', 0x2}}]}, @unspec=@CT2={0x68, 'CT\x00', 0x2, {0x6, 0x6, 0x1, 0x9, 'pptp\x00', 'syz1\x00'}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x4a8) ioctl$AUTOFS_DEV_IOCTL_VERSION(0xffffffffffffffff, 0xc0189371, &(0x7f0000000040)={{0x1, 0x1, 0x18, r3}, './file0\x00'}) r5 = fsopen(&(0x7f0000000280)='ceph\x00', 0x0) fsconfig$FSCONFIG_SET_STRING(r5, 0x1, &(0x7f0000000000)='source', &(0x7f0000000040)='c:::\x00', 0x0) fsconfig$FSCONFIG_SET_STRING(r5, 0x1, &(0x7f00000000c0)='source', &(0x7f0000000100)='\\\x8b\x00', 0x0) sendmsg$IPSET_CMD_DEL(r4, &(0x7f0000000140)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000100)={&(0x7f00000000c0)={0x28, 0xa, 0x6, 0x301, 0x0, 0x0, {0x1, 0x0, 0x8}, [@IPSET_ATTR_ADT={0x14, 0x8, 0x0, 0x1, [{0x10, 0x7, 0x0, 0x1, @IPSET_ATTR_PACKETS={0xc, 0x19, 0x1, 0x0, 0x5}}]}]}, 0x28}, 0x1, 0x0, 0x0, 0x20000000}, 0x4000) r6 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0) r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) ioctl$KVM_X86_SETUP_MCE(r8, 0x4008ae9c, &(0x7f0000000000)={0x1c, 0x4}) syz_usb_control_io$hid(r1, &(0x7f0000000400)={0x24, &(0x7f00000002c0)={0x0, 0x6, 0xdb, {0xdb, 0x37, "5e13266a218379b739c4c5fc13f3a12577a0ad99de0994c2c20f48a4d48d596a1ea466e624db2eb83405bfaae72efc8e3e4a08ffc6d210b988512bf8c59e63c8a5f4fdfd50dd796fdc26164e2d71a8464c71b9857b63ac725dd6861dc6f091ea33025f16e38fa7398cd2bf9b7297e7953c4623cd3b41fb614ee1b8028331048723c7f279119226b21364bacdb2654baedb44fc6a6cdec9c56e7ddf3df42b6e4cadcc7b38af134ad3c74f32a6507706707779aca59eb8d05d2f3aa3b32f6c772b2bf89cdcc75afdc76d3e9755adf71b593c3cee705723a99cc9"}}, &(0x7f00000001c0)={0x0, 0x3, 0x6c, @string={0x6c, 0x3, "f646651223bb59a502ea880e9cad67c2140e2e9c789c843979ddfea5f92a70b5140f1654906bb80f06838cd48c798f3ece3cd761f04f851ae73cf65db59efcf51f4398d646aafe706ac217ebcdba04f556f38138fc7544298c4f6bc2de000cf0ee562a1f281fcfcbf44a"}}, &(0x7f0000000240)={0x0, 0x22, 0xf, {[@global=@item_012={0x1, 0x1, 0x6, "b0"}, @main=@item_012={0x0, 0x0, 0xc}, @local=@item_012={0x1, 0x2, 0x2, "b9"}, @main=@item_4={0x3, 0x0, 0xb, "1118352f"}, @main=@item_4={0x3, 0x0, 0x9, "604b3de6"}]}}, &(0x7f00000003c0)={0x0, 0x21, 0x9, {0x9, 0x21, 0x5a, 0x7, 0x1, {0x22, 0x6f4}}}}, &(0x7f0000000640)={0x2c, &(0x7f0000000440)={0x20, 0x15, 0x8a, "13e865d4541a10d13b5948dc97ca835090ac26731b9ce21dee1480b536518c3e7fa59efb8d4f62847515e50a07ff59fe4280703d9797e081882b22dcaf737f4cb3957b46de7160f0da0ed189321e41e4e3fb8d2a56e9a4ad55adad31cd3b6b97a2b926c192d0a7a13bd7d20e76e3c90216611e54930e1aabc69b90ba4f42ddad1b59bacc1f9ec4e7b06e"}, &(0x7f0000000500)={0x0, 0xa, 0x1}, &(0x7f0000000540)={0x0, 0x8, 0x1, 0x11}, &(0x7f0000000580)={0x20, 0x1, 0x74, "ea9469fb34ad4877b1fc7a5cd5a6e5c7cfb1ce1787b6cf8b6a720abb009652c6925f923447923a5aeff1c96a8ab454330113d8ee0b547c8ca4695e02a74dc15477ff590b27cb6c421bc0af8dd9ef8a88eef2927e55462d4e8dc3b656c911b7a4975a7cdc09aceb85cbfabc841a81536196880804"}, &(0x7f0000000600)={0x20, 0x3, 0x1, 0x5}}) ioctl$KVM_SET_MSRS(r8, 0x4008ae89, &(0x7f0000000080)=ANY=[@ANYBLOB="01000000000000008402"]) syz_usb_control_io(r2, 0x0, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-close-openat$kvm-syz_usb_connect$uac1-ioctl$KVM_CREATE_VM-ioctl$KVM_CREATE_IRQCHIP-ioctl$KVM_CREATE_VCPU-ioctl$KVM_SET_REGS-ioctl$KVM_SET_VCPU_EVENTS-ioctl$KVM_RUN-socket$inet6_mptcp-bind$inet6-listen-fsetxattr$trusted_overlay_upper-syz_emit_ethernet-syz_usb_connect-syz_usb_control_io$cdc_ncm-syz_usb_control_io$printer-syz_usb_control_io$uac1-syz_usb_control_io$printer-socket$inet_udp-socket$nl_xfrm-sendmsg$nl_xfrm-setsockopt$IPT_SO_SET_REPLACE detailed listing: executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) syz_usb_connect$uac1(0x2, 0xa6, &(0x7f0000000340)=ANY=[@ANYBLOB="12010000000000106b1d010100000000030109029400030100400009040000000101"], 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r2, 0xae60) r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f00000002c0)={[0x8aba, 0x4, 0x4, 0xd646, 0x7, 0xf, 0x120000, 0x1ff, 0x0, 0x8, 0x8000000000000001, 0x2, 0x10003, 0x101, 0x5, 0x1], 0x8000000, 0x141200}) ioctl$KVM_SET_VCPU_EVENTS(r3, 0x4400ae8f, &(0x7f0000000140)=@x86={0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}) ioctl$KVM_RUN(r3, 0xae80, 0x0) r4 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) listen(r4, 0x0) fsetxattr$trusted_overlay_upper(r0, &(0x7f0000000080), &(0x7f00000000c0)={0x0, 0xfb, 0x6e, 0x5, 0xb9, "3f5d8e802470a9525b50411ed3765a3f", "08c39c6d749ce7ee1019a57f494a5d8a5eb7d4e324d4ebca44e1930bc81e020d1f9fd4bc5ae25c919379ce0fa6a01c82ba7e59c626dd01c1754698485a3da45b0a88d1cdfc08c6139a7569377dfd0625f80949a36f687cb8e7"}, 0x6e, 0x3) syz_emit_ethernet(0x5a, &(0x7f0000000140)=ANY=[@ANYBLOB="aaaaaaaaaaaa00000000000086dd6002000000240600fe8000000009758c73a700000000000000000000bbfe8000000000000000000000000000aaa0054e22", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="9002000090780000080a0000000000000000030308000000"], 0x0) r5 = syz_usb_connect(0x0, 0x24, &(0x7f0000001440)={{0x12, 0x1, 0x0, 0xab, 0xd1, 0xa0, 0x40, 0x77b, 0x2226, 0xca8b, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0x3a, 0x92, 0xf8}}]}}]}}, 0x0) syz_usb_control_io$cdc_ncm(r5, 0x0, 0x0) syz_usb_control_io$printer(r5, 0x0, 0x0) syz_usb_control_io$uac1(r5, 0x0, 0x0) syz_usb_control_io$printer(r5, 0x0, 0x0) r6 = socket$inet_udp(0x2, 0x2, 0x0) r7 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r7, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="3c0100001000130426bd7000000000000000000000000000000000000000000120010000000000000000000000000000000000004e2400000000002000000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="fc0200000000000000000000000000000000000032000000ac1414000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000200000000000000000003000800000000000000000000000000000000000000000000000000000000000000cc00000000000000000000000000000000000000000000000000000000000000000000000200010120000000000000004c001200726663343130362867636d28616573292900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000080000000"], 0x13c}}, 0x0) setsockopt$IPT_SO_SET_REPLACE(r6, 0x0, 0x40, &(0x7f0000000600)=@filter={'filter\x00', 0xc, 0x4, 0x268, 0xffffffff, 0x130, 0x98, 0x98, 0x98, 0xffffffff, 0x1d0, 0x98, 0x1d0, 0x98, 0x4, 0x0, {[{{@uncond, 0x0, 0x70, 0x98}, @REJECT={0x28}}, {{@uncond, 0x0, 0x70, 0x98}, @common=@unspec=@STANDARD={0x28, '\x00', 0x0, 0xffffffffffffffff}}, {{@ip={@local, @broadcast, 0x0, 0x0, 'ip6tnl0\x00', 'hsr0\x00'}, 0x0, 0x70, 0xa0}, @common=@unspec=@CONNMARK={0x30}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x2c8) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-setsockopt$EBT_SO_SET_ENTRIES-bpf$MAP_CREATE_CONST_STR-setsockopt$sock_int-bpf$OBJ_PIN_MAP-syz_open_dev$vcsu-openat detailed listing: executing program 0: r0 = socket(0xa, 0x2, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000080)=@broute={'broute\x00', 0x20, 0x2, 0x230, [0x0, 0x0, 0x0, 0x0, 0x0, 0x200004c0], 0x0, 0x0, &(0x7f00000004c0)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000000000050000000000000000000000000000feffffff01000000030000000000000081006e7230000000000000002000000000007465616d300000000000000000000020766c616e30000000000000004000000076657468305f746f5f746561ed000000aaaaaaf991bb000000000000aaaaaaaaaabb0000000000000000d0000000d000000000010000766c616e0069df4e5100000000000000000000079ba3160000000000000000000800000000eb560000000000892f0700636f6e6e6c6162656c000000000000000000e5ffffff00000000000020000000080000000000000000000000000000004e465154455545000000000000000000000000000000000080000000000000000800000000000000000800000000000400000000000000000000000080000000000000000000000001fcffffffffffff0000000001000000ffffffff000000000000000000000000000400000000efff000000000000000000000000000000000000000001000000feffffff010000000b00006b90088754ea234d6f6e6430000000000000000000000074489c4c2c0000000000000000000000626f6e64300000ff000000000000000076657468315f744d8abdc76964676500aaaaaaaaaabb0000000000e7feffffffffff00000008000000007000000070000000a0000000434f4e4e5345434d3c964de64039918d16289341524b0000000020827903000000000000000000000000000804000000"]}, 0x2a8) r1 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000100)={0x2, 0x4, 0x8, 0x1, 0x80, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x2, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50) setsockopt$sock_int(r0, 0x1, 0x9, &(0x7f0000000180), 0x4) bpf$OBJ_PIN_MAP(0x6, &(0x7f0000000040)=@o_path={&(0x7f0000000000)='./file0\x00', r1, 0x4000, r0}, 0x18) r2 = syz_open_dev$vcsu(&(0x7f00000001c0), 0x7, 0x282800) openat(r2, &(0x7f0000000200)='./file0\x00', 0x0, 0xa0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-setsockopt$EBT_SO_SET_ENTRIES-bpf$MAP_CREATE_CONST_STR-setsockopt$sock_int-bpf$OBJ_PIN_MAP-syz_open_dev$vcsu-openat detailed listing: executing program 0: r0 = socket(0xa, 0x2, 0x0) setsockopt$EBT_SO_SET_ENTRIES(r0, 0x0, 0x80, &(0x7f0000000080)=@broute={'broute\x00', 0x20, 0x2, 0x230, [0x0, 0x0, 0x0, 0x0, 0x0, 0x200004c0], 0x0, 0x0, &(0x7f00000004c0)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000000000050000000000000000000000000000feffffff01000000030000000000000081006e7230000000000000002000000000007465616d300000000000000000000020766c616e30000000000000004000000076657468305f746f5f746561ed000000aaaaaaf991bb000000000000aaaaaaaaaabb0000000000000000d0000000d000000000010000766c616e0069df4e5100000000000000000000079ba3160000000000000000000800000000eb560000000000892f0700636f6e6e6c6162656c000000000000000000e5ffffff00000000000020000000080000000000000000000000000000004e465154455545000000000000000000000000000000000080000000000000000800000000000000000800000000000400000000000000000000000080000000000000000000000001fcffffffffffff0000000001000000ffffffff000000000000000000000000000400000000efff000000000000000000000000000000000000000001000000feffffff010000000b00006b90088754ea234d6f6e6430000000000000000000000074489c4c2c0000000000000000000000626f6e64300000ff000000000000000076657468315f744d8abdc76964676500aaaaaaaaaabb0000000000e7feffffffffff00000008000000007000000070000000a0000000434f4e4e5345434d3c964de64039918d16289341524b0000000020827903000000000000000000000000000804000000"]}, 0x2a8) r1 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000100)={0x2, 0x4, 0x8, 0x1, 0x80, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x2, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50) setsockopt$sock_int(r0, 0x1, 0x9, &(0x7f0000000180), 0x4) bpf$OBJ_PIN_MAP(0x6, &(0x7f0000000040)=@o_path={&(0x7f0000000000)='./file0\x00', r1, 0x4000, r0}, 0x18) r2 = syz_open_dev$vcsu(&(0x7f00000001c0), 0x7, 0x282800) openat(r2, &(0x7f0000000200)='./file0\x00', 0x0, 0xa0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): semget-semctl$SEM_STAT_ANY detailed listing: executing program 0: r0 = semget(0x0, 0x2, 0x200) semctl$SEM_STAT_ANY(r0, 0xa047ae53a995f79c, 0x14, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): semget-semctl$SEM_STAT_ANY detailed listing: executing program 0: r0 = semget(0x0, 0x2, 0x200) semctl$SEM_STAT_ANY(r0, 0xa047ae53a995f79c, 0x14, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_emit_ethernet-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io$uac1-syz_usb_control_io$cdc_ncm-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io$cdc_ncm-socket$inet6_sctp-sendmmsg$inet6-socket$netlink-writev-syz_usb_control_io$hid detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x1cb, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000122f0d4071040403dfe4000000010902b901010000003f0904"], 0x0) syz_emit_ethernet(0x66, &(0x7f0000000780)={@broadcast, @random="6487a2bed3d6", @void, {@ipv4={0x800, @gre={{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0x0, 0x6c, 0x0, @private}}}}}, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) r1 = socket$inet6_sctp(0xa, 0x801, 0x84) sendmmsg$inet6(r1, &(0x7f0000000c80)=[{{&(0x7f00000000c0)={0xa, 0x0, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'}, 0x1c, &(0x7f0000001900)=[{&(0x7f0000000240)="ad", 0x1}], 0x1}}, {{&(0x7f0000000100)={0xa, 0x4e24, 0x1, @ipv4={'\x00', '\xff\xff', @private=0xa010100}, 0x1}, 0x1c, &(0x7f0000000300)=[{&(0x7f0000000800)=',', 0x1}], 0x1, &(0x7f0000000a00)=ANY=[@ANYBLOB="180000000000000029000000360000003b000000000000001400000000000000290000000b000000000000020000000028"], 0x58}}], 0x2, 0x0) r2 = socket$netlink(0x10, 0x3, 0x4) writev(r2, &(0x7f0000000080)=[{&(0x7f0000000e40)="480000001400190d09004beafd0d36020a8447000b4e230f00000000a2bc560119d7004f19dfb7f393d7359031033f817f00000000000000000101ff05c00e030002000000ffff01", 0x48}], 0x1) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000480)={0x18, &(0x7f0000000040)=ANY=[@ANYBLOB="401401000000ff"], 0x0, 0x0, 0x0, 0x0}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_emit_ethernet-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io$uac1-syz_usb_control_io$cdc_ncm-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io$cdc_ncm-socket$inet6_sctp-sendmmsg$inet6-socket$netlink-writev-syz_usb_control_io$hid detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x1cb, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000122f0d4071040403dfe4000000010902b901010000003f0904"], 0x0) syz_emit_ethernet(0x66, &(0x7f0000000780)={@broadcast, @random="6487a2bed3d6", @void, {@ipv4={0x800, @gre={{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0x0, 0x6c, 0x0, @private}}}}}, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0) r1 = socket$inet6_sctp(0xa, 0x801, 0x84) sendmmsg$inet6(r1, &(0x7f0000000c80)=[{{&(0x7f00000000c0)={0xa, 0x0, 0x0, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'}, 0x1c, &(0x7f0000001900)=[{&(0x7f0000000240)="ad", 0x1}], 0x1}}, {{&(0x7f0000000100)={0xa, 0x4e24, 0x1, @ipv4={'\x00', '\xff\xff', @private=0xa010100}, 0x1}, 0x1c, &(0x7f0000000300)=[{&(0x7f0000000800)=',', 0x1}], 0x1, &(0x7f0000000a00)=ANY=[@ANYBLOB="180000000000000029000000360000003b000000000000001400000000000000290000000b000000000000020000000028"], 0x58}}], 0x2, 0x0) r2 = socket$netlink(0x10, 0x3, 0x4) writev(r2, &(0x7f0000000080)=[{&(0x7f0000000e40)="480000001400190d09004beafd0d36020a8447000b4e230f00000000a2bc560119d7004f19dfb7f393d7359031033f817f00000000000000000101ff05c00e030002000000ffff01", 0x48}], 0x1) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000480)={0x18, &(0x7f0000000040)=ANY=[@ANYBLOB="401401000000ff"], 0x0, 0x0, 0x0, 0x0}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-dup-write$6lowpan_enable-syz_io_uring_setup-syz_io_uring_submit-bpf$BPF_BTF_LOAD-io_uring_enter-syz_genetlink_get_family_id$gtp-openat$sw_sync-syz_open_dev$vim2m-ioctl$vim2m_VIDIOC_S_CTRL-ioctl$SW_SYNC_IOC_CREATE_FENCE-ppoll-socketpair$unix-ioctl$sock_SIOCGIFINDEX-socket$inet_mptcp-setsockopt$inet_tcp_int-bind$inet-sendmmsg detailed listing: executing program 0: socket(0x10, 0x3, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r1 = dup(r0) write$6lowpan_enable(r1, &(0x7f0000000000)='0', 0xfffffd2c) r2 = syz_io_uring_setup(0x23c, &(0x7f0000000380)={0x0, 0x1ffefe, 0x10100, 0x7ffff, 0x0, 0x0, r1}, &(0x7f0000000200)=0x0, &(0x7f00000001c0)=0x0) syz_io_uring_submit(r3, r4, &(0x7f0000000040)=@IORING_OP_POLL_ADD={0x6, 0x2, 0x0, @fd_index=0x3, 0x0, 0x0, 0x0, {}, 0x1}) bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000500)={&(0x7f0000000200)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x10, 0x10, 0x2, [@int={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2e365a339683931c}]}}, 0x0, 0x2a, 0x0, 0xa, 0x0, 0x0, @void, @value}, 0x20) io_uring_enter(r2, 0x2ded, 0x25d2, 0x0, 0x0, 0x0) syz_genetlink_get_family_id$gtp(0x0, 0xffffffffffffffff) r5 = openat$sw_sync(0xffffffffffffff9c, 0x0, 0x0, 0x0) r6 = syz_open_dev$vim2m(&(0x7f0000000000), 0x47b, 0x2) ioctl$vim2m_VIDIOC_S_CTRL(r6, 0x402c560b, &(0x7f0000000040)={0xf0f071, 0x1}) ioctl$SW_SYNC_IOC_CREATE_FENCE(r5, 0xc0285700, &(0x7f0000000180)={0x8000, "340b7832ceefd131b8e6498c25f58fad9987ffe93bbabd18cf501922de974a27", 0xffffffffffffffff}) ppoll(&(0x7f0000000700)=[{r7}], 0x1, 0x0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'lo\x00'}) r9 = socket$inet_mptcp(0x2, 0x1, 0x106) setsockopt$inet_tcp_int(r9, 0x6, 0x19, &(0x7f0000000000)=0x1, 0x4) bind$inet(r9, &(0x7f0000000200)={0x2, 0x4e24, @multicast2}, 0x10) sendmmsg(r9, &(0x7f0000003a80)=[{{&(0x7f00000000c0)=@in={0x2, 0x4e24, @loopback}, 0x80, &(0x7f0000000400)=[{&(0x7f0000000240)='7', 0x20}], 0x1}}], 0x1, 0x2c000011) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-dup-write$6lowpan_enable-syz_io_uring_setup-syz_io_uring_submit-bpf$BPF_BTF_LOAD-io_uring_enter-syz_genetlink_get_family_id$gtp-openat$sw_sync-syz_open_dev$vim2m-ioctl$vim2m_VIDIOC_S_CTRL-ioctl$SW_SYNC_IOC_CREATE_FENCE-ppoll-socketpair$unix-ioctl$sock_SIOCGIFINDEX-socket$inet_mptcp-setsockopt$inet_tcp_int-bind$inet-sendmmsg detailed listing: executing program 0: socket(0x10, 0x3, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r0 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r1 = dup(r0) write$6lowpan_enable(r1, &(0x7f0000000000)='0', 0xfffffd2c) r2 = syz_io_uring_setup(0x23c, &(0x7f0000000380)={0x0, 0x1ffefe, 0x10100, 0x7ffff, 0x0, 0x0, r1}, &(0x7f0000000200)=0x0, &(0x7f00000001c0)=0x0) syz_io_uring_submit(r3, r4, &(0x7f0000000040)=@IORING_OP_POLL_ADD={0x6, 0x2, 0x0, @fd_index=0x3, 0x0, 0x0, 0x0, {}, 0x1}) bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000500)={&(0x7f0000000200)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x10, 0x10, 0x2, [@int={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2e365a339683931c}]}}, 0x0, 0x2a, 0x0, 0xa, 0x0, 0x0, @void, @value}, 0x20) io_uring_enter(r2, 0x2ded, 0x25d2, 0x0, 0x0, 0x0) syz_genetlink_get_family_id$gtp(0x0, 0xffffffffffffffff) r5 = openat$sw_sync(0xffffffffffffff9c, 0x0, 0x0, 0x0) r6 = syz_open_dev$vim2m(&(0x7f0000000000), 0x47b, 0x2) ioctl$vim2m_VIDIOC_S_CTRL(r6, 0x402c560b, &(0x7f0000000040)={0xf0f071, 0x1}) ioctl$SW_SYNC_IOC_CREATE_FENCE(r5, 0xc0285700, &(0x7f0000000180)={0x8000, "340b7832ceefd131b8e6498c25f58fad9987ffe93bbabd18cf501922de974a27", 0xffffffffffffffff}) ppoll(&(0x7f0000000700)=[{r7}], 0x1, 0x0, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'lo\x00'}) r9 = socket$inet_mptcp(0x2, 0x1, 0x106) setsockopt$inet_tcp_int(r9, 0x6, 0x19, &(0x7f0000000000)=0x1, 0x4) bind$inet(r9, &(0x7f0000000200)={0x2, 0x4e24, @multicast2}, 0x10) sendmmsg(r9, &(0x7f0000003a80)=[{{&(0x7f00000000c0)=@in={0x2, 0x4e24, @loopback}, 0x80, &(0x7f0000000400)=[{&(0x7f0000000240)='7', 0x20}], 0x1}}], 0x1, 0x2c000011) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$cec-ioctl$CEC_DQEVENT-keyctl$KEYCTL_PKEY_VERIFY-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-dup-write$6lowpan_enable-syz_io_uring_setup-syz_io_uring_submit-io_uring_enter-sendmsg$NFT_BATCH-write$FUSE_INIT-openat$sequencer-write$sequencer-ioctl$SNDCTL_SEQ_SYNC detailed listing: executing program 0: r0 = syz_open_dev$cec(&(0x7f0000000000), 0xffffffffffffffff, 0x0) ioctl$CEC_DQEVENT(r0, 0xc0506107, 0x0) keyctl$KEYCTL_PKEY_VERIFY(0x1c, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="656e633d72617720686173683d626c616b6532732d3136302d61726d00000000000000000000000000000000000000000000000000000000000000001200"/77], 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = dup(r1) write$6lowpan_enable(r2, &(0x7f0000000000)='0', 0xfffffd2c) r3 = syz_io_uring_setup(0x239, &(0x7f0000000380)={0x0, 0x1ffffe, 0x10100, 0x0, 0xfffffffc, 0x0, r2}, &(0x7f0000000180)=0x0, &(0x7f00000001c0)=0x0) syz_io_uring_submit(r4, r5, &(0x7f0000000040)=@IORING_OP_POLL_ADD={0x6, 0x2, 0x0, @fd_index=0x4, 0x0, 0x0, 0x0, {}, 0x1}) io_uring_enter(r3, 0x2ded, 0x4000, 0x0, 0x0, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0}, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) r6 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000), 0x16b601, 0x0) write$sequencer(r6, &(0x7f0000000100)=ANY=[@ANYBLOB="0293"], 0x9) ioctl$SNDCTL_SEQ_SYNC(r6, 0x5101) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$cec-ioctl$CEC_DQEVENT-keyctl$KEYCTL_PKEY_VERIFY-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-dup-write$6lowpan_enable-syz_io_uring_setup-syz_io_uring_submit-io_uring_enter-sendmsg$NFT_BATCH-write$FUSE_INIT-openat$sequencer-write$sequencer-ioctl$SNDCTL_SEQ_SYNC detailed listing: executing program 0: r0 = syz_open_dev$cec(&(0x7f0000000000), 0xffffffffffffffff, 0x0) ioctl$CEC_DQEVENT(r0, 0xc0506107, 0x0) keyctl$KEYCTL_PKEY_VERIFY(0x1c, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="656e633d72617720686173683d626c616b6532732d3136302d61726d00000000000000000000000000000000000000000000000000000000000000001200"/77], 0x0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = dup(r1) write$6lowpan_enable(r2, &(0x7f0000000000)='0', 0xfffffd2c) r3 = syz_io_uring_setup(0x239, &(0x7f0000000380)={0x0, 0x1ffffe, 0x10100, 0x0, 0xfffffffc, 0x0, r2}, &(0x7f0000000180)=0x0, &(0x7f00000001c0)=0x0) syz_io_uring_submit(r4, r5, &(0x7f0000000040)=@IORING_OP_POLL_ADD={0x6, 0x2, 0x0, @fd_index=0x4, 0x0, 0x0, 0x0, {}, 0x1}) io_uring_enter(r3, 0x2ded, 0x4000, 0x0, 0x0, 0x0) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0}, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) r6 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000), 0x16b601, 0x0) write$sequencer(r6, &(0x7f0000000100)=ANY=[@ANYBLOB="0293"], 0x9) ioctl$SNDCTL_SEQ_SYNC(r6, 0x5101) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$inet6_tcp_int-connect$inet6-setsockopt$inet6_tcp_TCP_ULP-setsockopt$inet6_tcp_TLS_TX-recvfrom$inet6-io_uring_setup-recvmsg-close_range detailed listing: executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000040)=0x100000001, 0x76dc) connect$inet6(r0, &(0x7f0000000080), 0x1c) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f00000000c0), 0x4) setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x2, &(0x7f0000000500)=@gcm_256={{0x303}, "2a4001011f891d5b", "11682d84dd05bb63ae661f051e1e79ceafeaa60a5bd1dc83db142ade2bd907fd", "fd6ed24e", "d4e9e1c90d89691c"}, 0x38) recvfrom$inet6(r0, &(0x7f0000000300)=""/25, 0x19, 0x0, 0x0, 0x0) io_uring_setup(0x371f, &(0x7f0000000680)={0x0, 0x0, 0x100, 0x0, 0xfffffffe}) recvmsg(r0, &(0x7f00000004c0)={0x0, 0x0, 0x0}, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$inet6_tcp_int-connect$inet6-setsockopt$inet6_tcp_TCP_ULP-setsockopt$inet6_tcp_TLS_TX-recvfrom$inet6-io_uring_setup-recvmsg-close_range detailed listing: executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000040)=0x100000001, 0x76dc) connect$inet6(r0, &(0x7f0000000080), 0x1c) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f00000000c0), 0x4) setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x2, &(0x7f0000000500)=@gcm_256={{0x303}, "2a4001011f891d5b", "11682d84dd05bb63ae661f051e1e79ceafeaa60a5bd1dc83db142ade2bd907fd", "fd6ed24e", "d4e9e1c90d89691c"}, 0x38) recvfrom$inet6(r0, &(0x7f0000000300)=""/25, 0x19, 0x0, 0x0, 0x0) io_uring_setup(0x371f, &(0x7f0000000680)={0x0, 0x0, 0x100, 0x0, 0xfffffffe}) recvmsg(r0, &(0x7f00000004c0)={0x0, 0x0, 0x0}, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-syz_open_dev$loop-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD detailed listing: executing program 0: r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x2a82) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000400)='cpuset.effective_cpus\x00', 0x275a, 0x0) ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f00000005c0)={r1, 0x800, {0x2a00, 0x80010000, 0x0, 0x5, 0x0, 0x0, 0x0, 0x1, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd6447a4b4e00d9683dda1af1ea09de2b7fb0a0100000000000000000300", "2809e8dbe108598904004ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dac00000000000000000000002000", "90be8b1c5512406c7f00", [0x4, 0x40000000000000]}}) r2 = syz_open_dev$loop(&(0x7f0000000000), 0x1, 0x8000) ioctl$LOOP_CONFIGURE(r2, 0x4c0a, &(0x7f0000000480)={r0, 0x0, {0x2a00, 0x80010000, 0x0, 0x0, 0x4, 0x0, 0x0, 0x3, 0x18, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea80000000000000000000000deff0000000000000000000000000000000800", "2809e8dbe108038948224ad54afac11d875397bdb22d0000b420a1a93c7540f4767f9e01177d3dd40600000061ac00", "90be8b1c55f96400", [0x800]}}) ioctl$LOOP_CHANGE_FD(r2, 0x4c06, r0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$loop-openat$cgroup_ro-ioctl$LOOP_CONFIGURE-syz_open_dev$loop-ioctl$LOOP_CONFIGURE-ioctl$LOOP_CHANGE_FD detailed listing: executing program 0: r0 = syz_open_dev$loop(&(0x7f0000000440), 0x81, 0x2a82) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000400)='cpuset.effective_cpus\x00', 0x275a, 0x0) ioctl$LOOP_CONFIGURE(r0, 0x4c0a, &(0x7f00000005c0)={r1, 0x800, {0x2a00, 0x80010000, 0x0, 0x5, 0x0, 0x0, 0x0, 0x1, 0x1c, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd6447a4b4e00d9683dda1af1ea09de2b7fb0a0100000000000000000300", "2809e8dbe108598904004ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dac00000000000000000000002000", "90be8b1c5512406c7f00", [0x4, 0x40000000000000]}}) r2 = syz_open_dev$loop(&(0x7f0000000000), 0x1, 0x8000) ioctl$LOOP_CONFIGURE(r2, 0x4c0a, &(0x7f0000000480)={r0, 0x0, {0x2a00, 0x80010000, 0x0, 0x0, 0x4, 0x0, 0x0, 0x3, 0x18, "fee8a2ab78fc179fd1f8a0e91ddaaca7bd64c6a4b4e00d9683dda1af1ea80000000000000000000000deff0000000000000000000000000000000800", "2809e8dbe108038948224ad54afac11d875397bdb22d0000b420a1a93c7540f4767f9e01177d3dd40600000061ac00", "90be8b1c55f96400", [0x800]}}) ioctl$LOOP_CHANGE_FD(r2, 0x4c06, r0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-socket$unix-bind$unix-socket$unix-connect$unix-writev-setsockopt$SO_TIMESTAMP-setsockopt$SO_TIMESTAMPING-recvmmsg-syz_usb_control_io$hid-syz_usb_control_io$hid detailed listing: executing program 0: r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x20, 0x403, 0x6030, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x2}}}}]}}]}}, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000000)={0x24, 0x0, 0x0, &(0x7f00000001c0)={0x0, 0x22, 0x2, {[@main=@item_012={0x1, 0x0, 0x0, ')'}]}}, 0x0}, 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000880)={0x84, &(0x7f00000003c0)={0x0, 0x0, 0xd, "625e81abf2f5246c2f97ff767a"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = socket$unix(0x1, 0x2, 0x0) bind$unix(r1, &(0x7f0000000100)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = socket$unix(0x1, 0x2, 0x0) connect$unix(r2, &(0x7f0000000180)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) writev(r2, &(0x7f0000000040)=[{&(0x7f0000000000)="d2", 0x1}], 0x1) setsockopt$SO_TIMESTAMP(r1, 0x1, 0x23, &(0x7f0000000080)=0x6, 0x26) setsockopt$SO_TIMESTAMPING(r1, 0x1, 0x41, &(0x7f0000000200)=0x41d1, 0x4) recvmmsg(r1, &(0x7f0000000840)=[{{0x0, 0x0, 0x0}, 0xfffffefb}], 0x1, 0x1000000120de, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000540)={0x2c, 0x0, 0x0, 0x0, &(0x7f00000002c0)=ANY=[@ANYBLOB="200119"], 0x0}) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000800)={0x2c, 0x0, 0x0, 0x0, &(0x7f0000000740)={0x20, 0x1, 0x5, "883ef3f326"}, 0x0}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-socket$unix-bind$unix-socket$unix-connect$unix-writev-setsockopt$SO_TIMESTAMP-setsockopt$SO_TIMESTAMPING-recvmmsg-syz_usb_control_io$hid-syz_usb_control_io$hid detailed listing: executing program 0: r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x20, 0x403, 0x6030, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x2}}}}]}}]}}, 0x0) syz_usb_control_io(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, &(0x7f0000000000)={0x24, 0x0, 0x0, &(0x7f00000001c0)={0x0, 0x22, 0x2, {[@main=@item_012={0x1, 0x0, 0x0, ')'}]}}, 0x0}, 0x0) syz_usb_control_io(r0, 0x0, &(0x7f0000000880)={0x84, &(0x7f00000003c0)={0x0, 0x0, 0xd, "625e81abf2f5246c2f97ff767a"}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r1 = socket$unix(0x1, 0x2, 0x0) bind$unix(r1, &(0x7f0000000100)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = socket$unix(0x1, 0x2, 0x0) connect$unix(r2, &(0x7f0000000180)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) writev(r2, &(0x7f0000000040)=[{&(0x7f0000000000)="d2", 0x1}], 0x1) setsockopt$SO_TIMESTAMP(r1, 0x1, 0x23, &(0x7f0000000080)=0x6, 0x26) setsockopt$SO_TIMESTAMPING(r1, 0x1, 0x41, &(0x7f0000000200)=0x41d1, 0x4) recvmmsg(r1, &(0x7f0000000840)=[{{0x0, 0x0, 0x0}, 0xfffffefb}], 0x1, 0x1000000120de, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000540)={0x2c, 0x0, 0x0, 0x0, &(0x7f00000002c0)=ANY=[@ANYBLOB="200119"], 0x0}) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000800)={0x2c, 0x0, 0x0, 0x0, &(0x7f0000000740)={0x20, 0x1, 0x5, "883ef3f326"}, 0x0}) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_ethernet-openat$kvm-ioctl$KVM_CREATE_VM-openat$cgroup_ro-io_uring_setup-syz_open_dev$admmidi-ioctl$SNDRV_RAWMIDI_IOCTL_PARAMS-close_range-write$binfmt_script-syz_open_procfs-socket$nl_route-sendmsg$nl_route-unlink-mmap-preadv-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD-ioctl$KVM_RUN detailed listing: executing program 0: syz_emit_ethernet(0x2a, &(0x7f0000000000)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaa6008d3b00ecd0056db3023a3db"], 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000100)='blkio.bfq.io_queued_recursive\x00', 0x275a, 0x0) r3 = io_uring_setup(0x669, &(0x7f0000007940)) r4 = syz_open_dev$admmidi(&(0x7f0000000000), 0x2, 0x1a9882) ioctl$SNDRV_RAWMIDI_IOCTL_PARAMS(r4, 0xc0305710, &(0x7f0000000040)={0x0, 0xa132, 0x41, 0x0, 0x3b2}) close_range(r3, 0xffffffffffffffff, 0x0) write$binfmt_script(r2, &(0x7f0000000000), 0x208e24b) r5 = syz_open_procfs(0x0, &(0x7f0000000100)='syscall\x00') r6 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="400000001000210400"/20, @ANYRES32=r5, @ANYBLOB="000000000000010020001280080001006772650014000280060010"], 0x40}}, 0x0) unlink(&(0x7f00000004c0)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00') mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2, 0x28011, r2, 0x0) preadv(r2, &(0x7f00000015c0)=[{&(0x7f0000000080)=""/124, 0xffffff23}], 0x1, 0x0, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r7 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r7, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x64, 0x0, 0x0) sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, 0x0}, 0x0) ioctl$KVM_RUN(r7, 0xae80, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable-pselect6-openat$audio-openat$procfs-openat$tcp_mem-sendfile-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syz_usb_control_io detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r1 = getpid() syz_pidfd_open(r1, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r1, 0x1, 0x0) r2 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r3 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r3) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r4 = dup(r2) write$6lowpan_enable(r4, &(0x7f0000000000)='0', 0xfffffd2c) pselect6(0x40, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, &(0x7f0000000680)={0x7ff, 0x0, 0x0, 0x3, 0x0, 0x2}, 0x0, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x109842, 0x0) r5 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/diskstats\x00', 0x0, 0x0) r6 = openat$tcp_mem(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/tcp_wmem\x00', 0x1, 0x0) sendfile(r6, r5, 0x0, 0x3fffff) prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x0, 0x0, &(0x7f0000006680)) syz_usb_control_io(r0, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open single: successfully extracted reproducer found reproducer with 19 syscalls minimizing guilty program testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable-pselect6-openat$audio-openat$procfs-openat$tcp_mem-sendfile-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r3 = dup(r1) write$6lowpan_enable(r3, &(0x7f0000000000)='0', 0xfffffd2c) pselect6(0x40, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, &(0x7f0000000680)={0x7ff, 0x0, 0x0, 0x3, 0x0, 0x2}, 0x0, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x109842, 0x0) r4 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/diskstats\x00', 0x0, 0x0) r5 = openat$tcp_mem(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/tcp_wmem\x00', 0x1, 0x0) sendfile(r5, r4, 0x0, 0x3fffff) prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x0, 0x0, &(0x7f0000006680)) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable-pselect6-openat$audio-openat$procfs-openat$tcp_mem-sendfile detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r3 = dup(r1) write$6lowpan_enable(r3, &(0x7f0000000000)='0', 0xfffffd2c) pselect6(0x40, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, &(0x7f0000000680)={0x7ff, 0x0, 0x0, 0x3, 0x0, 0x2}, 0x0, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x109842, 0x0) r4 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/diskstats\x00', 0x0, 0x0) r5 = openat$tcp_mem(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/tcp_wmem\x00', 0x1, 0x0) sendfile(r5, r4, 0x0, 0x3fffff) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable-pselect6-openat$audio-openat$procfs-openat$tcp_mem detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r3 = dup(r1) write$6lowpan_enable(r3, &(0x7f0000000000)='0', 0xfffffd2c) pselect6(0x40, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, &(0x7f0000000680)={0x7ff, 0x0, 0x0, 0x3, 0x0, 0x2}, 0x0, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x109842, 0x0) openat$procfs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/diskstats\x00', 0x0, 0x0) openat$tcp_mem(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/tcp_wmem\x00', 0x1, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable-pselect6-openat$audio-openat$procfs detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r3 = dup(r1) write$6lowpan_enable(r3, &(0x7f0000000000)='0', 0xfffffd2c) pselect6(0x40, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, &(0x7f0000000680)={0x7ff, 0x0, 0x0, 0x3, 0x0, 0x2}, 0x0, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x109842, 0x0) openat$procfs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/diskstats\x00', 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable-pselect6-openat$audio detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r3 = dup(r1) write$6lowpan_enable(r3, &(0x7f0000000000)='0', 0xfffffd2c) pselect6(0x40, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, &(0x7f0000000680)={0x7ff, 0x0, 0x0, 0x3, 0x0, 0x2}, 0x0, 0x0) openat$audio(0xffffffffffffff9c, &(0x7f0000000180), 0x109842, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable-pselect6 detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r3 = dup(r1) write$6lowpan_enable(r3, &(0x7f0000000000)='0', 0xfffffd2c) pselect6(0x40, &(0x7f0000000600)={0x0, 0x0, 0x0, 0x0, 0x0, 0x400}, 0x0, &(0x7f0000000680)={0x7ff, 0x0, 0x0, 0x3, 0x0, 0x2}, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup-write$6lowpan_enable detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) r3 = dup(r1) write$6lowpan_enable(r3, &(0x7f0000000000)='0', 0xfffffd2c) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise-dup detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) r1 = syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r2) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) dup(r1) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup-madvise detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r1 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r1) madvise(&(0x7f0000ff3000/0xd000)=nil, 0xd000, 0x13) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0-dup detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) r1 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) dup(r1) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi-openat$ptp0 detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) openat$ptp0(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE-syz_open_dev$sndmidi detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x141101) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open-prctl$PR_SCHED_CORE detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, r0, 0x1, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid-syz_pidfd_open detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) r0 = getpid() syz_pidfd_open(r0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc-getpid detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) getpid() program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media-socket$inet_smc detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) socket$inet_smc(0x2b, 0x1, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$media detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) syz_open_dev$media(&(0x7f00000001c0), 0x0, 0x101580) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f00000000c0)={{0x12, 0x1, 0x200, 0x19, 0x82, 0x30, 0x20, 0x413, 0x6023, 0xece5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x60, 0x2, [{{0x9, 0x4, 0x84, 0x0, 0x1, 0xee, 0x48, 0xb1, 0x0, [], [{{0x9, 0x5, 0x82, 0x2, 0x20, 0x0, 0x0, 0xb}}]}}]}}]}}, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x0, 0x0, 0x0, 0x0) program did not crash extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open simplifying C reproducer testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: no output from test machine a never seen crash title: no output from test machine, ignore testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open reproducing took 3h16m51.6361025s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline] BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63 Read of size 8 at addr ffff88802a8b0738 by task v4l_id/5995 CPU: 0 UID: 0 PID: 5995 Comm: v4l_id Not tainted 6.13.0-rc2-syzkaller-00130-g150b567e0d57 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline] v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63 em28xx_v4l2_open+0x14c/0x9d0 drivers/media/usb/em28xx/em28xx-video.c:2153 v4l2_open+0x22f/0x370 drivers/media/v4l2-core/v4l2-dev.c:429 chrdev_open+0x521/0x600 fs/char_dev.c:414 do_dentry_open+0xbe1/0x1b70 fs/open.c:945 vfs_open+0x3e/0x330 fs/open.c:1075 do_open fs/namei.c:3828 [inline] path_openat+0x2c84/0x3590 fs/namei.c:3987 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_openat fs/open.c:1433 [inline] __se_sys_openat fs/open.c:1428 [inline] __x64_sys_openat+0x247/0x2a0 fs/open.c:1428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe210f169a4 Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007fff69f52aa0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fff69f52cb8 RCX: 00007fe210f169a4 RDX: 0000000000000000 RSI: 00007fff69f53f1d RDI: 00000000ffffff9c RBP: 00007fff69f53f1d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff69f52cd0 R14: 000055dc66b21670 R15: 00007fe21141aa80 Allocated by task 5839: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] em28xx_v4l2_init+0xfd/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2532 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 5839: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x430 mm/slub.c:4746 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline] kref_put include/linux/kref.h:65 [inline] em28xx_v4l2_init+0x16d7/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2901 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff88802a8b0000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 1848 bytes inside of freed 8192-byte region [ffff88802a8b0000, ffff88802a8b2000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a8b0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801ac42280 ffffea0000d19400 0000000000000006 raw: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 head: 00fff00000000040 ffff88801ac42280 ffffea0000d19400 0000000000000006 head: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea0000aa2c01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5662, tgid 5662 (dhcpcd-run-hook), ts 41910264437, free_ts 41909336531 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556 prep_new_page mm/page_alloc.c:1564 [inline] get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3474 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269 alloc_slab_page+0x6a/0x110 mm/slub.c:2408 allocate_slab+0x5a/0x2b0 mm/slub.c:2574 new_slab mm/slub.c:2627 [inline] ___slab_alloc+0xc27/0x14a0 mm/slub.c:3815 __slab_alloc+0x58/0xa0 mm/slub.c:3905 __slab_alloc_node mm/slub.c:3980 [inline] slab_alloc_node mm/slub.c:4141 [inline] __kmalloc_cache_noprof+0x27b/0x390 mm/slub.c:4309 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] tomoyo_print_bprm security/tomoyo/audit.c:26 [inline] tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63 tomoyo_environ security/tomoyo/domain.c:672 [inline] tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881 tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102 security_bprm_check+0x86/0x250 security/security.c:1296 search_binary_handler fs/exec.c:1736 [inline] exec_binprm fs/exec.c:1790 [inline] bprm_execve+0xa53/0x17a0 fs/exec.c:1842 page last free pid 5662 tgid 5662 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2657 discard_slab mm/slub.c:2673 [inline] __put_partials+0x160/0x1c0 mm/slub.c:3142 put_cpu_partial+0x17c/0x250 mm/slub.c:3217 __slab_free+0x290/0x380 mm/slub.c:4468 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4104 [inline] slab_alloc_node mm/slub.c:4153 [inline] __kmalloc_cache_noprof+0x1d9/0x390 mm/slub.c:4309 kmalloc_noprof include/linux/slab.h:901 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x1ca/0x2050 security/tomoyo/audit.c:255 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63 tomoyo_environ security/tomoyo/domain.c:672 [inline] tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881 tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102 security_bprm_check+0x86/0x250 security/security.c:1296 search_binary_handler fs/exec.c:1736 [inline] exec_binprm fs/exec.c:1790 [inline] bprm_execve+0xa53/0x17a0 fs/exec.c:1842 do_execveat_common+0x55f/0x6f0 fs/exec.c:1949 Memory state around the buggy address: ffff88802a8b0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802a8b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802a8b0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802a8b0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802a8b0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline] BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63 Read of size 8 at addr ffff88802a8b0738 by task v4l_id/5995 CPU: 0 UID: 0 PID: 5995 Comm: v4l_id Not tainted 6.13.0-rc2-syzkaller-00130-g150b567e0d57 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline] v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63 em28xx_v4l2_open+0x14c/0x9d0 drivers/media/usb/em28xx/em28xx-video.c:2153 v4l2_open+0x22f/0x370 drivers/media/v4l2-core/v4l2-dev.c:429 chrdev_open+0x521/0x600 fs/char_dev.c:414 do_dentry_open+0xbe1/0x1b70 fs/open.c:945 vfs_open+0x3e/0x330 fs/open.c:1075 do_open fs/namei.c:3828 [inline] path_openat+0x2c84/0x3590 fs/namei.c:3987 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_openat fs/open.c:1433 [inline] __se_sys_openat fs/open.c:1428 [inline] __x64_sys_openat+0x247/0x2a0 fs/open.c:1428 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe210f169a4 Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007fff69f52aa0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fff69f52cb8 RCX: 00007fe210f169a4 RDX: 0000000000000000 RSI: 00007fff69f53f1d RDI: 00000000ffffff9c RBP: 00007fff69f53f1d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff69f52cd0 R14: 000055dc66b21670 R15: 00007fe21141aa80 Allocated by task 5839: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] em28xx_v4l2_init+0xfd/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2532 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 5839: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x430 mm/slub.c:4746 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline] kref_put include/linux/kref.h:65 [inline] em28xx_v4l2_init+0x16d7/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2901 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff88802a8b0000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 1848 bytes inside of freed 8192-byte region [ffff88802a8b0000, ffff88802a8b2000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a8b0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801ac42280 ffffea0000d19400 0000000000000006 raw: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 head: 00fff00000000040 ffff88801ac42280 ffffea0000d19400 0000000000000006 head: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea0000aa2c01 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5662, tgid 5662 (dhcpcd-run-hook), ts 41910264437, free_ts 41909336531 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556 prep_new_page mm/page_alloc.c:1564 [inline] get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3474 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269 alloc_slab_page+0x6a/0x110 mm/slub.c:2408 allocate_slab+0x5a/0x2b0 mm/slub.c:2574 new_slab mm/slub.c:2627 [inline] ___slab_alloc+0xc27/0x14a0 mm/slub.c:3815 __slab_alloc+0x58/0xa0 mm/slub.c:3905 __slab_alloc_node mm/slub.c:3980 [inline] slab_alloc_node mm/slub.c:4141 [inline] __kmalloc_cache_noprof+0x27b/0x390 mm/slub.c:4309 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] tomoyo_print_bprm security/tomoyo/audit.c:26 [inline] tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63 tomoyo_environ security/tomoyo/domain.c:672 [inline] tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881 tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102 security_bprm_check+0x86/0x250 security/security.c:1296 search_binary_handler fs/exec.c:1736 [inline] exec_binprm fs/exec.c:1790 [inline] bprm_execve+0xa53/0x17a0 fs/exec.c:1842 page last free pid 5662 tgid 5662 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2657 discard_slab mm/slub.c:2673 [inline] __put_partials+0x160/0x1c0 mm/slub.c:3142 put_cpu_partial+0x17c/0x250 mm/slub.c:3217 __slab_free+0x290/0x380 mm/slub.c:4468 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4104 [inline] slab_alloc_node mm/slub.c:4153 [inline] __kmalloc_cache_noprof+0x1d9/0x390 mm/slub.c:4309 kmalloc_noprof include/linux/slab.h:901 [inline] tomoyo_print_header security/tomoyo/audit.c:156 [inline] tomoyo_init_log+0x1ca/0x2050 security/tomoyo/audit.c:255 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63 tomoyo_environ security/tomoyo/domain.c:672 [inline] tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881 tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102 security_bprm_check+0x86/0x250 security/security.c:1296 search_binary_handler fs/exec.c:1736 [inline] exec_binprm fs/exec.c:1790 [inline] bprm_execve+0xa53/0x17a0 fs/exec.c:1842 do_execveat_common+0x55f/0x6f0 fs/exec.c:1949 Memory state around the buggy address: ffff88802a8b0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802a8b0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802a8b0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802a8b0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802a8b0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================