Extracting prog: 5m34.490462628s Minimizing prog: 39m26.944962268s Simplifying prog options: 0s Extracting C: 53.5135781s Simplifying C: 9m37.563798959s extracting reproducer from 30 programs testing a last program of every proc single: executing 5 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$inet6_tcp_int-connect$inet6-setsockopt$inet6_tcp_TCP_ULP-socket$pptp-syz_io_uring_setup-openat$userio-prlimit64-sched_setscheduler-getpid-bpf$BPF_PROG_TEST_RUN-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-sendmmsg$unix-sched_setaffinity-recvmmsg-syz_genetlink_get_family_id$tipc2-syz_io_uring_submit-bpf$MAP_CREATE-setsockopt$inet6_tcp_TCP_REPAIR_WINDOW-setsockopt$inet6_tcp_TLS_TX-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-close_range detailed listing: executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000000)=0x100000001, 0x4) connect$inet6(r0, &(0x7f0000000200)={0xa, 0x4e20, 0xeb, @remote, 0x4}, 0x1c) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000580), 0x3) socket$pptp(0x18, 0x1, 0x2) syz_io_uring_setup(0xa3, &(0x7f0000000300)={0x0, 0xf179, 0x100, 0x1, 0x133}, &(0x7f00000001c0)=0x0, 0x0, 0x0) openat$userio(0xffffffffffffff9c, &(0x7f0000000080), 0x22242, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r2 = getpid() bpf$BPF_PROG_TEST_RUN(0xa, 0x0, 0x0) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) sched_setscheduler(r2, 0x2, &(0x7f0000000200)=0x6) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r4, &(0x7f0000000000), 0x400000000000041, 0x0) sched_setaffinity(r2, 0x8, &(0x7f0000000240)=0x2) recvmmsg(r3, &(0x7f0000000040), 0x80002c1, 0x2, 0x0) syz_genetlink_get_family_id$tipc2(&(0x7f0000000040), 0xffffffffffffffff) syz_io_uring_submit(r1, 0x0, 0x0, &(0x7f0000000000)) bpf$MAP_CREATE(0x0, &(0x7f0000000ac0)=ANY=[@ANYBLOB="0600000004000000101000008900000000000000", @ANYRES32, @ANYBLOB='\"\x00'/20, @ANYRES32=0x0, @ANYBLOB='\x00'/25], 0x50) setsockopt$inet6_tcp_TCP_REPAIR_WINDOW(r0, 0x6, 0x1d, &(0x7f0000000040)={0x0, 0x9, 0x7a8, 0x6}, 0x14) setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x2, &(0x7f00000000c0)=@gcm_128={{0x303}, '\r\x00', "8a36c47a9c625dfaf08ace81c500", "f8ffffff", "362d3017f069109d"}, 0x28) r5 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f00000000c0)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0026}]}) close_range(r5, 0xffffffffffffffff, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$PROG_LOAD-ioctl$sock_SIOCGIFINDEX-recvmmsg-futex-syz_init_net_socket$bt_l2cap-bind$bt_l2cap-listen-accept4$bt_l2cap-syz_emit_vhci-futex-futex-socket$inet_udp detailed listing: executing program 0: r0 = bpf$PROG_LOAD(0x5, 0x0, 0x0) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f00000005c0)={'ip6gretap0\x00'}) recvmmsg(0xffffffffffffffff, &(0x7f00000000c0), 0x10106, 0x2, 0x0) futex(&(0x7f000000cffc), 0xb, 0x0, 0x0, &(0x7f0000048000)=0x1, 0x0) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r1, &(0x7f0000000000)={0x1f, 0xf000, @any, 0x9, 0x1}, 0xe) listen(r0, 0x101) accept4$bt_l2cap(r1, &(0x7f0000000200), 0x0, 0x800) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e130100c900", @ANYBLOB=' '], 0x16) futex(&(0x7f000000cffc), 0xb, 0x0, 0x0, 0x0, 0x0) futex(0x0, 0xc, 0x1, 0x0, 0x0, 0x0) socket$inet_udp(0x2, 0x2, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-sched_setscheduler-socket$nl_generic-sendmsg$nl_generic-setrlimit-socket$inet_tcp-bind$inet-connect$inet-mprotect-mq_open-prlimit64-sendmsg$nl_xfrm-socket$inet6_udp-ioctl$sock_ipv6_tunnel_SIOCCHGTUNNEL-ioctl$sock_ipv6_tunnel_SIOCGETTUNNEL-bpf$PROG_LOAD-sched_setscheduler-sched_setaffinity-prctl$PR_SCHED_CORE-syz_open_dev$MSR-socket$inet6_udplite-sendmsg detailed listing: executing program 0: prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x7) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) (async) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbee2, 0x8031, 0xffffffffffffffff, 0x0) (async) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0x4e21}, 0x6e) (async) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sched_setscheduler(0x0, 0x6, &(0x7f0000000000)=0x6) (async) r3 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="300000003e0007012bbd700000000000027c00000400fc800f0001806d14314965356ee88b"], 0x30}, 0x1, 0x0, 0x0, 0xc000}, 0xc040) (async) setrlimit(0x8, &(0x7f00000000c0)={0x1b4c9d73, 0x52adc44c}) r4 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r4, &(0x7f0000000200)={0x2, 0x4e20, @empty}, 0x10) connect$inet(r4, &(0x7f0000000000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x18}}, 0x10) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) (async) mq_open(&(0x7f000084dff0)='rmdF\x17\x16\xbc\xec', 0x6e93ebbbcc0884f2, 0x0, 0x0) (async) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) (async) sendmsg$nl_xfrm(0xffffffffffffffff, 0x0, 0x0) (async) r5 = socket$inet6_udp(0xa, 0x2, 0x0) (async) ioctl$sock_ipv6_tunnel_SIOCCHGTUNNEL(0xffffffffffffffff, 0x89f3, &(0x7f0000000100)={'syztnl1\x00', &(0x7f0000000080)={'ip6_vti0\x00', 0x0, 0x2f, 0x9, 0x0, 0xe, 0x0, @private0, @ipv4={'\x00', '\xff\xff', @remote}, 0x80, 0x20, 0x3, 0xfffff414}}) ioctl$sock_ipv6_tunnel_SIOCGETTUNNEL(r5, 0x89f0, &(0x7f0000000500)={'ip6tnl0\x00', &(0x7f0000000480)={'ip6_vti0\x00', r6, 0x4, 0x7, 0x61, 0x0, 0xc, @private0={0xfc, 0x0, '\x00', 0x1}, @mcast2, 0x20, 0x8060, 0xe7}}) (async) bpf$PROG_LOAD(0x5, 0x0, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f0000000180)=0x4) (async) sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2) (async, rerun: 32) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) (async, rerun: 32) syz_open_dev$MSR(&(0x7f0000000040), 0x0, 0x0) (async) r8 = socket$inet6_udplite(0xa, 0x2, 0x88) sendmsg(r8, &(0x7f0000003400)={&(0x7f0000000540)=@ll={0x11, 0xf8, r7, 0x1, 0x5, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x1a}}, 0x80, &(0x7f0000003380)=[{&(0x7f0000000300)="c4b67545c34cb383723d5a5b6ff528c9ff4b7a358dcfff0f000000000000eb7999cb21479a488e1cb5bb353c13635325207d881d039e8147fd0bcad359ce7bc795434f08d199f35aa5772f27a42324b270970ae724eee99f160f259e21fc9d326d18f45ad78b2e533d589446699a7d514523ba3bf2a19188f78cf80c057ada8ca1b486bd1d930245e91f2007444ff2c6c2c1c638382bca78113c4275b5665cc900b9a7e679793704dcf1157b8db1da63780273b4909c908d7e298829ae5ae1a343f6c2972ecfe4487193247c9da9997d09e92e55fb15f3df3fdd605702d4d6af3804657cc21f", 0xe6}, {&(0x7f0000000840)="1f6f742f09c59a5ac2dd775e3b3ec1d355162731908c4dc70cef", 0x1a}, {&(0x7f0000000880)="8917ae", 0x3}, {0x0}, {&(0x7f0000002300)="65b09b936a9358cd966c356a3615496f1ff94b46d5a45f3ba975fd4f8051b617a3dc88cea06eafd8ac9399e196799f27f3dcaacad30e10f1a5b8076ca0573be65ce8224e3b23b8f4837d62e367adca2a64153f538628f1e22d39bf65540ed4ac3bf9fc5cb6a6733f53bfbe101f70c1d2f00c925b6b46f4fb6e198ae4e966f47729a690a8dac26005943072fc4e352c3d70ba603790411a713216d8c169e9009c9949a5cd4ad365c48765ba4db6fb0d7135de9b4a8b2bed55a9e194fe37ead7b284c6539f826930787511c6fc721dfbef1d427ceccce5c4e0d1ad7d1c18d4d975c1ed3402ecd81403d1e9ebaa209fae8bcf850e7bd2264abb263ee836f93019cd2136f6c18ca243f12fda81588ffb41013130e3804385cd073b3def89194325dfb48bb8130bca7a712bc33c6b06cbeec3dc7cb3313987dfd993fd1f3e575b987460488e1d139a6b1f0fb0037014c8640e4a2ed7f62bf7b2bfac08d63281a81ee4d35e829c110370743f1cfc77f8c933f9a6e4dab8318b58638bccc9d59d41186fafd1e8e17a584aab5b30cadbca8652e404d61b8b4549fc0db1ede315b75d289cfcfea11bbf5ad91d58bcf1c617f65bb8afbb81cec6bf2c1e4a3b9f8e090888675596c1bd94f56cf3afa03c39545cd57fa577595cdce9114cc052fe4cc8ec05a47d10fc95795241f52e65b31d80118663c07d57399c233dafa7daa6712f5f13718b372bb30ca6914fcea0da99fa85789120ec67a56331350c40baa6092369b858987ad72c24ea04ff2e27541f2a46dddd6144740e3d1692630d7a2eeb3d7916bb4131bb8196503a0eb111865ba03c27a7e7f8a9de57507b78b177a15e52f756cabfe6c2418983c4482ce2730c47ca173dde1ea45840703e19ea3c6b7cc9afe1d6d62eb37b27e06405f624ae5f4f3d690b4b5a9cbcef8b49ef63639c6b33056daecc272556aefd3d808b14d14ac281878cb13c512843b03c0656182146d5eca296b1ac1737743afe7fdd094cbefecadb7974e7f12c0489f1da0c3a8526a048d3ff26361f331f3cefa57d324e4c81f429765ede478cd693c4740c06261c0781ae20ad664ba10d01e7c51561275d6d3cd0484f2781b6defafb3a31639f1283d138fc58738ce90f94aaab1d07b618271f58d59a1467a412e9cad5adac446df304bb9fcb964760e75119634cf8244e8aeb05e54050ad8da7e10b614d9a487f8cba0a49dedeb936809a42aa5233cf305a94f988faa26705c6568b00851b6b8c506da9ccc99632b022bae26add26a87148b773bd52895fed0207baf702156306bbe8b1c954d977af565baa599f67d4b0339714b7dda31e504e61bdea89614652f3e0655beb34d8632cb4257b22538f190f08e5487b8c6548c3cc9d894ca6deea0016398b4a5dc86c844f354c0bd7154facf22cd8d641c1657d1c4aa092614805aaaa91267500f906e7afb11c30fecd3e1262395ddb2f3411613a203200b4ef3065f6a426de10e416ab4bedaadb6d9cf36e5951de73b1d068d320e16afd1c537e042cc3d5e596aae1f753dff83b61cac47e79687c1d23cfe4842400c13ef36a54ad9d5d911c6b03ba333830da0227334205044c2a3545841c67b5a68264f83df39912ec9202d2cf8befcb56ba28d93b96d32d4b0b113da56fc7b51eefe40b11e5eb5e72b5ef0d0af63d3d156b0888710343e29098c2feb8ce00d1d35cd040c526a88962d49d9fe5a7d412a9e9ccfc6d8e1c0b1e4379908c18d46ace0fb88dd059c9f0debb772e078c2927d194aefa062e27692185e5e619b8f7ce3e99b0a842485519a1f9fffb987063bb9cd5b463ac0a8632374262c6283db723b508345144a22ab5f9eb09f266a94b5fbafd3b4d72eefb416f180dd03de9a09d26fae561933d3c4158771493e5efa5c2c65f9d4b68d5732ea321b42d238175bbc7ebff627dd2452c9a15e368c5dce56cea16236650d8907ee5acb89e22e2b42f73613ea13ab7143d00a49ec12f93b01160c38a1b116412f2e887a76a77e174baa104666c472f9a8ecc16a1599e8cc0e1196ae8095a9cd1f043b3059d9ab1d7499e62055008fdbd4d2b6e777b343869427b258fa07120baa2125c7705a5acfe5f122f043889befcc6d7e7d9ab41afd3b6d4ab3661fe18103cae3045d61c0a93e31ed4aa1101c116d833765f5c966f13a227de00845875e06ad17e9d1e4ce6d120a52536fbb5a0ebec8d22763a2954f2dc9fd85bc46b54ab0ffd75786f3b2975e9e906a41a37720535ccba76d63dc138d5ea31d1fab1402f691a2fb8d5f9620bef6358c0e651138004541822ae340a3126d8f8eacca090347e8a754417792617059eebca1397b6ce34a4c4bd9db5ce2ea1da4fceda95a810651c74566e2903b3927c5edfde9a1591d6c7ce1e514b6f3553b3dc653030c5a8020be93a703d23b1c1a2575e525d07392e81601f0957ceea0824a08a39930d01097861b4fb989cee0fc5e01ecc940b33a734152f46909477551a3a0940ce5ceb47d1e9257f1b0864f2a6b9b74846e97683f19e3e50cd5947a94f275d1c1444a4a671f574172b9640e6fef81fc6ab01ff423f6f1d83c620f87b0a7221a48ad2ab092f07b30353febfc0ec58652c1d354589cb74a480fb6550477e9801ab495edc27bbb1a18f8f358f776e9ad91342075ad0631a2a50465c1da7c518bc6df0d845b747b6df4bebeb2ee72f0c4a2e6fca452e6a9468abc0c586d103da383d0192f73e4db295fa86556b549cbfb06217d2ea69dd30073b5dcec579f11aaa48b30d4435f87bfb41d3c02bfc3fb23ee30275f24218ee51ff4d238f9bd7c5bdae2aee851fdb3aff41ec0bfd5d696242c4f0a84b02ae1622e48e49ae4ed34ffb2f31a7fd1b2edb7fa728054f185980a6506f69ebb85e7242c40bdce97d5d8fc311e418daba36f63bd802a4a3e60c55786619d292d015e870a85094d9bc0c8e9990e665a3119fb774c22fc4800bab0faaab62869883f109b2f4b227b5946c22b963442e71f3ba104bc08a8f496f1c28a9026d5f360f9d1b0d37fea2d7b7556e1e328922722b4e00387636177dc3cdfb14720ddbc4d2dabef109a0dec8cebf8ad1b5821ada42a3e303a3d436af6fd7a8f56fb007c8c3f8c388d2bcbe2b55866db962a2473b04989505009e68be28d2b200fb5b3312984d1a292f4c04e703f5297edf7337f47cb85c06cb2664292e86a2d95465f9222ae498d7b50f1aadd7ad383dd86d010d677704844ce742db2badb22d9545c27dc5e94c2dcb165d5802f5bfb1d716186bf6a198e380e7bc9d8cd5bbe120191e465c1a550092a6ecadc786978e0b741bdb0a31cae308453ea39e9c2b5a2d9c190cd827cefd0457a71a9a46b54f79074dce696c1788cefd16195b4e236a004dbbb16391f9601819d23998977a44be461206a704113238ce3f89d6af7434c9348865b19b6c83fe962f938835efa09e44b8e5f4d98dc144075f9eb42624b7eeebc7a4a6b74763ff09257e2d07d8543ece8c2e8374995218084b3599ef6081fc69fc189e1ec3e64b5dbb1083408f1ff1d4a0eb594f2d65151b7beb160f3f57eea9b8665f102008c791ac362d09bfdfdbe75c3770dc7a935d0a7a6f4a965d9a55aa576bea987f3fe11bacbccc4557fbe1a389f77541e58e008c415a98b534a2b44c085b83e5f39831a377587552926a0c0e9e3e22961a97ec9ea34a1629c95b7fb3c01e8a2154ae7251f38c77ee985b8cd49a343ab3a775250aa6bf731bed05bee2f2062cdcafdb94aae69476eb11344f192775e859cdd162bdbcb845ed0fe05e91d8e21c9075ba82cda7fb966448051b2fd89a04680f2eb3c3173a3e97e09a0225dd3bd6fd8c82746bbcf40ad7e088fb1d5cbb5fb60207ee8e52959b56b1dbc19e059bcb9e82d051bbdf028b080e930a1fdb28679f573a1c63db7edd7f54022dcc9873c518403605f3e349aaa1e1f5da0884fb0a4214c3ddfe411c0dd5fe2f8fe2b0202f34654d4f1c36d0f5b750c03d9ce55c04809e80dd4adad58f7e46535715b522458f6b14da0473444fc1341315ec418513e0ebbfbf96cda5df172be7cf0531c823bb6dcfa6064c7bf74f67a1c881c128958ea5a196b52c1e3a2a1c2ea14e51601e87e0728c8362a9b532ccc41cd64ee9a7c5c02fc35048736931cc314d6e6083903d5a5f784f6a843edc7c1b547a6de314e6747dffc0704598c2bf76a2343cb0c1d26614865addb181f4e65aa150f446a8ed865a7f8b8518422d42e1d6b6cebf4d58171a21c0c8eb2c159b7021d3a5aca0ddd1ba9f9044b6b2ff3dd8c893848dc3d32356d14cf763b4cc1ff346e5b18c4c52da853d65929870ce58d0e0a2ac2ab252a513cd027c6e24e62a3dfd1b103494c8877d559b52cfbf56384c2a3ab4847bc766eadd995a5d161e9e3727f8010f7172f5813056ef8a548e1922bccd52a09633e8b3506bccfaae9ef606cf2b3ca2a59d4ecada2176961155e9bc4b20ecacc014ce87bc4371f9649125fdd12a46c7a10315e1fecdddfb5fe9d480112531d2ce9b5df1d33aa9bdc5fc9bd940ecac821aaad446fe1c9981ae0838fcce1498f7046995e6cff24de833311e4b4a3c69776468488c1e2d1a51cd6ef9a53c9456202357c91a05661ffc03536291fafd2cb7191a2a7ad8de780ed93bf5f901fab6c13c15975488468cdb1afb045808a02d88f5d302d619e88736fa946722192421888ad9d44ef1fa599d70515753ed3c5d0be1b45993a2209817c5d6c1ebdc02b7dcd31699d838359eddd8cee9436b05631b23d201834db91838dd6b20cb04bf6bc628b2a8fb7514a0992b3584f42a41c85ce2aaf7c6b19188dad0adce86e87f4b6cd60aea9ee710f16c4d61152758317df12c5e95abd296180177abe47d13874c8b560d18f0e572122cbc94fcea6c52aa45b3ba5a1c88a1df88d5f0e36adf72b5cf3d87797b4d4a9791d015a9017d903c2e85aa0a2c9cfc1187124f5fbf9a9c9c87fe45dbd50f81d7cf849933167c8b7efee5e3878c6b4dd9892dd085b0005a81bcf4737aa2c94262b7eb56564a746edecba8b1939614f98c249eda71a68c4451ef5b5ce88830f79a082ae1ee09730d6bc976103354d976129ccab2322d0abcfcab64f9cf7b546a0bc42c6046e3bf81af57baa4d138697deb50dc15a7b1d6f09327ef4729d2d0451ccd05fd5e67b1b64cb8190237e66007ac106883056496d76b7bae88bdc4c92e00acc0faebcca1f9b3e0355d873f3939e0b1c286ae3f620db6f8b8934872452df42f1f15e20c751497befe4c8e4846d5fc67bbd6b6b9b7bff340789c6daa88549b8e27ccf7b2961c145a6d8c52539dc3e1a9e7bad1f5226a3cfd435332c66f0df57519374d30eae0633e8b1326daa3ec7c36b8591a443bad5d4c9943d55bc6140b9e85c9a9c59dacdd9b66c9ba78bf63c311bf2352255e0d65e3343e97638862e1c055bc26bbe3f5bbb558a3e806b64a49677624862b9dc92e8e213f2b38baf97216ef2d432d2b367316c58e73a859cc78e400225a47dd7543ec6d51f8597ff558064ce16daf52047888faf11d43bb577b17626c1f788bd23ed691ee5028e1baa41c61bfd7f3a1f4e34d30081c5fe46146c58282e6c7ce58d686f7ce36bf74d817b880acc91a45c528dacbba16962c5e65d19a40e0e7cbe1dbbf70a747035ce66f279d3fcae1fa801bd6eb70621f3c102f6c3cf552df32e288ea64572a39648e2f2f0bfde129279f5b695bd8ff045d880f6d20feb461b8376cba4ba3030c4db51939cab4438697e5f31007f45f5dfca69ce08e68348838527c1a23e045", 0x1000}, {&(0x7f0000003300)}, {&(0x7f0000003340)}], 0x7}, 0x2010) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-socket$xdp-syz_usb_connect-setsockopt$XDP_UMEM_REG-setsockopt$XDP_TX_RING-openat$sndseq-ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL-socket$tipc-setsockopt$XDP_UMEM_COMPLETION_RING-ioctl$sock_SIOCGIFINDEX-setsockopt$XDP_UMEM_FILL_RING-bind$xdp-sendmsg$nl_generic detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = socket$xdp(0x2c, 0x3, 0x0) syz_usb_connect(0x2, 0x36, &(0x7f0000000080)=ANY=[@ANYBLOB="1201000025245c407c2c9101050f00000001090224000100008000090454fd02ffffff00090507ffff0481400609058703"], 0x0) setsockopt$XDP_UMEM_REG(r1, 0x11b, 0x4, &(0x7f0000000080)={&(0x7f0000000000)=""/5, 0x214000, 0x800, 0x0, 0x3}, 0x20) setsockopt$XDP_TX_RING(r1, 0x11b, 0x3, &(0x7f0000000180)=0x800, 0x4) (async, rerun: 32) r2 = openat$sndseq(0xffffffffffffff9c, &(0x7f00000001c0), 0x128c2) (rerun: 32) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r2, 0x4058534c, &(0x7f0000000200)={0x0, 0x1, 0x8, 0x1, 0x101, 0xa}) (async, rerun: 32) r3 = socket$tipc(0x1e, 0x2, 0x0) (rerun: 32) setsockopt$XDP_UMEM_COMPLETION_RING(r1, 0x11b, 0x6, &(0x7f0000000040)=0x20000, 0x4) (async) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000400)={'dummy0\x00', 0x0}) setsockopt$XDP_UMEM_FILL_RING(r1, 0x11b, 0x5, &(0x7f0000000140)=0x4000, 0x4) (async) bind$xdp(r1, &(0x7f0000000100)={0x2c, 0x0, r4}, 0x10) (async) sendmsg$nl_generic(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)=ANY=[@ANYBLOB="140000001580384ed02ff14d2957eafb47140000b4c8154f4387b311a867040f82f4798a64db116f8287f3ab80af5510bbd63c6085038ec6"], 0x14}}, 0x0) program did not crash testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ecm-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ncm-ioctl$KVM_CREATE_IRQCHIP-ioctl$KVM_SET_TSC_KHZ_cpu detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r7 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r7, 0x0, 0x0) syz_usb_control_io(r7, 0x0, 0x0) syz_usb_control_io$rtl8150(r7, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r7, 0x0, 0x0) syz_usb_control_io$rtl8150(r7, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r7, 0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(r6, 0xae60) ioctl$KVM_SET_TSC_KHZ_cpu(0xffffffffffffffff, 0xaea2, 0x1) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init single: successfully extracted reproducer found reproducer with 25 syscalls minimizing guilty program testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ecm-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ncm-ioctl$KVM_CREATE_IRQCHIP detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r7 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r7, 0x0, 0x0) syz_usb_control_io(r7, 0x0, 0x0) syz_usb_control_io$rtl8150(r7, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r7, 0x0, 0x0) syz_usb_control_io$rtl8150(r7, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r7, 0x0, 0x0) ioctl$KVM_CREATE_IRQCHIP(r6, 0xae60) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ecm-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ncm detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r6 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io$rtl8150(r6, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r6, 0x0, 0x0) syz_usb_control_io$rtl8150(r6, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r6, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ecm-syz_usb_control_io$rtl8150 detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r6 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io$rtl8150(r6, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r6, 0x0, 0x0) syz_usb_control_io$rtl8150(r6, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$rtl8150-syz_usb_control_io$cdc_ecm detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r6 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io$rtl8150(r6, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r6, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$rtl8150 detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r6 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io$rtl8150(r6, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io-syz_usb_control_io detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r6 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r6, 0x0, 0x0) syz_usb_control_io(r6, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect-syz_usb_control_io detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r6 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) syz_usb_control_io(r6, 0x0, 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-ioctl$KVM_CREATE_VM detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) program did not crash testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-openat$kvm-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program did not crash testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-ioctl$SIOCGSTAMP-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) ioctl$SIOCGSTAMP(r1, 0x8906, 0x0) ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program did not crash testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-ioctl$KVM_RUN-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) ioctl$KVM_RUN(r4, 0xae80, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-ioctl$KVM_SET_NESTED_STATE-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) ioctl$KVM_SET_NESTED_STATE(r4, 0x4080aebf, &(0x7f0000005700)=@vmx={0x0, 0x0, 0x2080}) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-sendmmsg$inet-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) sendmmsg$inet(0xffffffffffffffff, 0x0, 0x0, 0x4) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-syz_kvm_setup_cpu$x86-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text32={0x20, &(0x7f0000000100)="660f388173ab0fc76fb4360fc9bb25cc00007666ba6bb74189000003c70fae6e2fc0c00f0f2367260f01ca660f38817700c4c2459d78ad", 0x37}], 0x1, 0x51, 0x0, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-ioctl$KVM_CREATE_VCPU-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x2) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-ioctl$KVM_SET_USER_MEMORY_REGION-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil}) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_STOP_SCHED_SCAN-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) sendmsg$NL80211_CMD_STOP_SCHED_SCAN(r1, &(0x7f0000002540)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8001}, 0x80) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-syz_genetlink_get_family_id$nl80211-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000002440), 0xffffffffffffffff) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-socket$nl_generic-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) socket$nl_generic(0x10, 0x3, 0x10) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_generic-openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: socket$nl_generic(0x10, 0x3, 0x10) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, 0x0, 0x0) program did not crash testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB], 0x0) program did not crash extracting C reproducer testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init simplifying C reproducer testing compiled C program (duration=46.297825812s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program did not crash testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program did not crash testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program did not crash testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing compiled C program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init validation run: crashed=true testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init validation run: crashed=true testing program (duration=46.297825812s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$kvm-ioctl$KVM_CREATE_VM-syz_usb_connect detailed listing: executing program 0: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) program crashed: KASAN: slab-use-after-free Read in v4l2_fh_init validation run: crashed=true reproducing took 59m9.628478935s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in v4l2_fh_init+0x27d/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25 Read of size 8 at addr ffff888027dbc790 by task v4l_id/6174 CPU: 0 UID: 0 PID: 6174 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595 v4l2_fh_init+0x27d/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25 v4l2_fh_open+0x64/0xa0 drivers/media/v4l2-core/v4l2-fh.c:64 em28xx_v4l2_open+0x11e/0x570 drivers/media/usb/em28xx/em28xx-video.c:2153 v4l2_open+0x1d2/0x490 drivers/media/v4l2-core/v4l2-dev.c:433 chrdev_open+0x234/0x6a0 fs/char_dev.c:411 do_dentry_open+0x6d8/0x1660 fs/open.c:949 vfs_open+0x82/0x3f0 fs/open.c:1081 do_open fs/namei.c:4677 [inline] path_openat+0x208c/0x31a0 fs/namei.c:4836 do_file_open+0x20e/0x430 fs/namei.c:4865 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x12d/0x210 fs/open.c:1383 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fea248a7407 Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: 002b:00007fff07b26210 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fea2501a880 RCX: 00007fea248a7407 RDX: 0000000000000000 RSI: 00007fff07b27f1c RDI: ffffffffffffff9c RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007fff07b26460 R14: 00007fea25181000 R15: 000055b4a17014d8 Allocated by task 6039: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:415 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] em28xx_v4l2_init.cold+0x94/0x3503 drivers/media/usb/em28xx/em28xx-video.c:2532 em28xx_init_extension+0x13a/0x200 drivers/media/usb/em28xx/em28xx-core.c:1117 request_module_async+0x61/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3457 process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276 process_scheduled_works kernel/workqueue.c:3359 [inline] worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6039: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2685 [inline] slab_free mm/slub.c:6165 [inline] kfree+0x1f6/0x6b0 mm/slub.c:6483 kref_put.isra.0+0x56/0x90 include/linux/kref.h:65 em28xx_v4l2_init.cold+0x280/0x3503 drivers/media/usb/em28xx/em28xx-video.c:2901 em28xx_init_extension+0x13a/0x200 drivers/media/usb/em28xx/em28xx-core.c:1117 request_module_async+0x61/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3457 process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276 process_scheduled_works kernel/workqueue.c:3359 [inline] worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff888027dbc000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 1936 bytes inside of freed 8192-byte region [ffff888027dbc000, ffff888027dbe000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27db8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88813fe41280 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88813fe41280 dead000000000100 dead000000000122 head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea00009f6e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5464, tgid 5464 (S40network), ts 32881035796, free_ts 32800846123 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3292 [inline] allocate_slab mm/slub.c:3481 [inline] new_slab+0xa6/0x6b0 mm/slub.c:3539 refill_objects+0x26b/0x400 mm/slub.c:7175 refill_sheaf mm/slub.c:2812 [inline] __pcs_replace_empty_main+0x1ab/0x660 mm/slub.c:4615 alloc_from_pcs mm/slub.c:4717 [inline] slab_alloc_node mm/slub.c:4851 [inline] __kmalloc_cache_noprof+0x493/0x6f0 mm/slub.c:5375 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] tomoyo_print_bprm security/tomoyo/audit.c:26 [inline] tomoyo_init_log+0xc4f/0x20c0 security/tomoyo/audit.c:264 tomoyo_supervisor+0x506/0x1340 security/tomoyo/common.c:2232 tomoyo_audit_env_log security/tomoyo/environ.c:37 [inline] tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:64 tomoyo_environ security/tomoyo/domain.c:673 [inline] tomoyo_find_next_domain+0x13d7/0x2010 security/tomoyo/domain.c:889 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline] tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92 security_bprm_check+0x87/0x1e0 security/security.c:795 search_binary_handler fs/exec.c:1654 [inline] exec_binprm fs/exec.c:1696 [inline] bprm_execve fs/exec.c:1748 [inline] bprm_execve+0x84b/0x1680 fs/exec.c:1724 do_execveat_common.isra.0+0x4a5/0x580 fs/exec.c:1846 __do_sys_execve fs/exec.c:1930 [inline] __se_sys_execve fs/exec.c:1924 [inline] __x64_sys_execve+0x93/0xd0 fs/exec.c:1924 page last free pid 5462 tgid 5462 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] __do_kmalloc_node mm/slub.c:5259 [inline] __kmalloc_noprof+0x2b9/0x850 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] tomoyo_add_entry security/tomoyo/common.c:2166 [inline] tomoyo_supervisor+0x65d/0x1340 security/tomoyo/common.c:2238 tomoyo_audit_path_log security/tomoyo/file.c:169 [inline] tomoyo_path_permission security/tomoyo/file.c:592 [inline] tomoyo_path_permission+0x270/0x3b0 security/tomoyo/file.c:577 tomoyo_check_open_permission+0x37f/0x3c0 security/tomoyo/file.c:782 tomoyo_file_open+0x6b/0x90 security/tomoyo/tomoyo.c:334 security_file_open+0xb5/0x1e0 security/security.c:2637 do_dentry_open+0x5aa/0x1660 fs/open.c:926 vfs_open+0x82/0x3f0 fs/open.c:1081 do_open fs/namei.c:4677 [inline] path_openat+0x208c/0x31a0 fs/namei.c:4836 do_file_open+0x20e/0x430 fs/namei.c:4865 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x12d/0x210 fs/open.c:1383 Memory state around the buggy address: ffff888027dbc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888027dbc700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888027dbc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888027dbc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888027dbc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in v4l2_fh_init+0x27d/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25 Read of size 8 at addr ffff888027dbc790 by task v4l_id/6174 CPU: 0 UID: 0 PID: 6174 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595 v4l2_fh_init+0x27d/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25 v4l2_fh_open+0x64/0xa0 drivers/media/v4l2-core/v4l2-fh.c:64 em28xx_v4l2_open+0x11e/0x570 drivers/media/usb/em28xx/em28xx-video.c:2153 v4l2_open+0x1d2/0x490 drivers/media/v4l2-core/v4l2-dev.c:433 chrdev_open+0x234/0x6a0 fs/char_dev.c:411 do_dentry_open+0x6d8/0x1660 fs/open.c:949 vfs_open+0x82/0x3f0 fs/open.c:1081 do_open fs/namei.c:4677 [inline] path_openat+0x208c/0x31a0 fs/namei.c:4836 do_file_open+0x20e/0x430 fs/namei.c:4865 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x12d/0x210 fs/open.c:1383 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fea248a7407 Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: 002b:00007fff07b26210 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fea2501a880 RCX: 00007fea248a7407 RDX: 0000000000000000 RSI: 00007fff07b27f1c RDI: ffffffffffffff9c RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007fff07b26460 R14: 00007fea25181000 R15: 000055b4a17014d8 Allocated by task 6039: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:415 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] em28xx_v4l2_init.cold+0x94/0x3503 drivers/media/usb/em28xx/em28xx-video.c:2532 em28xx_init_extension+0x13a/0x200 drivers/media/usb/em28xx/em28xx-core.c:1117 request_module_async+0x61/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3457 process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276 process_scheduled_works kernel/workqueue.c:3359 [inline] worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6039: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2685 [inline] slab_free mm/slub.c:6165 [inline] kfree+0x1f6/0x6b0 mm/slub.c:6483 kref_put.isra.0+0x56/0x90 include/linux/kref.h:65 em28xx_v4l2_init.cold+0x280/0x3503 drivers/media/usb/em28xx/em28xx-video.c:2901 em28xx_init_extension+0x13a/0x200 drivers/media/usb/em28xx/em28xx-core.c:1117 request_module_async+0x61/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3457 process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276 process_scheduled_works kernel/workqueue.c:3359 [inline] worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440 kthread+0x370/0x450 kernel/kthread.c:436 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff888027dbc000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 1936 bytes inside of freed 8192-byte region [ffff888027dbc000, ffff888027dbe000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27db8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88813fe41280 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88813fe41280 dead000000000100 dead000000000122 head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea00009f6e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5464, tgid 5464 (S40network), ts 32881035796, free_ts 32800846123 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889 prep_new_page mm/page_alloc.c:1897 [inline] get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250 alloc_slab_page mm/slub.c:3292 [inline] allocate_slab mm/slub.c:3481 [inline] new_slab+0xa6/0x6b0 mm/slub.c:3539 refill_objects+0x26b/0x400 mm/slub.c:7175 refill_sheaf mm/slub.c:2812 [inline] __pcs_replace_empty_main+0x1ab/0x660 mm/slub.c:4615 alloc_from_pcs mm/slub.c:4717 [inline] slab_alloc_node mm/slub.c:4851 [inline] __kmalloc_cache_noprof+0x493/0x6f0 mm/slub.c:5375 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] tomoyo_print_bprm security/tomoyo/audit.c:26 [inline] tomoyo_init_log+0xc4f/0x20c0 security/tomoyo/audit.c:264 tomoyo_supervisor+0x506/0x1340 security/tomoyo/common.c:2232 tomoyo_audit_env_log security/tomoyo/environ.c:37 [inline] tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:64 tomoyo_environ security/tomoyo/domain.c:673 [inline] tomoyo_find_next_domain+0x13d7/0x2010 security/tomoyo/domain.c:889 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline] tomoyo_bprm_check_security+0x12d/0x1d0 security/tomoyo/tomoyo.c:92 security_bprm_check+0x87/0x1e0 security/security.c:795 search_binary_handler fs/exec.c:1654 [inline] exec_binprm fs/exec.c:1696 [inline] bprm_execve fs/exec.c:1748 [inline] bprm_execve+0x84b/0x1680 fs/exec.c:1724 do_execveat_common.isra.0+0x4a5/0x580 fs/exec.c:1846 __do_sys_execve fs/exec.c:1930 [inline] __se_sys_execve fs/exec.c:1924 [inline] __x64_sys_execve+0x93/0xd0 fs/exec.c:1924 page last free pid 5462 tgid 5462 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] __do_kmalloc_node mm/slub.c:5259 [inline] __kmalloc_noprof+0x2b9/0x850 mm/slub.c:5272 kmalloc_noprof include/linux/slab.h:954 [inline] tomoyo_add_entry security/tomoyo/common.c:2166 [inline] tomoyo_supervisor+0x65d/0x1340 security/tomoyo/common.c:2238 tomoyo_audit_path_log security/tomoyo/file.c:169 [inline] tomoyo_path_permission security/tomoyo/file.c:592 [inline] tomoyo_path_permission+0x270/0x3b0 security/tomoyo/file.c:577 tomoyo_check_open_permission+0x37f/0x3c0 security/tomoyo/file.c:782 tomoyo_file_open+0x6b/0x90 security/tomoyo/tomoyo.c:334 security_file_open+0xb5/0x1e0 security/security.c:2637 do_dentry_open+0x5aa/0x1660 fs/open.c:926 vfs_open+0x82/0x3f0 fs/open.c:1081 do_open fs/namei.c:4677 [inline] path_openat+0x208c/0x31a0 fs/namei.c:4836 do_file_open+0x20e/0x430 fs/namei.c:4865 do_sys_openat2+0x10d/0x1e0 fs/open.c:1366 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x12d/0x210 fs/open.c:1383 Memory state around the buggy address: ffff888027dbc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888027dbc700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888027dbc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888027dbc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888027dbc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================