Extracting prog: 2m39.74884253s
Minimizing prog: 2h50m54.587182294s
Simplifying prog options: 0s
Extracting C: 52.017017931s
Simplifying C: 27m21.630819534s


extracting reproducer from 37 programs
testing a last program of every proc
single: executing 7 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-openat$rdma_cm-getsockopt$llc_int-setxattr-openat$sndtimer-write$RDMA_USER_CM_CMD_CREATE_ID-write$RDMA_USER_CM_CMD_RESOLVE_IP
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
syz_usb_control_io$uac2(r0, 0x0, 0x0)
r4 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0)
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
setxattr(&(0x7f0000000280)='./cgroup.net/devices.allow\x00', &(0x7f0000000300)=@random={'osx.', '\x00'}, &(0x7f0000000340)='/dev/infiniband/rdma_cm\x00', 0x18, 0x0)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)
write$RDMA_USER_CM_CMD_CREATE_ID(r4, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000040)={<r5=>0xffffffffffffffff}, 0x111}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r4, &(0x7f0000000200)={0x3, 0x40, 0xfa02, {{0x6000000, 0x0, 0x0, @loopback}, {0xa, 0xfffd, 0xfffffffd, @remote}, r5, 0xfffffffc}}, 0x48)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
single: successfully extracted reproducer
found reproducer with 18 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-openat$rdma_cm-getsockopt$llc_int-setxattr-openat$sndtimer-write$RDMA_USER_CM_CMD_CREATE_ID
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
syz_usb_control_io$uac2(r0, 0x0, 0x0)
r4 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0)
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
setxattr(&(0x7f0000000280)='./cgroup.net/devices.allow\x00', &(0x7f0000000300)=@random={'osx.', '\x00'}, &(0x7f0000000340)='/dev/infiniband/rdma_cm\x00', 0x18, 0x0)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)
write$RDMA_USER_CM_CMD_CREATE_ID(r4, &(0x7f0000000100)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000040), 0x111}}, 0x20)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-openat$rdma_cm-getsockopt$llc_int-setxattr-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
syz_usb_control_io$uac2(r0, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0)
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
setxattr(&(0x7f0000000280)='./cgroup.net/devices.allow\x00', &(0x7f0000000300)=@random={'osx.', '\x00'}, &(0x7f0000000340)='/dev/infiniband/rdma_cm\x00', 0x18, 0x0)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-openat$rdma_cm-getsockopt$llc_int-setxattr
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
syz_usb_control_io$uac2(r0, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0)
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
setxattr(&(0x7f0000000280)='./cgroup.net/devices.allow\x00', &(0x7f0000000300)=@random={'osx.', '\x00'}, &(0x7f0000000340)='/dev/infiniband/rdma_cm\x00', 0x18, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-openat$rdma_cm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
syz_usb_control_io$uac2(r0, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0)
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: KASAN: null-ptr-deref Write in v4l2_prio_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-openat$rdma_cm-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
syz_usb_control_io$uac2(r0, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000540), 0x2, 0x0)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-syz_usb_control_io$uac2-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
syz_usb_control_io$uac2(r0, 0x0, 0x0)
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: WARNING: kobject bug in v4l2_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-openat$comedi-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r3, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-fanotify_mark-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = fanotify_init(0xf00, 0x1000)
fanotify_mark(r2, 0x105, 0x50000828, r1, 0x0)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(0xffffffffffffffff, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
fanotify_init(0xf00, 0x1000)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r2, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-mknodat-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
r1 = openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
mknodat(r1, &(0x7f0000000080)='./file0\x00', 0x8614, 0x9)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r2, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(0xffffffffffffffff, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r0, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, &(0x7f0000000040))
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, 0x0, 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, 0x0, 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, 0x0, 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)=ANY=[@ANYBLOB="a9eeccc5000044"], 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, 0x0, &(0x7f0000000140))
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), 0x0)
openat$sndtimer(0xffffffffffffff9c, &(0x7f00000001c0), 0x349000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: KASAN: use-after-free Read in v4l2_fh_open
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: KASAN: null-ptr-deref Write in v4l2_prio_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: KASAN: null-ptr-deref Write in v4l2_prio_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x349000)

program did not crash
validation run: crashed=false
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io-prctl$PR_SET_SYSCALL_USER_DISPATCH_ON-syslog-openat$dir-fanotify_init-openat-openat$comedi-syz_usb_control_io$cdc_ecm-getsockopt$llc_int-openat$sndtimer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x1, 0x401, 0x0)
syslog(0x0, 0x0, 0x0)
openat$dir(0xffffffffffffff9c, &(0x7f00000002c0)='./cgroup.net/devices.allow\x00', 0x80000, 0x0)
fanotify_init(0xf00, 0x1000)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000180)='./cgroup.net/devices.allow\x00', 0x189002, 0x40)
openat$comedi(0xffffffffffffff9c, &(0x7f0000000000)='/dev/comedi1\x00', 0xe2680, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, 0x0, 0x0, 0x0})
getsockopt$llc_int(r1, 0x10c, 0x3, &(0x7f00000000c0), &(0x7f0000000140)=0x4)
openat$sndtimer(0xffffffffffffff9c, 0x0, 0x349000)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
validation run: crashed=true
reproducing took 3h41m19.787718746s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: use-after-free in v4l2_fh_open+0xab/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff888038fe08b0 by task v4l_id/7242

CPU: 0 UID: 0 PID: 7242 Comm: v4l_id Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xab/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
 em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
 v4l2_open+0x1c2/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
 chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
 do_dentry_open+0x83d/0x13e0 fs/open.c:949
 vfs_open+0x3b/0x350 fs/open.c:1081
 do_open fs/namei.c:4677 [inline]
 path_openat+0x2e43/0x38a0 fs/namei.c:4836
 do_file_open+0x23e/0x4a0 fs/namei.c:4865
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f22cab4e407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fff6e7c13a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f22caa60880 RCX: 00007f22cab4e407
RDX: 0000000000000000 RSI: 00007fff6e7c1f1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fff6e7c15f0 R14: 00007f22cb2e4000 R15: 000055c2bc6eb4d8
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888038fe0680 pfn:0x38fe0
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea0000d4b508 ffff8880b8842b80 0000000000000000
raw: ffff888038fe0680 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_ZERO|__GFP_COMP), pid 6092, tgid 6092 (kworker/0:5), ts 514883030129, free_ts 515266771282
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2490
 ___kmalloc_large_node+0x4e/0x150 mm/slub.c:5201
 __kmalloc_large_noprof+0x1a/0x90 mm/slub.c:5222
 kmalloc_noprof include/linux/slab.h:947 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0xe7/0x2f00 drivers/media/usb/em28xx/em28xx-video.c:2532
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 6092 tgid 6092 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xfe3/0x1170 mm/page_alloc.c:2978
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x16c8/0x2f00 drivers/media/usb/em28xx/em28xx-video.c:2901
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888038fe0780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888038fe0800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888038fe0880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff888038fe0900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888038fe0980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: use-after-free in v4l2_fh_open+0xab/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff888038fe08b0 by task v4l_id/7242

CPU: 0 UID: 0 PID: 7242 Comm: v4l_id Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xab/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
 em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
 v4l2_open+0x1c2/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
 chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
 do_dentry_open+0x83d/0x13e0 fs/open.c:949
 vfs_open+0x3b/0x350 fs/open.c:1081
 do_open fs/namei.c:4677 [inline]
 path_openat+0x2e43/0x38a0 fs/namei.c:4836
 do_file_open+0x23e/0x4a0 fs/namei.c:4865
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f22cab4e407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fff6e7c13a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f22caa60880 RCX: 00007f22cab4e407
RDX: 0000000000000000 RSI: 00007fff6e7c1f1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fff6e7c15f0 R14: 00007f22cb2e4000 R15: 000055c2bc6eb4d8
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888038fe0680 pfn:0x38fe0
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea0000d4b508 ffff8880b8842b80 0000000000000000
raw: ffff888038fe0680 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_ZERO|__GFP_COMP), pid 6092, tgid 6092 (kworker/0:5), ts 514883030129, free_ts 515266771282
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2490
 ___kmalloc_large_node+0x4e/0x150 mm/slub.c:5201
 __kmalloc_large_noprof+0x1a/0x90 mm/slub.c:5222
 kmalloc_noprof include/linux/slab.h:947 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0xe7/0x2f00 drivers/media/usb/em28xx/em28xx-video.c:2532
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 6092 tgid 6092 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xfe3/0x1170 mm/page_alloc.c:2978
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x16c8/0x2f00 drivers/media/usb/em28xx/em28xx-video.c:2901
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888038fe0780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888038fe0800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888038fe0880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff888038fe0900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888038fe0980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================