Extracting prog: 4m30.940910168s
Minimizing prog: 19m15.48565049s
Simplifying prog options: 0s
Extracting C: 41.44155785s
Simplifying C: 7m50.683890414s


extracting reproducer from 30 programs
testing a last program of every proc
single: executing 6 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_emit_ethernet
detailed listing:
executing program 0:
syz_emit_ethernet(0x3a, &(0x7f0000000100)={@local, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x3}, @void, {@ipv4={0x800, @tcp={{0x6, 0x4, 0x0, 0x0, 0x2c, 0x0, 0x0, 0x0, 0x5, 0x0, @dev, @private=0xa010100, {[@generic={0x1, 0x2}]}}, {{0x0, 0x0, 0x41424344, 0x41424344, 0x0, 0x6, 0x5, 0x0, 0x0, 0x0, 0x8}}}}}}, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-landlock_create_ruleset-landlock_restrict_self-socket$inet_mptcp-bind$inet-openat$dlm_plock-socket$nl_generic-io_setup-io_uring_setup-pipe-socket$nl_netfilter-sendmsg$NFT_BATCH-write$binfmt_misc-splice
detailed listing:
executing program 0:
syz_usb_connect(0x3, 0x91, &(0x7f0000000040)={{0x12, 0x1, 0x250, 0x23, 0xc5, 0x2b, 0x20, 0x1b3d, 0x156, 0x755e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x7f, 0x1, 0x12, 0xa3, 0x40, 0x6, [{{0x9, 0x4, 0xb6, 0x7f, 0x1, 0xa6, 0x4c, 0x4c, 0x9, [@generic={0x5c, 0x8, "31503e19f5d3998a6cf6014e80e251ee17d9d28bad16fd52bddb3730860e074db563fe1cea60b1778398916fb73cc107459e65515da21cee6407a4a72caca5121029e90b26da8659e60afe7b8475cdc8302c6c186b40589e972b"}, @uac_as={[@format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x8, 0x1, 0x75, 0x8}]}], [{{0x9, 0x5, 0x3, 0x4, 0x40, 0x1, 0xb, 0x5}}]}}]}}]}}, 0x0)
r0 = landlock_create_ruleset(&(0x7f0000000040)={0x0, 0x1}, 0x4a, 0x0)
landlock_restrict_self(r0, 0x0)
r1 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r1, &(0x7f0000000080)={0xa, 0x0, @private}, 0x3d)
r2 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f00000003c0), 0x28400, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
io_setup(0x2, &(0x7f0000001340))
io_uring_setup(0x7582, &(0x7f0000000140)={0x0, 0xfab, 0x2, 0x2, 0x17d, 0x0, r2})
pipe(&(0x7f0000000580)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000000)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a010100000100000000000200fffc0900010073797a30000000000800024000000001cc000000030a01020000000000000000020000000900010073797a3000000000aa000300"], 0x1e4}}, 0x0)
write$binfmt_misc(r4, &(0x7f0000000000), 0xfffffecc)
splice(r3, 0x0, r5, 0x0, 0x7fff, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_sctp-openat$iommufd-ioctl$IOMMU_IOAS_ALLOC-ioctl$IOMMU_VFIO_IOAS$SET-ioctl$IOMMU_VFIO_IOAS$GET-syz_open_dev$vim2m-ioctl$vim2m_VIDIOC_G_FMT-ioctl$IOMMU_TEST_OP_ADD_RESERVED-ioctl$IOMMU_VFIO_IOMMU_MAP_DMA-setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX-getsockopt$sock_buf-socket$inet6_sctp-ioctl$IOMMU_TEST_OP_MOCK_DOMAIN-setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS-socket$nl_generic-sendmsg$ETHTOOL_MSG_COALESCE_SET-syz_genetlink_get_family_id$tipc2-syz_genetlink_get_family_id$smc-sendmsg$SMC_PNETID_GET-setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO-setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS-bind$inet6-sendto$inet6-setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS-pipe
detailed listing:
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000640), 0x0, 0x0)
ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f00000002c0)={0xc, 0x0, <r2=>0x0})
ioctl$IOMMU_VFIO_IOAS$SET(r1, 0x3b88, &(0x7f00000000c0)={0xc, r2})
ioctl$IOMMU_VFIO_IOAS$GET(r1, 0x3b88, &(0x7f0000000040)={0xc, <r3=>0x0})
r4 = syz_open_dev$vim2m(&(0x7f0000000000), 0x7, 0x2)
ioctl$vim2m_VIDIOC_G_FMT(r4, 0xc0285629, &(0x7f0000000080)={0x3, @win={{0x0, 0x0, 0x0, 0x10000}, 0x0, 0x0, 0x0, 0x0, 0x0}})
ioctl$IOMMU_TEST_OP_ADD_RESERVED(r1, 0x3ba0, &(0x7f0000000100)={0x48, 0x2, r3})
ioctl$IOMMU_VFIO_IOMMU_MAP_DMA(r1, 0x3b70, &(0x7f00000001c0)={0x20, 0x2, 0x0, 0x3, 0x2})
setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r0, 0x84, 0x6e, &(0x7f00000000c0)=[@in6={0xa, 0x4e25, 0x0, @private2}], 0x1c)
getsockopt$sock_buf(r0, 0x1, 0x1c, 0x0, &(0x7f0000001100)=0x2d)
r5 = socket$inet6_sctp(0xa, 0x5, 0x84)
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r1, 0x3ba0, &(0x7f0000000200)={0x48, 0x2, r2})
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000580)={0x0, @in={{0x2, 0x0, @empty}}, 0x0, 0x0, 0x3fc, 0x0, 0x32}, 0x9c)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$ETHTOOL_MSG_COALESCE_SET(r6, &(0x7f0000001340)={0x0, 0x0, &(0x7f0000001300)={&(0x7f0000000300)=ANY=[@ANYBLOB="14000000", @ANYRES16, @ANYBLOB="040000"], 0x14}}, 0x0)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), r6)
r7 = syz_genetlink_get_family_id$smc(&(0x7f00000003c0), r6)
sendmsg$SMC_PNETID_GET(r6, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000400)={0x14, r7, 0x1, 0x0, 0x0, {0x19}}, 0x14}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008800)
setsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r5, 0x84, 0x72, &(0x7f00000001c0)={0x0, 0x1, 0x20}, 0xc)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000000)={0x0, @in6={{0xa, 0x0, 0x0, @empty}}, 0x0, 0x0, 0x0, 0x0, 0x8a}, 0x9c)
bind$inet6(r5, &(0x7f00004b8fe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
sendto$inet6(r5, &(0x7f0000847fff)='X', 0x1, 0x0, &(0x7f00000000c0)={0xa, 0x4e23, 0x0, @remote}, 0xf)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r5, 0x84, 0x9, &(0x7f0000000a00)={0x0, @in6={{0xa, 0x4e23, 0x0, @loopback}}, 0x0, 0x0, 0x0, 0x0, 0x3c}, 0x9c)
pipe(&(0x7f0000000100))

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm-openat$uinput-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE-ioctl$UI_ABS_SETUP-flock-ioctl$AUTOFS_DEV_IOCTL_READY-write$binfmt_elf64
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)
r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r2, 0x405c5503, &(0x7f0000000100)={{}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r2, 0x5501)
ioctl$UI_ABS_SETUP(r2, 0x401c5504, 0x0)
flock(r1, 0xc)
ioctl$AUTOFS_DEV_IOCTL_READY(0xffffffffffffffff, 0xc0189376, &(0x7f00000000c0)={{0x1, 0x1, 0x18, <r3=>r0, {0x3}}, './file0\x00'})
write$binfmt_elf64(r3, &(0x7f0000000700)={{0x7f, 0x45, 0x4c, 0x46, 0x4, 0x2, 0x32, 0x7b, 0x1, 0x3, 0x3e, 0x591, 0x374, 0x40, 0x27, 0x5, 0x4, 0x38, 0x2, 0x100, 0x4, 0x4}, [{0x1, 0x4, 0xf946, 0x4, 0x6, 0xffffffffffffff7f, 0x0, 0x5}, {0x6474e551, 0x2, 0xfffffffffffffffd, 0x6, 0x8, 0x6b32, 0x10, 0xff}], "2aff9e30dab7da5827a9c544a0485e601b6267269f54ba7b0aca2edd6432383476aa1c62ea7b6a97eb42a5ad2f3653a6c0b1e47ef78efb6ca0881ca444c09ccb51ee7689082a1f60b3da42bf8b0c0f742130f95e1d1eb8e15fba5de3e54ee9a0fb9635fbc364890977b529a21dcd425267f488f26e75e91628ed26e6c8b6bc0505aa3ed728ebb590063127fbfddd8a67b5a8815d572452c42fedd3796f37bd1ac078ea1de02e2f65a0bddea74d7367233ef8b631c5ca60a0f7a5a3b79887f2bfc8851c46aa8fd38c347fdb2194484ea3b9a00ba0aae552a15220ae0a1d807334b35064ac9fde89af6d1848fba2cff6ccaa5fc46fc258f7b101ee5baae9ccc06ac37e7429b2290a5726160cfbcbbd26a105cd8a00a222f9379c2ce3d038ee43e4fdb50ae3ce2f291f60362339a848158501cd2be03103dec0d9bd836545f3dda5e8ad09c5293eb7907b31bb2c18670621f4a07c6fd2327fd05976e0b59876d4539325a5d665994b4ef61c755c91af6344ba91c299b024ec60d7da1108785601fdcf6ede3028e594b6bb71b098be650b601dfdb5bfef08f098d7c28f2fe63dbf8a006cd5bea35220c0ab056439407757065fc244abd14857de2f129038d7ff04b5aa1fdf5669ba11a1c9aed3564220af612db6dfc2ee3addadf0de77d5620d1cbd91797e4e05f4c9d25e20aab933cb46e5d5e99e2b008aa00b076deae0bcafdf5404994514f3ca3b87f9dba88a594519f2ef7d8acc92758b9b06c855126a7e54c9d325b2ce94bab5dbaf42887552101a6e1ca7b1b062494e14c532935b0ec0d3077dfbc6df1263dea88eb31e28f104f9b89c6a1a26a407a4ad5267f09a26ad00302192d05627ac8ba67a1fba81fef6d7efb5fa4c452b2015551925fad98ec9e3daefd6f4ad151bbbd8a27c88403eccfdc2aeb4ecd5be2452353ed815f4585b315c4e9486bde90f69a37319811a3cf5b1e1bbf9caf3dc5b337f7b09e949872a18529d94be080f5a52cf9358b4ae051a516ba933124ecb52d0398ef0959b0dfe25b50b6b8e07ada3cbe3df17da75b2ec75d16512d6d57257b8f8bf319919f1f0e5075dc0077f5a30ef40c9e615385424d21d4dbbcb0bde546b322d9d9341114b04e1770cc3345b6501c01be2e9e95bb8210e69dfc65db3e65c07fb5d4ca5f5c644cdbe8153518eebf8bc2c0d2d352a058d7d66426b89380914df97ea5e08f5b26fbd361194cc50ae5fcac45e62bc584c4e05fdab93737920e427d35deff36f42dbd5a5bfdd1b745540768c3c5ea222a34fe4a71ab625b0f4db959626e2cd331c71e56fb879151376b4cd67fa042d5c5f7d25fccb0359f069e0c21953cf19911049440760d02f8c28aa2a9bf0657af8eb6ed2e45f2e6f2cfcbb29a9a5612d05071821d987643a3360088caa3f885401185e43b2c02a7d109e3ca2a56e47c0b27277753d3ad17927931864fe246ada9148f744caa26bd9c8b20e1f525a1fec3758d97d3d2c1134c5eff535e100f3d561c1ad319856ceb16f3813f29f93b84bf77775b287e72dcb517cb9ba28a51680703cab1ab75dad54db2ef7002a17eeeae40a599217ac565f5473910ebb3f74b74d0ea45e3bc1dd2642dc4a66921971cc3aad15222bb07a272e2ffc93695bd2410389b0f87c576f3f64c36905a81f986c63f5abcce06ef9c9888f9c6a48b44ed3d22dd40e508adf1d1cb824073558942adb5c8f9eb8cd212a057b105ae1d4d5ce106900fe3e53a5fb50a27ec35096caf444dcc55da9d80c448ae8d45ea631e5a0f902c9c7d5c65c225e85964764c034e1af3275add7397e148d7a42afbc278983b66354336f072dadd45b12936de76df204a99b94d988aa7b341a81a2780708240789c382b14f7add8795288325769c01d38777b89d265e7c553a1cf20a7a086a386c49dbc55dbca0230a7578ebc2bf0770554309dabfdc0884cb6fc0e73f4f420eb728a64de3b734b3bfa5beac4e81860352f01c6bfef5398c449d65487c02cd855cbb7e01f10e2d0d8a37f7f0b601c80847576e79d0a9fe2b5d7f9513d655c372f073120e4bf832d39d6f3355a6bd448641eb0b1fe45730cb7c82e8669814ed772a618d4a4b409b4beaa3e4b8d1c74510ec3ea6bd1c6e1a5190180a00ae38ec9893c06c7860febd38657d6a8488fe19bd6ae8397f4fdb70991353fd4169ed90402c587178da926f7d6d3d5c038c411a94ffa75b933f37bad67f86ae84d36266dd737c80f308f8d777ef442b47d9350e2c1faa9d0a158aad3d9022d3c3aecb9d1932ca2a78c8a46f1a92dcc261513abaddafe2861596d6e4333c6e739d569d505068990eab4598a4ba93eac21b062c869be83566d25f177d24a8f486bea023e348b08488723ab065729f363cf800c7fa44fa0e42652fbd60aac6445f9d07367105b3610fcb2724852d235da9ac01c13acdcb838bbf65aa4ca564ab2a73ca5e0b522aa026cdfd0a990d15e21501d8654e9a8c4c8d3ec4726fca477d0d3f8a13cbcfc0e4bbfd2d5bd3ddba96c12a981b9be1445fa0db7229864cd4d0c51fd35cd047927838c45f6cf829bd1a8855d694c9ecd0cb103f9a0598ea8dc81e30d95a528395fee6af393b885c5442d6444ec8a642a2d12559004c82bf4b4dea5c2d7a2e10f6e680636738e933d4d78793f7907ad08edfa164f7dc31e95d4299eaebd5f11d31e2518e4344ab4046d0dc5b0a49a2faecfc729656c0ccbf3c3562ca232b33105f6be6b64d3c9f134c2c1afd5ba1f76ac06921afd1b6059f8f9240b7006bff678ed6d49f22d0e16a1f3f30225d0fa7c748bd3ccea82fa9509ce445e8fb44d0f2f671d06e779a5e0c4b235879f451625e42460b25c23797deaa7b2a9104a5eaab550b4e7f4cf280f9013f6ec341531b12262f5d8ba72c87305c50a998805b8d8c55576eecd3a4fd23bb08256cdc17e212329d981d1b903874aca580216ac30bf34e5e155c803550828e7180f0f81e6a3ec23bbb021e538c18745f43857d3b603a030f4a8557bd84e83db6d2735b463799f83066cf3fd7d1fc86d119f08187d1a72800587cf666599f26b946252c0569f1c58d7691c6fe1a2ac6f554afbd712615766cef7a8f2e38bb03677d3bff315753bafc75fb40fb7a2f3520efc8c8f8ba2935eae2ea5340d1987c51f492f1bb49af4914eb6a7606031dd992dc87bfad600f61566982664dea3d3a5fff4b1582e0b8275c442f86f4be0601d1e2f89cd79912e2cbb945d528a93714e7742b59feeae5b998717d3cad9c473e61dd76fab358cf7435fa85b02c59aa8e06fcab59ba295810e016d497204961cfe57cf0cae8690db2596a9628b59d4e56c1a75986b95e9840db9cd9ceef0098009bb10b03c3ed2b227d39e95ef13146af3689dba0191da599a4eabcafde0959b903d5a5d02c8ec91231f4c63c37008e170f27ef844a73a172393ff2818f51e76845e91f7f7f89ffefab3cb0cc4e5a6e6d9d3aa37764b4c9e79bc6efc711ee8409eec4aab52d424e3a3b60dc332a2e4e07bcb3e75943c94908d74ed9c685292eda153cdf67e3d87b929ba32fae21464aedb5eee7d061a74c0bd4edc043320c26739c29237749923f240d13926c25070a331bcf3d9a9442597c047a8afcdbc738ca549e7496596678bb8e37934d1d18bb866f833a85a17aa18cb104a2b45a7cf68fd3eff8f029ad20cae04e8d6ef52c9485275e71412d46ac54be7e2dcdbf9347ca8153abfe7164b4a38e5ae9cb4fe801d86f5ff25e1ed6145a8009e015e6218e9758ce09372ea572fc0891be60ac01c461de6fb2bcb33ec067ab4e105675acac33983191b3903ec1ff8895c028d212df59e835e23deabd4c3aabae5b045867cfcdb022b7ded89eb8d931211ead4bfa2b3adb621ff1ecc73b7ea00aa0b40427b51f20ad346e2aebf2496153454020254fe8213a69e5d1d49e08092c692dc84c0d404265ac59f7771db9fb4f7dee7bee108ef0d82855ce9c4d3c9909538de6553c2b23e4983655bd77445eeececace73438abee6902fdf08af8da7f8ad99513bf14e63f643e8e5b1dbf8f6336aef9e97b6558e1e047bd0e2d47d0f10d5812cfc2d666720fb48db4029780e04535576f6a82f3eacacaae9561e4c150c979667962762b5e559a6b7ee4b4a5505ba0c6f90b094940427c46087b65312dd28dea90ed1aadece3a9a26c0f01ad24176c6f3c4026edbf1b74b12297e9d9c6164af286a127a0af438a62b15e0c973940c4d359f1705578cc3d1fb7d385cc4edd0fcb6a5b32e0f80334b7fb6d96c726747d8b5933ec54710327fe2cb5d2c8954d5d491078d94d240bae86fd0c34945b9f9b88837baaa7ae6dd110dc05fb97feb168fdcfff8ff529b8e56971dd6889d763c7ebc345cf8de0a3ddb009ec64f9238b553f4fd4e59c69e4e73085a9b4b30d7a7cfe09c29a73c4bc7a48f32bdb0e6b6769dfcc50a537eb1954d0e1006e190a17cfa88372f4936a5ba908b34bc2df398002e1dafc0fdcdb34305106112ac83a85ab5ae231d96e6ef6afb20587bfc4ef8ba1488652083848cf45171805296a1a04b1d0a3e93f9094f1067e1d315ae98ff0f355a3b8e84c186f029afc6cd0df8852db3982a4381d9fd53577d3f7061d354aaf26fc4366fd461c3f1766e7a41ee824d7dfe7b06929ec23de689401d84ba83bdbc8462c7d6f6d9c4c2bda4cbe6c1497ca7e6716076cab47ea5a5bb0b6ef7a1be522057056acd32c4b6afc59a90db9e9862890839d362718c7b1dd29b77933d2b41a572547da6137967c7f2e827a2d778d57844e56f942f841f47a763a4789a04701ceddc6c0ce9a4be1cadebb8ff63a4f18c0d54fb2ba70664ea5c4ca0eae42f6250c562532dcedb0f4d03791a1cc163cfa261397fe45ee3230ec0eebaa43142abf09f72818c29d850acfc50712fb9e859ab3fbaaea18808c43345fe61a77722771a38a4fb190598eba70a4b23b2ec55852c026bcc306e31d97fcd12e2198f1c954abf8df86733a30a45c88ac5678d6019831f58ca74fc2624792cc18d1e1660f78ccf26e561d85d64a77a5aefc53149b18187d0a2c8ae24d6eb3c41684726f8a512f9eb6b6a025baabb86857f0304eef3f1375d5df79103c033e8225e7eab9a4f073d37495495bd0c31f73f0edfdb15e0d4e3379b8dd8925b33251e717b77ac0add06d9b7b04e18f3f00bf0a95d71538da8d6985752e9fab17f7b676ba315f281f1840da696b9fd9e82c1e4ea172762ec96acbe405d6aaadbae14520b52d11557ccf1ba001d32d1eb7eaa0b1f914c0123481a47aecc54ce678269ac3727a657e41eb692396037d617d53a278e032372aaaf4981daa0d495232063383fbbb31b7335edff397f7474413b927a968b7344cab8675574e8d12ec463c0c5d8be21a1e97fa3a2dc57684d97a5cbc3622d69346a351fc82f3471403e37bc29f2efd567a3ed0f0b9228b9d7d49db8493aed75d991d0557bc569bd5ad8e92be858d3adf65db728a732beba827a2eae2a10e0cc2998ca0dcfd50b927c474c4e7bfa929d989a439bba2d75529a50ffff0be0baf81f927b3e7ca36c2ef3bdaffb79e84a1bc373e4ad41668917a0aa77190b42093c777c892a586f1823341b711e3978284268075eeb296453d6d271ce963bf5e3cba78d9bb1604e30a1521993e14e84b996bc1d10258653987012ea156d22ab9acb97e3f273b1bee0679cc17322db12723386c270119daea97ce4e326997e55001f82bdd46e6ce49762978302294c1ec8cd1f356a2ae8e29dc022dbc1b431f592a67a4d2939524465602d81dda32d6ada4f", ['\x00', '\x00', '\x00', '\x00', '\x00']}, 0x15b0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
single: successfully extracted reproducer
found reproducer with 14 syscalls
minimizing guilty program
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm-openat$uinput-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE-ioctl$UI_ABS_SETUP-flock-ioctl$AUTOFS_DEV_IOCTL_READY
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)
r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r2, 0x405c5503, &(0x7f0000000100)={{}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r2, 0x5501)
ioctl$UI_ABS_SETUP(r2, 0x401c5504, 0x0)
flock(r1, 0xc)
ioctl$AUTOFS_DEV_IOCTL_READY(0xffffffffffffffff, 0xc0189376, &(0x7f00000000c0)={{0x1, 0x1, 0x18, r0, {0x3}}, './file0\x00'})

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm-openat$uinput-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE-ioctl$UI_ABS_SETUP-flock
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)
r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r2, 0x405c5503, &(0x7f0000000100)={{}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r2, 0x5501)
ioctl$UI_ABS_SETUP(r2, 0x401c5504, 0x0)
flock(r1, 0xc)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm-openat$uinput-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE-ioctl$UI_ABS_SETUP
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)
r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r2, 0x405c5503, &(0x7f0000000100)={{}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r2, 0x5501)
ioctl$UI_ABS_SETUP(r2, 0x401c5504, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm-openat$uinput-ioctl$UI_DEV_SETUP-ioctl$UI_DEV_CREATE
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)
r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r2, 0x405c5503, &(0x7f0000000100)={{}, 'syz0\x00'})
ioctl$UI_DEV_CREATE(r2, 0x5501)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm-openat$uinput-ioctl$UI_DEV_SETUP
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)
r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r2, 0x405c5503, &(0x7f0000000100)={{}, 'syz0\x00'})

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm-openat$uinput
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)
openat$uinput(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm-sendmsg$nl_xfrm
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000600)=ANY=[@ANYBLOB="ec00000021000100000000000000000000000000000000000000000000000000fe8000000000000000000000000000bb00"/64, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="00000000000000009cf3100000000000000000000000584e7b1b00009b1414bb0000000b6ca28a627148415c43053a0af34d0000000000000000007f000001000000000000000000000001e00000020000000000000000000000002b000000073500000a000200e0000001000000000000000000000000fe8000000000000000000000000000aa00000000000000000000000000000000fc0100"/164], 0xec}, 0x1, 0x0, 0x0, 0x20040010}, 0x4040014)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int-socket$nl_xfrm
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)
socket$nl_xfrm(0x10, 0x3, 0x6)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX-setsockopt$inet_int
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)
setsockopt$inet_int(r0, 0x0, 0xf, &(0x7f0000000080)=0x1, 0x4)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp-setsockopt$inet_tcp_TLS_TX
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
setsockopt$inet_tcp_TLS_TX(r0, 0x6, 0x1, &(0x7f0000000000)=@ccm_128={{}, "c04d831721b66c43", "7e50992d53face4acb591d981848b3d9", "a7844c4e", "6c25c0284645e18b"}, 0x28)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout-socket$inet_mptcp
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)
socket$inet_mptcp(0x2, 0x1, 0x106)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$binfmt_aout
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0xc1)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000e0dec14004231a022918010203010902220001000000000904000001e36ec20009050000000000000007058299"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, 0x0, 0x0)

program did not crash
testing program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x34, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=1m4.070806473s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
simplifying C reproducer
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=1m4.070806473s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
reproducing took 32m18.552050057s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
Read of size 8 at addr ffff88807b518738 by task v4l_id/5886

CPU: 1 UID: 0 PID: 5886 Comm: v4l_id Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
 em28xx_v4l2_open+0x14c/0x9d0 drivers/media/usb/em28xx/em28xx-video.c:2155
 v4l2_open+0x22f/0x370 drivers/media/v4l2-core/v4l2-dev.c:427
 chrdev_open+0x521/0x600 fs/char_dev.c:414
 do_dentry_open+0x978/0x1460 fs/open.c:958
 vfs_open+0x3e/0x330 fs/open.c:1088
 do_open fs/namei.c:3774 [inline]
 path_openat+0x2c84/0x3590 fs/namei.c:3933
 do_filp_open+0x235/0x490 fs/namei.c:3960
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd3857a39a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffe8d2a4200 EFLAGS: 00000246
 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffe8d2a4418 RCX: 00007fd3857a39a4
RDX: 0000000000000000 RSI: 00007ffe8d2a4f1f RDI: 00000000ffffff9c
RBP: 00007ffe8d2a4f1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe8d2a4430 R14: 000055e8a01fe670 R15: 00007fd385964a80
 </TASK>

Allocated by task 5847:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 em28xx_v4l2_init+0xfd/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2534
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 5847:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x1a0/0x440 mm/slub.c:4727
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2120 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x16d7/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2903
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88807b518000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1848 bytes inside of
 freed 8192-byte region [ffff88807b518000, ffff88807b51a000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b518
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ed4601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5215, tgid 5215 (S10udev), ts 18152164561, free_ts 15742652998
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1541
 prep_new_page mm/page_alloc.c:1549 [inline]
 get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3459
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4735
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 alloc_slab_page+0x6a/0x140 mm/slub.c:2412
 allocate_slab+0x5a/0x2f0 mm/slub.c:2578
 new_slab mm/slub.c:2631 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
 __slab_alloc+0x58/0xa0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4290
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
 tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264
 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
 tomoyo_bprm_check_security+0x114/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x86/0x250 security/security.c:1297
 search_binary_handler fs/exec.c:1740 [inline]
 exec_binprm fs/exec.c:1794 [inline]
 bprm_execve+0xa56/0x1770 fs/exec.c:1845
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1112 [inline]
 free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2642
 free_contig_range+0x152/0x550 mm/page_alloc.c:6750
 destroy_args+0x92/0x910 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x248/0x880 init/main.c:1269
 do_initcall_level+0x157/0x210 init/main.c:1331
 do_initcalls+0x3f/0x80 init/main.c:1347
 kernel_init_freeable+0x435/0x5d0 init/main.c:1580
 kernel_init+0x1d/0x2b0 init/main.c:1469
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88807b518600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b518680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807b518700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88807b518780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b518800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
Read of size 8 at addr ffff88807b518738 by task v4l_id/5886

CPU: 1 UID: 0 PID: 5886 Comm: v4l_id Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xc8/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
 em28xx_v4l2_open+0x14c/0x9d0 drivers/media/usb/em28xx/em28xx-video.c:2155
 v4l2_open+0x22f/0x370 drivers/media/v4l2-core/v4l2-dev.c:427
 chrdev_open+0x521/0x600 fs/char_dev.c:414
 do_dentry_open+0x978/0x1460 fs/open.c:958
 vfs_open+0x3e/0x330 fs/open.c:1088
 do_open fs/namei.c:3774 [inline]
 path_openat+0x2c84/0x3590 fs/namei.c:3933
 do_filp_open+0x235/0x490 fs/namei.c:3960
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_openat fs/open.c:1446 [inline]
 __se_sys_openat fs/open.c:1441 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1441
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd3857a39a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffe8d2a4200 EFLAGS: 00000246
 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffe8d2a4418 RCX: 00007fd3857a39a4
RDX: 0000000000000000 RSI: 00007ffe8d2a4f1f RDI: 00000000ffffff9c
RBP: 00007ffe8d2a4f1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe8d2a4430 R14: 000055e8a01fe670 R15: 00007fd385964a80
 </TASK>

Allocated by task 5847:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 em28xx_v4l2_init+0xfd/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2534
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 5847:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x1a0/0x440 mm/slub.c:4727
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2120 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x16d7/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2903
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88807b518000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1848 bytes inside of
 freed 8192-byte region [ffff88807b518000, ffff88807b51a000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b518
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ed4601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5215, tgid 5215 (S10udev), ts 18152164561, free_ts 15742652998
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1541
 prep_new_page mm/page_alloc.c:1549 [inline]
 get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3459
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4735
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 alloc_slab_page+0x6a/0x140 mm/slub.c:2412
 allocate_slab+0x5a/0x2f0 mm/slub.c:2578
 new_slab mm/slub.c:2631 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
 __slab_alloc+0x58/0xa0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __kmalloc_cache_noprof+0x1d5/0x2c0 mm/slub.c:4290
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
 tomoyo_init_log+0x11cd/0x2050 security/tomoyo/audit.c:264
 tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
 tomoyo_bprm_check_security+0x114/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x86/0x250 security/security.c:1297
 search_binary_handler fs/exec.c:1740 [inline]
 exec_binprm fs/exec.c:1794 [inline]
 bprm_execve+0xa56/0x1770 fs/exec.c:1845
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1112 [inline]
 free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2642
 free_contig_range+0x152/0x550 mm/page_alloc.c:6750
 destroy_args+0x92/0x910 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x248/0x880 init/main.c:1269
 do_initcall_level+0x157/0x210 init/main.c:1331
 do_initcalls+0x3f/0x80 init/main.c:1347
 kernel_init_freeable+0x435/0x5d0 init/main.c:1580
 kernel_init+0x1d/0x2b0 init/main.c:1469
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88807b518600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b518680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807b518700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88807b518780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b518800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================