Extracting prog: 16m20.374304131s
Minimizing prog: 9m1.901021859s
Simplifying prog options: 0s
Extracting C: 1m22.158024331s
Simplifying C: 10m30.287163942s
extracting reproducer from 31 programs
testing a last program of every proc
single: executing 6 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$nl_rdma-sendmsg$netlink
detailed listing:
executing program 0:
r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000040)=ANY=[@ANYBLOB="1400000013000100080000000000000003"], 0x14}], 0x1, 0x0, 0x0, 0x88}, 0x0)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$sock_ipv4_tunnel_SIOCCHGTUNNEL
detailed listing:
executing program 0:
r0 = socket(0x2, 0x5, 0x0)
ioctl$sock_ipv4_tunnel_SIOCCHGTUNNEL(r0, 0x89f3, &(0x7f00000007c0)={'sit0\x00', &(0x7f0000000780)={'tunl0\x00', 0x0, 0x1, 0x40, 0x1, 0x515a, {{0x6, 0x4, 0x1, 0x0, 0x18, 0x64, 0x0, 0x1, 0x29, 0x0, @local, @broadcast, {[@end]}}}}})
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$video-ioctl$VIDIOC_S_FMT
detailed listing:
executing program 0:
r0 = syz_open_dev$video(&(0x7f00000000c0), 0x2, 0x8100)
ioctl$VIDIOC_S_FMT(r0, 0xc0d05640, &(0x7f00000006c0)={0x1, @pix={0x0, 0x0, 0x34565348, 0x0, 0x0, 0x0, 0x9, 0xfeedcafe, 0xe7, 0xffffff80}})
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100006325a640402000207265970000010902240001000000000904000002214c6a0009050702000000da000905"], 0x0)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_udplite-setsockopt$ARPT_SO_SET_REPLACE
detailed listing:
executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000580)={'filter\x00', 0x4, 0x4, 0x3c8, 0x1d0, 0x1d0, 0xe8, 0x2e0, 0x2e0, 0x2e0, 0x7fffffe, 0x0, {[{{@uncond, 0xc0, 0xe8, 0x0, {0x3ed}}, @unspec=@AUDIT={0x28, 'AUDIT\x00', 0x0, {0x1}}}, {{@arp={@dev={0xac, 0x14, 0x14, 0x3b}, @multicast2, 0xffffff00, 0xff000000, 0xff, 0x1, {@mac=@link_local}, {@empty, {[0x0, 0xff, 0xff]}}, 0x0, 0x4, 0xffff, 0xc092, 0x0, 0x2, 'gretap0\x00', 'veth1_macvtap\x00', {0xff}, {0xff}}, 0xc0, 0xe8}, @unspec=@NFQUEUE1={0x28, 'NFQUEUE\x00', 0x1, {0x0, 0x6}}}, {{@arp={@initdev={0xac, 0x1e, 0xfe, 0x0}, @broadcast, 0xff, 0x0, 0x0, 0x0, {@empty, {[0x0, 0x0, 0x0, 0xff, 0xff, 0xff]}}, {@mac=@broadcast, {[0x0, 0xff, 0x0, 0x0, 0xff]}}, 0x0, 0x0, 0x2, 0x5, 0xe, 0x0, 'bridge0\x00', 'macvtap0\x00', {0xff}, {0xff}, 0x0, 0x1a}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac=@link_local, @empty, @multicast1, @broadcast, 0x7, 0x1}}}], {{'\x00', 0xc0, 0xe8}, {0x28, '\x00', 0x2}}}}, 0x418)
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_udplite-setsockopt$ARPT_SO_SET_REPLACE
detailed listing:
executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000580)={'filter\x00', 0x4, 0x4, 0x3c8, 0x1d0, 0x1d0, 0xe8, 0x2e0, 0x2e0, 0x2e0, 0x7fffffe, 0x0, {[{{@uncond, 0xc0, 0xe8, 0x0, {0x3ed}}, @unspec=@AUDIT={0x28, 'AUDIT\x00', 0x0, {0x1}}}, {{@arp={@dev={0xac, 0x14, 0x14, 0x3b}, @multicast2, 0xffffff00, 0xff000000, 0xff, 0x1, {@mac=@link_local}, {@empty, {[0x0, 0xff, 0xff]}}, 0x0, 0x4, 0xffff, 0xc092, 0x0, 0x2, 'gretap0\x00', 'veth1_macvtap\x00', {0xff}, {0xff}}, 0xc0, 0xe8}, @unspec=@NFQUEUE1={0x28, 'NFQUEUE\x00', 0x1, {0x0, 0x6}}}, {{@arp={@initdev={0xac, 0x1e, 0xfe, 0x0}, @broadcast, 0xff, 0x0, 0x0, 0x0, {@empty, {[0x0, 0x0, 0x0, 0xff, 0xff, 0xff]}}, {@mac=@broadcast, {[0x0, 0xff, 0x0, 0x0, 0xff]}}, 0x0, 0x0, 0x2, 0x5, 0xe, 0x0, 'bridge0\x00', 'macvtap0\x00', {0xff}, {0xff}, 0x0, 0x1a}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac=@link_local, @empty, @multicast1, @broadcast, 0x7, 0x1}}}], {{'\x00', 0xc0, 0xe8}, {0x28, '\x00', 0x2}}}}, 0x418)
program did not crash
single: failed to extract reproducer
bisect: bisecting 31 programs with base timeout 30s
testing program (duration=37s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2]
detailed listing:
executing program 3:
r0 = syz_open_procfs(0x0, &(0x7f0000000380)='ns\x00')
getdents64(r0, 0xfffffffffffffffe, 0x46)
executing program 3:
r0 = io_uring_setup(0x1612, &(0x7f0000000200)={0x0, 0xe377, 0x0, 0x2, 0xfffffffd})
io_uring_register$IORING_REGISTER_BUFFERS2(r0, 0xf, &(0x7f0000001580)={0x1, 0x0, 0x700, &(0x7f00000014c0)=[{0x0}], 0x0}, 0x20)
executing program 3:
r0 = socket$inet6(0xa, 0x80002, 0x0)
setsockopt$inet6_mreq(r0, 0x29, 0x1c, &(0x7f00000001c0)={@remote}, 0x14)
executing program 3:
syz_mount_image$iso9660(&(0x7f00000000c0), &(0x7f00000001c0)='./file0\x00', 0x204818, &(0x7f0000000480)=ANY=[], 0x1, 0x54e, &(0x7f00000008c0)="$eJzs3V1v01gawPHHfYEoK1WrZYVQVeBQdqUileAkEBSxN17nJD2Q2JHtoPYKVTRFFSmsKCtte8Nyw8xIMx+CuZwPMd8IzUeYke2kLzSJgb5O9f9FcE7sY5/npJYfuY2PBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiOXWbLtoSdN4nWU1mlsL/Nbe2/7WhxbInQPFmH5FrPif5HJyLV107e97q6/G/83LXPpuTnJxkZOdv1z966MrUxOD7ccE/FV+/sY9bW3vvFzt9bpvjiuQc+j65dHrGtozoW9aTkMrE/qqWqnY95bqoaqbpg5Xwki3lBtoJ/IDteDeUcVqtax0YcXveI2a09SDhQ/vlmy7oh4X2toJQt+797gQukum2TReI2kTr47bPIwPxCcmUpF2Wkqtb/S65awBxI2KX9KolNWoZJdKxWKpVKw8qD54aNtThxbYn5FDLY7voMWf0zGevYGjmejnf2mKEU86sixq6MuVmgTiS2vE+r5B/v/nPT223/35f5Dlr+2tnpUk/99I390Ylf9HxHJ6ry3Zlh15KavSk5505c0J9jVz5qM9/GqIFk+MhOKLkZY4yRLVX6KkKhWpiC3PZEnqEoqSuhhpipZQViSUSHRyRLkSiBZHIvElECUL4sodUVKUqlSlLEq0FGRFfOmIJw2piZPsZV02ks+9LMoaFeNuo+LIYeQHx11XSmNGS/7H0R3r+Rs4it8H+R8AAAAAAFxYVvLb9/j6f1quJ7W6aWr7rMMCAAAAAADHKPnL/1xcTMe162Jx/Q8AAAAAwEVjJffYWSKSl5tpbV2s5HYpfgkAAAAAAMAFkfz9/0ZcJHOg3BRrd7oUrv8BAAAAALggvs+cYz9sX7Z+/U2CYNp6317+h7WZzM3rbE6m201+vseoPmvN9HeSFJW0mJpy9ZyVSxvtToL5qV+sZ8Vh7QXg7Abw/68J4MqU/Ci30ja31tJybbAm7SVfN01dcP3mo6I4zsxEpJej/77a+J8kw//Ba81YOdnodQvPX/fWkljex3t5v9mfQPHQPIpjYnmbzLeQ3HMxdMTTyY0Y/X7zlqxv9Lr2/vFPpJtPHOzx3cyYPj/IfNpqvj/jbf7g+HNxn8XCqNH3oygeceQf5Hba5vbC7bQYEkUpK4rS/iiGfxZHj6KcFUX5iFEAwFlZz8hClhzKu99wlvu27C5fmd0/yELaZmE2ObFOzQ45o9tZZ3R7fHabzIril0PPQBqVY+N+f/osq36MN/g4MquGzZIVf4STbzf/I1e3tnfubmyuvui+6L4qlcoV+75tPyjJdDKMfkHuAQAMsf8ZO9bQ/J/5FB7rfsZV9d92v1JQkOfyWnqyJovJ3QbJNw6G7jW/72sIixlXrfkkTaZPeFkcc1V3KbnLYbDf0ti2B2Mon8JPAgCA0zOfkYe/JP8vZlx3H8zl46+O8/ue1gYAAE6GDj5Z+eg7KwhM+1mxWi060ZJWge8+UYGpNbQyXqQDd8nxGlq1Az/yXb8ZV56amg5V2Gm3/SBSdT9QbT80y8n0gar/6PdQtxwvMm7Ybmon1Mr1vchxI1UzofuvduffTRMu6SDZOGxr19SN60TG91TodwJXF5QKtVZ7DU1Ne5Gpm7jqqXZgWk6QU0/9ZqelVU2HbmDakZ/ucNCX8ep+0Ep2e+msP2wAAM6Jre2dl6u9XvfNCVaGdpw79aECAIC+jCwNAAAAAAAAAAAAAAAAAAAAAADOgdO4/4/KBa8MpoI+L/FQOYZK5qnj3YmfnACcqD8CAAD//x6LT3Q=")
mount$bind(&(0x7f00000002c0)='.\x00', &(0x7f0000000200)='./file0/../file0\x00', 0x0, 0x109041, 0x0)
executing program 3:
r0 = syz_open_dev$media(&(0x7f00000012c0), 0x66, 0x180502)
ioctl$MEDIA_IOC_G_TOPOLOGY(r0, 0xc0487c04, &(0x7f0000002f00)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, &(0x7f0000002d80)=[{}, {}, {}], 0x0, 0x0, 0x0})
executing program 3:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000580)={'filter\x00', 0x4, 0x4, 0x3c8, 0x1d0, 0x1d0, 0xe8, 0x2e0, 0x2e0, 0x2e0, 0x7fffffe, 0x0, {[{{@uncond, 0xc0, 0xe8, 0x0, {0x3ed}}, @unspec=@AUDIT={0x28, 'AUDIT\x00', 0x0, {0x1}}}, {{@arp={@dev={0xac, 0x14, 0x14, 0x3b}, @multicast2, 0xffffff00, 0xff000000, 0xff, 0x1, {@mac=@link_local}, {@empty, {[0x0, 0xff, 0xff]}}, 0x0, 0x4, 0xffff, 0xc092, 0x0, 0x2, 'gretap0\x00', 'veth1_macvtap\x00', {0xff}, {0xff}}, 0xc0, 0xe8}, @unspec=@NFQUEUE1={0x28, 'NFQUEUE\x00', 0x1, {0x0, 0x6}}}, {{@arp={@initdev={0xac, 0x1e, 0xfe, 0x0}, @broadcast, 0xff, 0x0, 0x0, 0x0, {@empty, {[0x0, 0x0, 0x0, 0xff, 0xff, 0xff]}}, {@mac=@broadcast, {[0x0, 0xff, 0x0, 0x0, 0xff]}}, 0x0, 0x0, 0x2, 0x5, 0xe, 0x0, 'bridge0\x00', 'macvtap0\x00', {0xff}, {0xff}, 0x0, 0x1a}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac=@link_local, @empty, @multicast1, @broadcast, 0x7, 0x1}}}], {{'\x00', 0xc0, 0xe8}, {0x28, '\x00', 0x2}}}}, 0x418)
executing program 32:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f0000000580)={'filter\x00', 0x4, 0x4, 0x3c8, 0x1d0, 0x1d0, 0xe8, 0x2e0, 0x2e0, 0x2e0, 0x7fffffe, 0x0, {[{{@uncond, 0xc0, 0xe8, 0x0, {0x3ed}}, @unspec=@AUDIT={0x28, 'AUDIT\x00', 0x0, {0x1}}}, {{@arp={@dev={0xac, 0x14, 0x14, 0x3b}, @multicast2, 0xffffff00, 0xff000000, 0xff, 0x1, {@mac=@link_local}, {@empty, {[0x0, 0xff, 0xff]}}, 0x0, 0x4, 0xffff, 0xc092, 0x0, 0x2, 'gretap0\x00', 'veth1_macvtap\x00', {0xff}, {0xff}}, 0xc0, 0xe8}, @unspec=@NFQUEUE1={0x28, 'NFQUEUE\x00', 0x1, {0x0, 0x6}}}, {{@arp={@initdev={0xac, 0x1e, 0xfe, 0x0}, @broadcast, 0xff, 0x0, 0x0, 0x0, {@empty, {[0x0, 0x0, 0x0, 0xff, 0xff, 0xff]}}, {@mac=@broadcast, {[0x0, 0xff, 0x0, 0x0, 0xff]}}, 0x0, 0x0, 0x2, 0x5, 0xe, 0x0, 'bridge0\x00', 'macvtap0\x00', {0xff}, {0xff}, 0x0, 0x1a}, 0xc0, 0x110}, @mangle={0x50, 'mangle\x00', 0x0, {@mac=@link_local, @empty, @multicast1, @broadcast, 0x7, 0x1}}}], {{'\x00', 0xc0, 0xe8}, {0x28, '\x00', 0x2}}}}, 0x418)
executing program 4:
r0 = openat$damon_attrs(0xffffffffffffff9c, &(0x7f0000000100), 0x8001, 0x4235c46ce7f00f15)
write$damon_attrs(r0, &(0x7f0000000600)={{' ', 0xf4}, {' ', 0x4}, {' ', 0x1}, {' ', 0x2}, {' ', 0x2000000000000008}}, 0x69)
executing program 4:
r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000300), 0x2002, 0x0)
ioctl$IOMMU_OPTION$IOMMU_OPTION_RLIMIT_MODE(r0, 0x3b87, &(0x7f0000000100)={0x18, 0x0, 0x0, 0x0, 0x1000000, 0xe06d})
executing program 4:
r0 = syz_open_dev$video4linux(&(0x7f00000001c0), 0x7ffd, 0x400)
ioctl$VIDIOC_QUERY_EXT_CTRL(r0, 0xc0205647, &(0x7f00000000c0)={0xf010000, 0x0, "4f2572ce1cedbf10981e10326800000000000000000000000500", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [0x0, 0xfffffffd]})
executing program 4:
r0 = openat$vicodec0(0xffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$VIDIOC_G_PARM(r0, 0xc0cc5615, &(0x7f00000000c0)={0xc, @raw_data="eacdddd318a885977c0b943548f575a58c838dd3699a70cd7c236066f2d47ef800042f71859ffaec22d3695481e962c802c046a95586692c99c93d831c4fd6358f9afb9d2104468272fb4f3be5c7767602c25d9c8cdd5ab69ec5e6cf2c980b79d722c18d5d26ec70d7868aad7477e70ea6ba8f1e53a8c135a0cb09e8d976937e106ab2a6d77f831d942b1124d89f94114ea5d2b2e9e03a16c57abeabfbd53622fc78c6fc66d02d26155c2016835c46b5807ae7642d51aa6bdb3c25fb509f93ed4f3f7f13c4600e73"})
executing program 4:
syz_mount_image$minix(&(0x7f0000002580), &(0x7f0000000040)='./bus\x00', 0x2a14c5e, &(0x7f00000025c0)=ANY=[], 0x6, 0x229, &(0x7f00000005c0)="$eJzs2z1PFEEcx/HfPtxxoIARtTCaEI1oI+dDZWHUjoo3QEXgVOIaUbSAmAiNWphQ2dlYmZhYWBqDnbHyBViY2GmIFJdYWbBmz32Am3vO3a4e30/D7Pxm2NkNc/eH5QRgz7qqcVmylA8OjhUOrI9ZWS8JQEr88Ou26yfsKATQ324OZ70CANnYuia9OCX9LD+ck5OPyoKgAvi6KWlj4olWFeb2gKRXnyU3rh+21qSjbphbBQ1W1xcvpdPRfGvIqD+C+UNxvm9HMhjnZ05G59+vYY1oNBckBzUW5vPx/CNN6x23reoIAID+ZGmyWd5wgK3rC17pXN08V8nP183zlfxCk/xifDwQt2aeTz9471/eDvLJuTvefKNlAqjB7mD/fzmetJ0m+9+ts/+rf08AkL6l5ZVbs57nP5IqjdK9sCdsRH8RSHocY0xXGtEzhxYGR08ojSj4Hjt6HHP6+oR57d27CjtZ2Kik3tyof7ihGtG3qb/3JO6xe3HndzVO/Pj9ePHZ23etDH7T5ins+KduZqNUrhojW+rhdY0bu2DWK7Q23Vr1/TZPWvPlIvnngEK3X4kApK14//ZicWl55eyCI+lGKRe94U9936xU9sXG9T2A/1fypl8rXTN6/N2H0x8//Spfev20gzNfkfTBfCAIAAAAAAAAAAAAAADadkiHs14CAAAAgJSYn/65O9Ltjy5lfY0AAAAAAAAAAAAAAAAAAPSbPwEAAP//dhAJcA==")
truncate(&(0x7f00000001c0)='./file1\x00', 0x60)
executing program 4:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100006325a640402000207265970000010902240001000000000904000002214c6a0009050702000000da000905"], 0x0)
executing program 2:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r0, &(0x7f0000000940)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f00000001c0)="d80000001c0081064e81f782db44b9040a1d08040000000000000aa1180011000607002603600e12080b0f0000810401a8001605200001400200000803604e0cfab94dcf5c0461c1d67f6f94007134cf6ee08000a0e408e8d8ef52a98516277ce06bbace8017cbec4c2ee5a7cef4090000001fb791643a5ee422fe7c9f8775730d16a4683f5aeb4edbb57a5025ccca9e00360db70100000040fad95667e006dcdf63951f215ce3bb9ad809d5e1cace81ed0bffece0b42a9ecbee5de6ccd40dd6e4edef5d2defd5ccae8d3fb7c27a1059ae31c60e2234d732", 0xd8}], 0x1, 0x0, 0x0, 0x7400}, 0x0)
executing program 2:
r0 = openat$dsp(0xffffffffffffff9c, &(0x7f00000000c0), 0x8001, 0x0)
ioctl$SNDCTL_DSP_SPEED(r0, 0xc0045009, &(0x7f0000000040))
executing program 2:
syz_mount_image$vfat(&(0x7f00000000c0), &(0x7f0000000100)='./bus\x00', 0x20008c0, &(0x7f0000001b80)={[{@fat=@allow_utime={'allow_utime', 0x3d, 0xff}}, {@shortname_mixed}, {@iocharset={'iocharset', 0x3d, 'macgaelic'}}, {@shortname_lower}, {@fat=@check_strict}, {@shortname_lower}, {@iocharset={'iocharset', 0x3d, 'cp950'}}, {@fat=@codepage={'codepage', 0x3d, '864'}}, {@utf8no}, {@utf8}, {@uni_xlateno}, {@uni_xlateno}, {@utf8}, {@uni_xlate}]}, 0x82, 0x350, &(0x7f0000000580)="$eJzs3U9oW3UcAPBv9tKkHcz2IAwF4elN0LJWPOipZXQwzEUl+OcgBtepNHXQYLA7NKsX8Sh41JM3D3rwsLMIinjz4NUJMhUPutvA4ZMkL81Lk3adkM3i53MI331/329+v7c8mtfX5tdXV2LjwkxcvHHjeszOlqK8cnYlbpZiIZIYuBLjKhNyAMDxcDPL4s+s74gtpSkvCQCYst77/+unCpl3vz6sPvPuDwDHXv79/9xhNbMHDVyaypIAgCkbu///yMhwZfRH/eXCbwUAAMfV8y+9/MxqLeK5NJ2N2HyvXW/X4+nh+OrFeDOasR5nYj5uRfQvFLoPpd7jufO1tTNpmnbil4Wodzva9YjNTrvev1JYTXr91ViK+VjI+/OrjSzLknNf1NaW0p6IuNLpzR+bpXZ9Jk7m8/94MtZjOdK4f6w/4nxtbTnNn6C+OejvROwO71t0178Y8/H9a3EpmnEhur2Dy5ra2s5Smp7NaiP97Xq1V9d34B0QAAAAAAAAAAAAAAAAAAAAAAD4VxbTPQt7+99kw/17FhcnjPf2x+n35/sD7fb3B8qqWWTZH+88Xn8/iZH9gfbvz9Oul+PEvT10AAAAAAAAAAAAAAAAAAAA+M9obVei0Wyub7W2L28Ug85Wa/tERHQzb3372VdzMV5zm6Ccz1EYSvPU5Y1GlgyKs2SkJg+S7uSDzKdX91ZcrKnuHcXEZVQPHmo2Tz3880fDzEPJ4Jn/HtYkMfkAk33LKAab9/WXdCf/UXvB8m1qrmVZdlD7zivjXVGKKN/5C3d4kHWDb66/8cATrdNP9jJfZn2PPjb/wrUPP/lto9Hszhy9V7Cy1bqVbTTyf08+2Q4OksL5U4p+UCqeCeXD2ndHM43kh99ffPCD7442e1bMvD2hJukfzuf7hyr9oLvMfUNzk+aamXDyTyE4/fFK4+rOT78etavwRcJGHQAAAAAAAAAAAAAAAAAAcFcUPiueyz/sO3NY11PPTn9lAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHD3DP/+fyHYHcscJfirE+ND1fWtVkTlXh8mAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/c/8EAAD//9HQbnk=")
openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x2)
executing program 1:
r0 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000780)={0x6, 0x4, &(0x7f0000000000)=ANY=[@ANYBLOB="18020000f2ffffff0000000000000000850000001700000095"], &(0x7f00000005c0)='GPL\x00'}, 0x80)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000200)={r0, 0x4000000, 0x1, 0x0, &(0x7f0000000040)="97", 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, &(0x7f0000000280)="bf", 0x0, 0x8000}, 0x50)
executing program 0:
r0 = openat$fb0(0xffffffffffffff9c, &(0x7f00000001c0), 0x80, 0x0)
ioctl$FBIOPAN_DISPLAY(r0, 0x4606, 0x0)
executing program 1:
r0 = syz_open_dev$video4linux(&(0x7f00000005c0), 0x1, 0x141942)
ioctl$VIDIOC_SUBDEV_ENUM_FRAME_SIZE(r0, 0xc040564a, &(0x7f0000000000)={0x0, 0x0, 0x101b})
executing program 0:
semop(0x0, &(0x7f00000002c0)=[{0x0, 0x0, 0x800}, {0x2, 0x2, 0x1800}, {0x0, 0xd692}, {0x0, 0x5, 0x1000}], 0x4)
semctl$SETALL(0x0, 0x0, 0x11, &(0x7f00000069c0)=[0xb, 0xe])
executing program 1:
prlimit64(0x0, 0x2, &(0x7f0000000040), 0x0)
mprotect(&(0x7f0000ffc000/0x4000)=nil, 0x4008, 0x2)
executing program 0:
r0 = syz_open_dev$vim2m(&(0x7f0000000000), 0x8000000000000000, 0x2)
ioctl$vim2m_VIDIOC_ENUM_FMT(r0, 0xc0405602, &(0x7f0000000040)={0x0, 0x2, 0x1, "859ec8348c0e1d4c37a3312b5fd1ffff41219d909249432b147a3b3c4bb37340", 0x50565559})
executing program 2:
r0 = syz_open_dev$vim2m(&(0x7f0000000000), 0x0, 0x2)
ioctl$vim2m_VIDIOC_CREATE_BUFS(r0, 0xc100565c, &(0x7f0000000200)={0x0, 0x0, 0x4, {0x1, @pix={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0xfeedcafe, 0x0, 0x0, 0x0, 0x2}}})
executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000300)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x7}}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x401, 0x0, 0x0, {0x1, 0x0, 0x3}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x2c, 0x3, 0xa, 0x101, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}]}, @NFT_MSG_NEWRULE={0x94, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_EXPRESSIONS={0x6c, 0x4, 0x0, 0x1, [{0x34, 0x1, 0x0, 0x1, @exthdr={{0xb}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_EXTHDR_DREG={0x8, 0x1, 0x1, 0x0, 0xc}, @NFTA_EXTHDR_OFFSET={0x8, 0x3, 0x1, 0x0, 0xc5}, @NFTA_EXTHDR_LEN={0x8, 0x4, 0x1, 0x0, 0x22}, @NFTA_EXTHDR_TYPE={0x5, 0x2, 0x7}]}}}, {0x34, 0x1, 0x0, 0x1, @bitwise={{0xc}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_BITWISE_LEN={0x8, 0x3, 0x1, 0x0, 0x2}, @NFTA_BITWISE_SREG={0x8, 0x1, 0x1, 0x0, 0x14}, @NFTA_BITWISE_DREG={0x8, 0x2, 0x1, 0x0, 0x12}, @NFTA_BITWISE_OP={0x8}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x108}}, 0x8814)
executing program 1:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)=@migrate={0xbc, 0x21, 0x1, 0x0, 0x0, {{@in=@multicast1, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11, 0x0, 0xffffffffffffffff}}, [@encap={0x1c, 0x4, {0x0, 0x0, 0x0, @in6=@local}}, @migrate={0x50, 0x11, [{@in=@multicast2, @in6=@local, @in=@private=0xa010101, @in6=@mcast1, 0xff, 0x4, 0x0, 0x0, 0xa, 0x2}]}]}, 0xbc}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
executing program 2:
r0 = socket$caif_stream(0x25, 0x1, 0x0)
sendmmsg$inet(r0, &(0x7f0000000040)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000440)=[{&(0x7f0000000000)="92", 0x1}], 0x1}, 0x1000000}], 0x2, 0x0)
executing program 0:
r0 = socket(0xa, 0x3, 0xff)
connect$inet6(r0, &(0x7f0000000000)={0xa, 0x4e27, 0x1ff, @mcast1}, 0x19)
executing program 1:
r0 = syz_open_dev$sndctrl(&(0x7f0000004e80), 0x0, 0x0)
ioctl$SNDRV_CTL_IOCTL_ELEM_LIST(r0, 0xc0505510, &(0x7f0000000140)={0xdc52d74, 0x1, 0xfffffffc, 0x8009, &(0x7f00000001c0)=[{}]})
executing program 2:
r0 = syz_open_dev$video(&(0x7f00000000c0), 0x2, 0x8100)
ioctl$VIDIOC_S_FMT(r0, 0xc0d05640, &(0x7f00000006c0)={0x1, @pix={0x0, 0x0, 0x34565348, 0x0, 0x0, 0x0, 0x9, 0xfeedcafe, 0xe7, 0xffffff80}})
executing program 0:
r0 = socket(0x2, 0x5, 0x0)
ioctl$sock_ipv4_tunnel_SIOCCHGTUNNEL(r0, 0x89f3, &(0x7f00000007c0)={'sit0\x00', &(0x7f0000000780)={'tunl0\x00', 0x0, 0x1, 0x40, 0x1, 0x515a, {{0x6, 0x4, 0x1, 0x0, 0x18, 0x64, 0x0, 0x1, 0x29, 0x0, @local, @broadcast, {[@end]}}}}})
executing program 1:
r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000040)=ANY=[@ANYBLOB="1400000013000100080000000000000003"], 0x14}], 0x1, 0x0, 0x0, 0x88}, 0x0)
program did not crash
replaying the whole log did not cause a kernel crash
single: executing 6 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$nl_rdma-sendmsg$netlink
detailed listing:
executing program 0:
r0 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
sendmsg$netlink(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000040)=ANY=[@ANYBLOB="1400000013000100080000000000000003"], 0x14}], 0x1, 0x0, 0x0, 0x88}, 0x0)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$sock_ipv4_tunnel_SIOCCHGTUNNEL
detailed listing:
executing program 0:
r0 = socket(0x2, 0x5, 0x0)
ioctl$sock_ipv4_tunnel_SIOCCHGTUNNEL(r0, 0x89f3, &(0x7f00000007c0)={'sit0\x00', &(0x7f0000000780)={'tunl0\x00', 0x0, 0x1, 0x40, 0x1, 0x515a, {{0x6, 0x4, 0x1, 0x0, 0x18, 0x64, 0x0, 0x1, 0x29, 0x0, @local, @broadcast, {[@end]}}}}})
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$video-ioctl$VIDIOC_S_FMT
detailed listing:
executing program 0:
r0 = syz_open_dev$video(&(0x7f00000000c0), 0x2, 0x8100)
ioctl$VIDIOC_S_FMT(r0, 0xc0d05640, &(0x7f00000006c0)={0x1, @pix={0x0, 0x0, 0x34565348, 0x0, 0x0, 0x0, 0x9, 0xfeedcafe, 0xe7, 0xffffff80}})
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100006325a640402000207265970000010902240001000000000904000002214c6a0009050702000000da000905"], 0x0)
program crashed: WARNING: ODEBUG bug in smsusb_term_device
single: successfully extracted reproducer
found reproducer with 2 syscalls
minimizing guilty program
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100006325a640402000207265970000010902240001000000000904000002214c6a0009050702000000da000905"], 0x0)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, 0x0, 0x0)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)
program did not crash
extracting C reproducer
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: WARNING: ODEBUG bug in smsusb_term_device
simplifying C reproducer
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: WARNING: ODEBUG bug in smsusb_term_device
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in smscore_getbuffer
a never seen crash title: KASAN: slab-use-after-free Read in smscore_getbuffer, ignore
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: WARNING: ODEBUG bug in smsusb_term_device
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: WARNING: ODEBUG bug in smsusb_term_device
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in smscore_getbuffer
a never seen crash title: KASAN: slab-use-after-free Read in smscore_getbuffer, ignore
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: general protection fault in process_scheduled_works
a never seen crash title: general protection fault in process_scheduled_works, ignore
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
program crashed: general protection fault in process_scheduled_works
a never seen crash title: general protection fault in process_scheduled_works, ignore
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100006325a640402000207265970000010902240001000000000904000002214c6a0009050702000000da000905"], 0x0)
program crashed: KASAN: slab-use-after-free Read in smscore_getbuffer
validation run: crashed=true
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100006325a640402000207265970000010902240001000000000904000002214c6a0009050702000000da000905"], 0x0)
program crashed: WARNING: ODEBUG bug in smsusb_term_device
validation run: crashed=true
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$squashfs-syz_usb_connect
detailed listing:
executing program 0:
syz_mount_image$squashfs(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f00000002c0)={[{}]}, 0x1, 0x232, &(0x7f0000000000)="$eJzKKC4sZmdgYPj7sSaZgUGAAQRYGEQYLjAwMrAwMDDIM4KFGD4yQeipUPomlGaDyl+B0r5Q8XYo/de8KiKKgYExU+meGdMB8RRFRgEGHpGvpx4wJDPwxzJYzvNecykoc8pVobdL94PUe4VWbmJgVE/hXzRnwwSnmbxgYxkjo5DNYT4gM4sDZBADA8PkPxH3HrBIMoggmSXK8U/sVMvyVWad9xlmdExLY2A0mMXBwMCgd0R3pp0BbzcT1MziyqrsxJyc1KLiAwyo5k9m3M+kyAhSd+bv1eAHjHYM3bEMjAxyG/zVFn/7I1W5cVN95PSqiJqp3U03l66PY9im//eKidT7iRlh/x8cEtSyyMv/ME9G6fvmhjkfauqemDh2NirP5W+9/Pfd+5ja4gQ1psfiXYVs/AluWjWfnJ3cLB/PTa9u31KsuCArzWXisakX/yYcX8vAMPnCE1t9BgaGDSDnulXOjbnrFi/ItUz9fN2bFwwHoz5PZGBkZGBgYmCYGbZzD7K/yhugkcHAzMDAoMIAUsTCkJaZk2rgwcDIwMzAws6ADGCqmRg4wKr0kvNzUtoZGMFJAKxtOQML3AzDxwys/CDlII7RYwZWuIyxRQPMyHYorQKlPaD0cij9GErLoyUbFrAJ/VCeRgMDAxtDReJ//iJDNgYGhorEkpIiQ4hYSUmREVzMSABuMxPU1rlMqJ47zsQwCkbBKBgFo2AUjIJRMApGwSgYBSMZAAIAAP//kpC1eQ==")
syz_usb_connect(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100006325a640402000207265970000010902240001000000000904000002214c6a0009050702000000da000905"], 0x0)
program crashed: general protection fault in process_scheduled_works
validation run: crashed=true
reproducing took 42m11.608878141s
repro crashed as (corrupted=false):
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 6035 Comm: kworker/0:9 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: do_submit_urb (events)
RIP: 0010:process_one_work kernel/workqueue.c:2575 [inline]
RIP: 0010:process_scheduled_works+0x5aa/0x15b0 kernel/workqueue.c:2711
Code: 89 ac 24 10 01 00 00 44 89 e8 c1 e8 05 83 e0 0f 89 03 48 8b 44 24 38 48 8d 58 08 48 89 d8 48 c1 e8 03 48 89 84 24 80 00 00 00 <42> 80 3c 20 00 74 08 48 89 df e8 a7 25 85 00 48 89 5c 24 48 4c 8b
RSP: 0018:ffffc900036a7bc0 EFLAGS: 00010002
RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000001fffffffc0
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff
RBP: ffffc900036a7da8 R08: ffffffff970c430b R09: 1ffffffff2e18861
R10: dffffc0000000000 R11: fffffbfff2e18862 R12: dffffc0000000000
R13: 0000001fffffffc0 R14: ffff8880219087b0 R15: ffff888024235518
FS: 0000000000000000(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0084a7000 CR3: 000000007b556000 CR4: 00000000003506f0
Call Trace:
worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:process_one_work kernel/workqueue.c:2575 [inline]
RIP: 0010:process_scheduled_works+0x5aa/0x15b0 kernel/workqueue.c:2711
Code: 89 ac 24 10 01 00 00 44 89 e8 c1 e8 05 83 e0 0f 89 03 48 8b 44 24 38 48 8d 58 08 48 89 d8 48 c1 e8 03 48 89 84 24 80 00 00 00 <42> 80 3c 20 00 74 08 48 89 df e8 a7 25 85 00 48 89 5c 24 48 4c 8b
RSP: 0018:ffffc900036a7bc0 EFLAGS: 00010002
RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000001fffffffc0
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff
RBP: ffffc900036a7da8 R08: ffffffff970c430b R09: 1ffffffff2e18861
R10: dffffc0000000000 R11: fffffbfff2e18862 R12: dffffc0000000000
R13: 0000001fffffffc0 R14: ffff8880219087b0 R15: ffff888024235518
FS: 0000000000000000(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0084a7000 CR3: 000000007b556000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
0: 89 ac 24 10 01 00 00 mov %ebp,0x110(%rsp)
7: 44 89 e8 mov %r13d,%eax
a: c1 e8 05 shr $0x5,%eax
d: 83 e0 0f and $0xf,%eax
10: 89 03 mov %eax,(%rbx)
12: 48 8b 44 24 38 mov 0x38(%rsp),%rax
17: 48 8d 58 08 lea 0x8(%rax),%rbx
1b: 48 89 d8 mov %rbx,%rax
1e: 48 c1 e8 03 shr $0x3,%rax
22: 48 89 84 24 80 00 00 mov %rax,0x80(%rsp)
29: 00
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 a7 25 85 00 call 0x8525e0
39: 48 89 5c 24 48 mov %rbx,0x48(%rsp)
3e: 4c rex.WR
3f: 8b .byte 0x8b
final repro crashed as (corrupted=false):
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 6035 Comm: kworker/0:9 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: do_submit_urb (events)
RIP: 0010:process_one_work kernel/workqueue.c:2575 [inline]
RIP: 0010:process_scheduled_works+0x5aa/0x15b0 kernel/workqueue.c:2711
Code: 89 ac 24 10 01 00 00 44 89 e8 c1 e8 05 83 e0 0f 89 03 48 8b 44 24 38 48 8d 58 08 48 89 d8 48 c1 e8 03 48 89 84 24 80 00 00 00 <42> 80 3c 20 00 74 08 48 89 df e8 a7 25 85 00 48 89 5c 24 48 4c 8b
RSP: 0018:ffffc900036a7bc0 EFLAGS: 00010002
RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000001fffffffc0
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff
RBP: ffffc900036a7da8 R08: ffffffff970c430b R09: 1ffffffff2e18861
R10: dffffc0000000000 R11: fffffbfff2e18862 R12: dffffc0000000000
R13: 0000001fffffffc0 R14: ffff8880219087b0 R15: ffff888024235518
FS: 0000000000000000(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0084a7000 CR3: 000000007b556000 CR4: 00000000003506f0
Call Trace:
worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:process_one_work kernel/workqueue.c:2575 [inline]
RIP: 0010:process_scheduled_works+0x5aa/0x15b0 kernel/workqueue.c:2711
Code: 89 ac 24 10 01 00 00 44 89 e8 c1 e8 05 83 e0 0f 89 03 48 8b 44 24 38 48 8d 58 08 48 89 d8 48 c1 e8 03 48 89 84 24 80 00 00 00 <42> 80 3c 20 00 74 08 48 89 df e8 a7 25 85 00 48 89 5c 24 48 4c 8b
RSP: 0018:ffffc900036a7bc0 EFLAGS: 00010002
RAX: 0000000000000001 RBX: 0000000000000008 RCX: 0000001fffffffc0
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000ffffffff
RBP: ffffc900036a7da8 R08: ffffffff970c430b R09: 1ffffffff2e18861
R10: dffffc0000000000 R11: fffffbfff2e18862 R12: dffffc0000000000
R13: 0000001fffffffc0 R14: ffff8880219087b0 R15: ffff888024235518
FS: 0000000000000000(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0084a7000 CR3: 000000007b556000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
0: 89 ac 24 10 01 00 00 mov %ebp,0x110(%rsp)
7: 44 89 e8 mov %r13d,%eax
a: c1 e8 05 shr $0x5,%eax
d: 83 e0 0f and $0xf,%eax
10: 89 03 mov %eax,(%rbx)
12: 48 8b 44 24 38 mov 0x38(%rsp),%rax
17: 48 8d 58 08 lea 0x8(%rax),%rbx
1b: 48 89 d8 mov %rbx,%rax
1e: 48 c1 e8 03 shr $0x3,%rax
22: 48 89 84 24 80 00 00 mov %rax,0x80(%rsp)
29: 00
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 a7 25 85 00 call 0x8525e0
39: 48 89 5c 24 48 mov %rbx,0x48(%rsp)
3e: 4c rex.WR
3f: 8b .byte 0x8b