Extracting prog: 1h15m19.485912503s
Minimizing prog: 3m39.828535964s
Simplifying prog options: 0s
Extracting C: 1m35.931994764s
Simplifying C: 11m1.824896908s


30 programs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 30 programs
single: executing 5 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): pipe2$9p-write$P9_RVERSION-dup-write$FUSE_BMAP-write$FUSE_DIRENTPLUS-write$FUSE_DIRENTPLUS-syz_mount_image$fuse-mount$9p_fd-lgetxattr
detailed listing:
executing program 0:
pipe2$9p(&(0x7f0000002180)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000200)=ANY=[@ANYBLOB="1500000065ffff0180000008003950323030302e4c"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000000)={0x18}, 0x18)
write$FUSE_DIRENTPLUS(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="3801"], 0x138)
write$FUSE_DIRENTPLUS(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB=' '], 0x120)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000280), 0x0, &(0x7f0000000140)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}})
lgetxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000480)=ANY=[@ANYBLOB='user.t'], 0x0, 0x38c)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): lstat
detailed listing:
executing program 0:
lstat(&(0x7f0000000b40)='./file0/file0/file0\x00', 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mlockall-mkdirat-mount-chdir-mremap-mremap-mremap-mkdirat
detailed listing:
executing program 0:
mlockall(0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000300)='./file0\x00', &(0x7f0000000040)='mqueue\x00', 0x100001b, 0x0)
chdir(&(0x7f00000057c0)='./file0\x00')
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mremap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-write$tun-clock_gettime-prctl$PR_SCHED_CORE-sched_setaffinity-openat$hwrng-preadv-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-socket$nl_netfilter-sendmsg$NFT_BATCH-ioctl$AUTOFS_DEV_IOCTL_EXPIRE-socket$packet-ioctl$SCSI_IOCTL_SEND_COMMAND-sendmsg$nl_route_sched-sendmsg$NFT_BATCH-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-socket$nl_generic-socket$packet-ioctl$sock_SIOCGIFINDEX-socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
write$tun(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="08000000008400000900000000004500002800000000002f9078ac1e00", @ANYRESHEX, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYBLOB="07b3cf71c95581f4b30866758d12a2a21ec31f86f0868ae164baa87babe7503409c2a5f4bf679aa4f60afd32097302a3f8018d39379030cf95e9fc948d3139a6537241d999bffab7f7c47ab89cd758a66c72e85a098643a6ab899bb13a474da31bcc73260c9795ce63205bbbb7c3d9ee0b632508b0c18b147e2ad6c50ebc133338a77ae19cb0d5db9c3a101bb6937ce0a23c850346b6deb31e"], 0x36)
clock_gettime(0x0, &(0x7f00000006c0))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x3c1, 0x3, 0x328, 0x128, 0x4c, 0x1a, 0x0, 0x73, 0x258, 0x258, 0x258, 0x258, 0x258, 0x3, 0x0, {[{{@ipv6={@rand_addr=' \x01\x00', @local, [], [], 'wg2\x00', 'macvlan1\x00', {}, {}, 0x11}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@inet=@l2tp={{0x30}, {0x0, 0x0, 0x2, 0x0, 0x5}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@TCPMSS={0x28}}, {{@ipv6={@private2, @dev, [], [], 'veth1_macvtap\x00', 'veth0_macvtap\x00'}, 0x0, 0xf8, 0x130, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@icmp6={{0x28}, {0x0, "e1f6"}}]}, @common=@inet=@SET3={0x38}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x388)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000b40)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x5c, 0x16, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0xc, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x2}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x6}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}]}, @NFT_MSG_DELFLOWTABLE={0x30, 0x16, 0xa, 0x0, 0xb00, 0x0, {}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x4}]}], {0x14, 0x10}}, 0xb4}}, 0x0)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18}, './file0\x00'})
socket$packet(0x11, 0x0, 0x300)
ioctl$SCSI_IOCTL_SEND_COMMAND(0xffffffffffffffff, 0x1, &(0x7f0000000180))
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000002c0)=@newqdisc={0x24, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0x0, 0xc}}}, 0x24}}, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000140)={&(0x7f0000003340)=ANY=[@ANYBLOB="14"], 0x16e8}, 0x1, 0x0, 0x0, 0x64008005}, 0x0)
shutdown(0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x10)
socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$packet(0x11, 0x0, 0x300)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r5=>0x0})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYRES64=0x0, @ANYRES32=r5, @ANYBLOB], 0x34}}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io$cdc_ncm-syz_usb_control_io-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_control_io$uac1-syz_usb_control_io$cdc_ncm-syz_usb_control_io$cdc_ncm-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$printer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xda, 0x35, 0x8e, 0x8, 0x46d, 0x900, 0x669e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xc, 0x22, 0xf}}]}}]}}, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 15s
testing program (duration=22s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [24, 24, 5, 21, 7, 30, 5, 11, 6, 3, 14, 8, 12, 3, 18, 6, 2, 24, 4, 3, 6, 3, 12, 3, 3, 6, 8, 9, 1, 9]
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000280)=@base={0x1b}, 0x48)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x1, 0x4, 0xfff, 0x5}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0x3f, &(0x7f0000000440)=ANY=[@ANYBLOB="1801000000000020000000000000000018190000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000024"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000040)='sched_switch\x00', r1}, 0x10)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r2 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r2, 0x1, &(0x7f0000000200)=0x5)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000380)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
r5 = socket$inet6(0xa, 0x3, 0x8000000003c)
connect$inet6(r5, &(0x7f0000000140)={0xa, 0x0, 0x0, @dev, 0x9}, 0x1c)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sendmsg(r5, 0x0, 0x44004)
executing program 0:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000380)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000080)='sched_switch\x00'}, 0x10)
syz_extract_tcp_res$synack(&(0x7f0000000240), 0x1, 0x0)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_PRIVFLAGS_GET(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={0x0}}, 0x0)
poll(&(0x7f0000000100)=[{0xffffffffffffffff, 0x8011}, {0xffffffffffffffff, 0x9}, {0xffffffffffffffff, 0xc200}, {0xffffffffffffffff, 0x401}], 0x4, 0x0)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r5, 0x5423, &(0x7f00000000c0)=0xf)
ioctl$TCFLSH(r5, 0x400455c8, 0x0)
ioctl$sock_bt_hci(r4, 0x400448ca, 0x0)
close_range(r3, 0xffffffffffffffff, 0x0)
executing program 1:
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
socket$nl_generic(0x10, 0x3, 0x10)
setsockopt$IPT_SO_SET_REPLACE(0xffffffffffffffff, 0x0, 0x40, 0x0, 0x0)
r0 = socket$inet6(0xa, 0x3, 0x3a)
setsockopt$inet6_int(r0, 0x29, 0x7, &(0x7f0000000100), 0x4)
executing program 1:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
r2 = syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
ioctl$EVIOCGABS0(r2, 0x80184540, &(0x7f0000000100)=""/194)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
bind$vsock_stream(r3, &(0x7f0000000000)={0x10}, 0x10)
r4 = syz_open_procfs(0x0, &(0x7f0000000240)='net/netlink\x00')
socket$inet6_dccp(0xa, 0x6, 0x0)
close(0xffffffffffffffff)
socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
preadv(r4, &(0x7f0000000ac0)=[{0x0}, {&(0x7f0000000840)=""/180, 0xb4}], 0x2, 0x0, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
read$FUSE(0xffffffffffffffff, 0x0, 0x0)
shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
mremap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x1000, 0x3, &(0x7f0000fff000/0x1000)=nil)
executing program 1:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x210000000013, &(0x7f00000000c0)=0x100000001, 0x4)
connect$inet(r0, &(0x7f0000000140)={0x2, 0x0, @remote}, 0x10)
setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000000000)=[@sack_perm, @window, @sack_perm, @sack_perm, @timestamp, @timestamp, @timestamp, @timestamp], 0x20000149)
setsockopt$inet_tcp_int(r0, 0x6, 0x22, &(0x7f0000000180)=0xfffffffe, 0x4)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000200)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
mmap(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x0, 0x10012, r1, 0x0)
executing program 1:
r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000680)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000400), 0x106}}, 0x20)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f00000003c0)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000900), 0x13f}}, 0x20)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$VIDIOC_ENUM_FMT(0xffffffffffffffff, 0xc0405602, &(0x7f0000000040)={0x57, 0xa, 0x0, "3258c546dacccfae1e008faa00000000f4ff4000"})
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f00000000c0)=[{&(0x7f0000001f00)=""/102386, 0x18ff2}], 0x1, 0x0, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000280)={0x0, 0x5, &(0x7f0000000340)=ANY=[@ANYRES64=r1, @ANYRES64], &(0x7f0000000380)='GPL\x00', 0x4, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, r1}, 0x90)
prctl$PR_GET_TSC(0x43, &(0x7f0000000040))
r2 = socket$inet6(0xa, 0x6, 0x0)
bind$inet6(r2, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @rand_addr=' \x01\x00'}, 0x1c)
listen(r2, 0x80080400)
r3 = socket$inet_dccp(0x2, 0x6, 0x0)
connect$inet(r3, &(0x7f0000e5c000)={0x2, 0x4e20, @remote}, 0x10)
getsockopt$inet_int(r3, 0x10d, 0xfa, 0x0, &(0x7f0000000240))
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0)
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r6 = syz_open_dev$vim2m(&(0x7f0000000080), 0x0, 0x2)
ioctl$vim2m_VIDIOC_CREATE_BUFS(r6, 0xc100565c, &(0x7f0000000100)={0x1000, 0x5, 0x4, {0x2, @sliced={0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e, 0x0, 0x0, 0xb0, 0x0, 0x0, 0x0, 0x0, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf, 0x0, 0x0, 0x43f7, 0x0, 0x0, 0x7000, 0x0, 0xfffe], 0xfffffffd}}, 0x40000000})
ioctl$vim2m_VIDIOC_REQBUFS(r6, 0xc0145608, &(0x7f0000000040)={0x1, 0x1, 0x1})
ioctl$vim2m_VIDIOC_STREAMOFF(r6, 0x40045612, &(0x7f0000000600)=0x2)
ioctl$vim2m_VIDIOC_STREAMOFF(r6, 0x40045612, &(0x7f00000000c0)=0x1)
ppoll(&(0x7f0000000200)=[{r6, 0x42}], 0x1, &(0x7f0000000240), 0x0, 0x0)
r7 = dup3(r5, r4, 0x0)
socket$packet(0x11, 0x3, 0x300)
r8 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@bloom_filter={0x1e, 0x60, 0x3, 0x6, 0x844, r7, 0xb, '\x00', 0x0, r7, 0x2, 0x1, 0x2, 0x3}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000000)={{r8}, &(0x7f0000000580), &(0x7f00000005c0)=r1}, 0x20)
executing program 1:
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0)
r0 = syz_genetlink_get_family_id$nl80211(&(0x7f00000001c0), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r2=>0x0})
sendmsg$NL80211_CMD_JOIN_MESH(r1, &(0x7f0000001040)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000001140)={0x50, r0, 0x3, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_MESH_CONFIG={0x34, 0x23, 0x0, 0x1, [@NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR={0x8, 0x15, 0x5b}, @NL80211_MESHCONF_ELEMENT_TTL={0x5, 0xf, 0xf}, @NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES={0x5}, @NL80211_MESHCONF_HT_OPMODE={0x6}, @NL80211_MESHCONF_MAX_PEER_LINKS={0x6}, @NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT={0x8}]}]}, 0x50}}, 0x0)
executing program 1:
r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xda, 0x35, 0x8e, 0x8, 0x46d, 0x900, 0x669e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xc, 0x22, 0xf}}]}}]}}, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
executing program 4:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000080)={0x26, 'skcipher\x00', 0x0, 0x0, 'cts(cbc(aes))\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000c18000)="ad56b6c5910fae9d6dcd3292ea54c7b6ef915d564c90c200", 0x18)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$TIPC_NL_MEDIA_SET(r1, &(0x7f0000001800)={0x0, 0x0, &(0x7f00000017c0)={0x0, 0x12f4}}, 0x0)
recvmmsg(r1, &(0x7f0000002e00)=[{{0x0, 0x0, &(0x7f0000002d40)=[{&(0x7f0000002a00)=""/98, 0x62}], 0x1}}], 0x1, 0x0, 0x0)
executing program 4:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(0xffffffffffffffff, 0x0, 0x0)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000500)=ANY=[@ANYBLOB="b80000001900010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000", @ANYRESDEC], 0xb8}}, 0x0)
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
bind$vsock_stream(0xffffffffffffffff, &(0x7f0000000000)={0x10}, 0x10)
socket$inet6_dccp(0xa, 0x6, 0x0)
socket(0xa, 0x1, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
r2 = shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
shmat(0x0, &(0x7f0000ff9000/0x1000)=nil, 0x5000)
shmdt(r2)
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)
executing program 3:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x2, 0x2172, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x2000, 0x0, &(0x7f0000ffb000/0x2000)=nil)
r0 = syz_io_uring_complete(0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000001c0))
r1 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
fchdir(0xffffffffffffffff)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
preadv(r2, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x4)
sendmmsg(0xffffffffffffffff, &(0x7f0000007fc0), 0x800001d, 0xa1a)
userfaultfd(0x80001)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="308a4703e3ffffffffdbb50000e7ffff05004000", @ANYBLOB="000000000a000200aaaaaaaaaa"], 0x30}}, 0x0)
syz_io_uring_setup(0x110, &(0x7f0000000140), 0x0, 0x0)
ioctl$sock_SIOCSIFBR(r1, 0x8941, &(0x7f00000003c0)=@get={0x1, &(0x7f0000000300)=""/59, 0xf})
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
splice(r1, 0x0, r2, 0x0, 0x8000f28, 0x0)
vmsplice(r2, &(0x7f0000000740)=[{&(0x7f0000000cc0)="13", 0x1}, {&(0x7f00000007c0)="b4", 0x1}, {&(0x7f0000000300)="b8", 0x1}, {&(0x7f00000008c0)="ff", 0x1}], 0x4, 0x0)
ioctl$sock_inet_sctp_SIOCINQ(r2, 0x541b, &(0x7f0000000000))
write(r0, 0x0, 0x0)
executing program 4:
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x2, 0x42032, 0xffffffffffffffff, 0x0)
move_pages(0x0, 0x3, &(0x7f0000000040)=[&(0x7f0000a0d000/0x3000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000a3a000/0x1000)=nil], &(0x7f0000000100)=[0x1], &(0x7f0000000180), 0x0)
executing program 4:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
write$tun(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="08000000008400000900000000004500002800000000002f9078ac1e00", @ANYRESHEX, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYBLOB="07b3cf71c95581f4b30866758d12a2a21ec31f86f0868ae164baa87babe7503409c2a5f4bf679aa4f60afd32097302a3f8018d39379030cf95e9fc948d3139a6537241d999bffab7f7c47ab89cd758a66c72e85a098643a6ab899bb13a474da31bcc73260c9795ce63205bbbb7c3d9ee0b632508b0c18b147e2ad6c50ebc133338a77ae19cb0d5db9c3a101bb6937ce0a23c850346b6deb31e"], 0x36)
clock_gettime(0x0, &(0x7f00000006c0))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x3c1, 0x3, 0x328, 0x128, 0x4c, 0x1a, 0x0, 0x73, 0x258, 0x258, 0x258, 0x258, 0x258, 0x3, 0x0, {[{{@ipv6={@rand_addr=' \x01\x00', @local, [], [], 'wg2\x00', 'macvlan1\x00', {}, {}, 0x11}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@inet=@l2tp={{0x30}, {0x0, 0x0, 0x2, 0x0, 0x5}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@TCPMSS={0x28}}, {{@ipv6={@private2, @dev, [], [], 'veth1_macvtap\x00', 'veth0_macvtap\x00'}, 0x0, 0xf8, 0x130, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@icmp6={{0x28}, {0x0, "e1f6"}}]}, @common=@inet=@SET3={0x38}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x388)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000b40)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x5c, 0x16, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0xc, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x2}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x6}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}]}, @NFT_MSG_DELFLOWTABLE={0x30, 0x16, 0xa, 0x0, 0xb00, 0x0, {}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x4}]}], {0x14, 0x10}}, 0xb4}}, 0x0)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18}, './file0\x00'})
socket$packet(0x11, 0x0, 0x300)
ioctl$SCSI_IOCTL_SEND_COMMAND(0xffffffffffffffff, 0x1, &(0x7f0000000180))
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000002c0)=@newqdisc={0x24, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0x0, 0xc}}}, 0x24}}, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000140)={&(0x7f0000003340)=ANY=[@ANYBLOB="14"], 0x16e8}, 0x1, 0x0, 0x0, 0x64008005}, 0x0)
shutdown(0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x10)
socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$packet(0x11, 0x0, 0x300)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r5=>0x0})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYRES64=0x0, @ANYRES32=r5, @ANYBLOB], 0x34}}, 0x0)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000240)={0x0, 0x8209}, 0x0)
sendto(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
executing program 0:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0xa, &(0x7f0000000180)={0x0, @in, 0x0, 0x0, 0x290}, 0x98)
connect$inet(0xffffffffffffffff, 0x0, 0x0)
executing program 3:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
sendto$inet(r0, 0x0, 0x0, 0x0, 0x0, 0x0)
recvfrom$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
setsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x21, &(0x7f00000003c0)={0x0, 0x4a00}, 0x10)
sendmsg$inet_sctp(r0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20100}, 0x0)
executing program 2:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
socket$inet6_sctp(0x1c, 0x5, 0x84)
socket$inet6_sctp(0x1c, 0x0, 0x84)
connect$inet(0xffffffffffffffff, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(0xffffffffffffffff, 0x84, 0x105, 0x0, &(0x7f0000001700))
socket(0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xb, &(0x7f0000000240), 0x0)
sendmsg$inet_sctp(0xffffffffffffffff, 0x0, 0x0)
socket(0x0, 0x0, 0x0)
renameat(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_sctp(0x1c, 0x1, 0x84)
bind(r0, &(0x7f0000000000)=@in6={0x1c, 0x1c, 0x3}, 0x1c)
connect$inet6(r0, &(0x7f0000000080)={0x1c, 0x1c, 0x3}, 0x1c)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x200000000000c, &(0x7f0000000080)="eaef125c00000000", 0x8)
socket$inet6_sctp(0x1c, 0x5, 0x84)
executing program 0:
socket$inet_sctp(0x2, 0x0, 0x84)
setsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x9, 0x0, 0x0)
open$dir(0x0, 0x0, 0x0)
executing program 2:
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x0, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000a8000000180100002020692500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000700000095"], &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x10, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x18, 0x3, &(0x7f0000000d00)=ANY=[@ANYBLOB="180000000000000000000000000000009500160000000000e2bac15d3b6641a215f099e26603a050337b2ccc70a9f928ba3c529bb6e7365e7e246317380f5884d79663e7fcaa89795d7b10e88378c33265a7af06040e3d0bbc6a5864dfa023c6ac1da574242785bbb4ece12b11da52496875e1e384042aad63a3094bf3bc0e40a79960f9f1610940e67e30611d9873d1e6cb9c4cce44c999c49ff52a6400192fd021d7158438d7686a6f66778022c93c544189b684754e7e0f77a4f498609e53104c8aa70632fcc58c757bbc06f6472622dce2729d7296959ce003ec84acd015e352484c42fc29e5aea62fb7977813f7254fd6f62fec638abf292e6c33925b29"], &(0x7f0000000000)='syzkaller\x00'}, 0x80)
r2 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='sched_process_wait\x00', r1}, 0x10)
r3 = bpf$ITER_CREATE(0xb, &(0x7f0000000100)={r2}, 0x8)
close(r3)
bpf$PROG_BIND_MAP(0xa, &(0x7f0000000000)={r0}, 0xc)
executing program 3:
mlockall(0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000300)='./file0\x00', &(0x7f0000000040)='mqueue\x00', 0x100001b, 0x0)
chdir(&(0x7f00000057c0)='./file0\x00')
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mremap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
executing program 2:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c)
listen(r0, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r1, &(0x7f0000000300)={0xa, 0x4e22, 0x0, @loopback}, 0x1c)
r2 = dup(r0)
r3 = accept4$inet6(r2, 0x0, 0x0, 0x0)
setsockopt$inet6_tcp_TCP_FASTOPEN_KEY(r3, 0x6, 0x21, 0x0, 0x0)
executing program 0:
lstat(&(0x7f0000000b40)='./file0/file0/file0\x00', 0x0)
executing program 2:
pipe2$9p(&(0x7f0000002180)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000200)=ANY=[@ANYBLOB="1500000065ffff0180000008003950323030302e4c"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000000)={0x18}, 0x18)
write$FUSE_DIRENTPLUS(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="3801"], 0x138)
write$FUSE_DIRENTPLUS(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB=' '], 0x120)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000280), 0x0, &(0x7f0000000140)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}})
lgetxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000480)=ANY=[@ANYBLOB='user.t'], 0x0, 0x38c)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 5 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): pipe2$9p-write$P9_RVERSION-dup-write$FUSE_BMAP-write$FUSE_DIRENTPLUS-write$FUSE_DIRENTPLUS-syz_mount_image$fuse-mount$9p_fd-lgetxattr
detailed listing:
executing program 0:
pipe2$9p(&(0x7f0000002180)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000200)=ANY=[@ANYBLOB="1500000065ffff0180000008003950323030302e4c"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000000)={0x18}, 0x18)
write$FUSE_DIRENTPLUS(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="3801"], 0x138)
write$FUSE_DIRENTPLUS(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB=' '], 0x120)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000280), 0x0, &(0x7f0000000140)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}})
lgetxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000480)=ANY=[@ANYBLOB='user.t'], 0x0, 0x38c)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): lstat
detailed listing:
executing program 0:
lstat(&(0x7f0000000b40)='./file0/file0/file0\x00', 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mlockall-mkdirat-mount-chdir-mremap-mremap-mremap-mkdirat
detailed listing:
executing program 0:
mlockall(0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000300)='./file0\x00', &(0x7f0000000040)='mqueue\x00', 0x100001b, 0x0)
chdir(&(0x7f00000057c0)='./file0\x00')
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mremap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-write$tun-clock_gettime-prctl$PR_SCHED_CORE-sched_setaffinity-openat$hwrng-preadv-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-socket$nl_netfilter-sendmsg$NFT_BATCH-ioctl$AUTOFS_DEV_IOCTL_EXPIRE-socket$packet-ioctl$SCSI_IOCTL_SEND_COMMAND-sendmsg$nl_route_sched-sendmsg$NFT_BATCH-shutdown-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-socket$nl_generic-socket$packet-ioctl$sock_SIOCGIFINDEX-socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
write$tun(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="08000000008400000900000000004500002800000000002f9078ac1e00", @ANYRESHEX, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYBLOB="07b3cf71c95581f4b30866758d12a2a21ec31f86f0868ae164baa87babe7503409c2a5f4bf679aa4f60afd32097302a3f8018d39379030cf95e9fc948d3139a6537241d999bffab7f7c47ab89cd758a66c72e85a098643a6ab899bb13a474da31bcc73260c9795ce63205bbbb7c3d9ee0b632508b0c18b147e2ad6c50ebc133338a77ae19cb0d5db9c3a101bb6937ce0a23c850346b6deb31e"], 0x36)
clock_gettime(0x0, &(0x7f00000006c0))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x3c1, 0x3, 0x328, 0x128, 0x4c, 0x1a, 0x0, 0x73, 0x258, 0x258, 0x258, 0x258, 0x258, 0x3, 0x0, {[{{@ipv6={@rand_addr=' \x01\x00', @local, [], [], 'wg2\x00', 'macvlan1\x00', {}, {}, 0x11}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@inet=@l2tp={{0x30}, {0x0, 0x0, 0x2, 0x0, 0x5}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@TCPMSS={0x28}}, {{@ipv6={@private2, @dev, [], [], 'veth1_macvtap\x00', 'veth0_macvtap\x00'}, 0x0, 0xf8, 0x130, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@icmp6={{0x28}, {0x0, "e1f6"}}]}, @common=@inet=@SET3={0x38}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x388)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000b40)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x5c, 0x16, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0xc, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x2}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x6}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}]}, @NFT_MSG_DELFLOWTABLE={0x30, 0x16, 0xa, 0x0, 0xb00, 0x0, {}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x4}]}], {0x14, 0x10}}, 0xb4}}, 0x0)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18}, './file0\x00'})
socket$packet(0x11, 0x0, 0x300)
ioctl$SCSI_IOCTL_SEND_COMMAND(0xffffffffffffffff, 0x1, &(0x7f0000000180))
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000002c0)=@newqdisc={0x24, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0x0, 0xc}}}, 0x24}}, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000140)={&(0x7f0000003340)=ANY=[@ANYBLOB="14"], 0x16e8}, 0x1, 0x0, 0x0, 0x64008005}, 0x0)
shutdown(0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x10)
socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$packet(0x11, 0x0, 0x300)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r5=>0x0})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYRES64=0x0, @ANYRES32=r5, @ANYBLOB], 0x34}}, 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io$cdc_ncm-syz_usb_control_io-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_control_io$uac1-syz_usb_control_io$cdc_ncm-syz_usb_control_io$cdc_ncm-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$printer
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xda, 0x35, 0x8e, 0x8, 0x46d, 0x900, 0x669e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xc, 0x22, 0xf}}]}}]}}, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 30 programs with base timeout 1m40s
testing program (duration=1m47s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [24, 24, 5, 21, 7, 30, 5, 11, 6, 3, 14, 8, 12, 3, 18, 6, 2, 24, 4, 3, 6, 3, 12, 3, 3, 6, 8, 9, 1, 9]
detailed listing:
executing program 0:
mkdirat(0xffffffffffffff9c, 0x0, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000280)=@base={0x1b}, 0x48)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r0 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=@base={0x1, 0x4, 0xfff, 0x5}, 0x48)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0x3f, &(0x7f0000000440)=ANY=[@ANYBLOB="1801000000000020000000000000000018190000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000024"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000040)='sched_switch\x00', r1}, 0x10)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r2 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r2, 0x1, &(0x7f0000000200)=0x5)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000380)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
connect$unix(r3, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r3, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
r5 = socket$inet6(0xa, 0x3, 0x8000000003c)
connect$inet6(r5, &(0x7f0000000140)={0xa, 0x0, 0x0, @dev, 0x9}, 0x1c)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)
sendmsg(r5, 0x0, 0x44004)
executing program 0:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000380)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000080)='sched_switch\x00'}, 0x10)
syz_extract_tcp_res$synack(&(0x7f0000000240), 0x1, 0x0)
syz_genetlink_get_family_id$ethtool(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_PRIVFLAGS_GET(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={0x0}}, 0x0)
poll(&(0x7f0000000100)=[{0xffffffffffffffff, 0x8011}, {0xffffffffffffffff, 0x9}, {0xffffffffffffffff, 0xc200}, {0xffffffffffffffff, 0x401}], 0x4, 0x0)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r5, 0x5423, &(0x7f00000000c0)=0xf)
ioctl$TCFLSH(r5, 0x400455c8, 0x0)
ioctl$sock_bt_hci(r4, 0x400448ca, 0x0)
close_range(r3, 0xffffffffffffffff, 0x0)
executing program 1:
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
socket$nl_generic(0x10, 0x3, 0x10)
setsockopt$IPT_SO_SET_REPLACE(0xffffffffffffffff, 0x0, 0x40, 0x0, 0x0)
r0 = socket$inet6(0xa, 0x3, 0x3a)
setsockopt$inet6_int(r0, 0x29, 0x7, &(0x7f0000000100), 0x4)
executing program 1:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
r2 = syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
ioctl$EVIOCGABS0(r2, 0x80184540, &(0x7f0000000100)=""/194)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
bind$vsock_stream(r3, &(0x7f0000000000)={0x10}, 0x10)
r4 = syz_open_procfs(0x0, &(0x7f0000000240)='net/netlink\x00')
socket$inet6_dccp(0xa, 0x6, 0x0)
close(0xffffffffffffffff)
socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
preadv(r4, &(0x7f0000000ac0)=[{0x0}, {&(0x7f0000000840)=""/180, 0xb4}], 0x2, 0x0, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
read$FUSE(0xffffffffffffffff, 0x0, 0x0)
shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
mremap(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x1000, 0x3, &(0x7f0000fff000/0x1000)=nil)
executing program 1:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x210000000013, &(0x7f00000000c0)=0x100000001, 0x4)
connect$inet(r0, &(0x7f0000000140)={0x2, 0x0, @remote}, 0x10)
setsockopt$inet_tcp_TCP_REPAIR_OPTIONS(r0, 0x6, 0x16, &(0x7f0000000000)=[@sack_perm, @window, @sack_perm, @sack_perm, @timestamp, @timestamp, @timestamp, @timestamp], 0x20000149)
setsockopt$inet_tcp_int(r0, 0x6, 0x22, &(0x7f0000000180)=0xfffffffe, 0x4)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000200)='blkio.bfq.io_merged_recursive\x00', 0x275a, 0x0)
mmap(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x0, 0x10012, r1, 0x0)
executing program 1:
r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440), 0x2, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000680)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000400), 0x106}}, 0x20)
write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f00000003c0)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000900), 0x13f}}, 0x20)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$VIDIOC_ENUM_FMT(0xffffffffffffffff, 0xc0405602, &(0x7f0000000040)={0x57, 0xa, 0x0, "3258c546dacccfae1e008faa00000000f4ff4000"})
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f00000000c0)=[{&(0x7f0000001f00)=""/102386, 0x18ff2}], 0x1, 0x0, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000280)={0x0, 0x5, &(0x7f0000000340)=ANY=[@ANYRES64=r1, @ANYRES64], &(0x7f0000000380)='GPL\x00', 0x4, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, r1}, 0x90)
prctl$PR_GET_TSC(0x43, &(0x7f0000000040))
r2 = socket$inet6(0xa, 0x6, 0x0)
bind$inet6(r2, &(0x7f0000000040)={0xa, 0x4e20, 0x0, @rand_addr=' \x01\x00'}, 0x1c)
listen(r2, 0x80080400)
r3 = socket$inet_dccp(0x2, 0x6, 0x0)
connect$inet(r3, &(0x7f0000e5c000)={0x2, 0x4e20, @remote}, 0x10)
getsockopt$inet_int(r3, 0x10d, 0xfa, 0x0, &(0x7f0000000240))
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0)
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r6 = syz_open_dev$vim2m(&(0x7f0000000080), 0x0, 0x2)
ioctl$vim2m_VIDIOC_CREATE_BUFS(r6, 0xc100565c, &(0x7f0000000100)={0x1000, 0x5, 0x4, {0x2, @sliced={0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8e, 0x0, 0x0, 0xb0, 0x0, 0x0, 0x0, 0x0, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf, 0x0, 0x0, 0x43f7, 0x0, 0x0, 0x7000, 0x0, 0xfffe], 0xfffffffd}}, 0x40000000})
ioctl$vim2m_VIDIOC_REQBUFS(r6, 0xc0145608, &(0x7f0000000040)={0x1, 0x1, 0x1})
ioctl$vim2m_VIDIOC_STREAMOFF(r6, 0x40045612, &(0x7f0000000600)=0x2)
ioctl$vim2m_VIDIOC_STREAMOFF(r6, 0x40045612, &(0x7f00000000c0)=0x1)
ppoll(&(0x7f0000000200)=[{r6, 0x42}], 0x1, &(0x7f0000000240), 0x0, 0x0)
r7 = dup3(r5, r4, 0x0)
socket$packet(0x11, 0x3, 0x300)
r8 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@bloom_filter={0x1e, 0x60, 0x3, 0x6, 0x844, r7, 0xb, '\x00', 0x0, r7, 0x2, 0x1, 0x2, 0x3}, 0x48)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000000)={{r8}, &(0x7f0000000580), &(0x7f00000005c0)=r1}, 0x20)
executing program 1:
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0)
r0 = syz_genetlink_get_family_id$nl80211(&(0x7f00000001c0), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan0\x00', <r2=>0x0})
sendmsg$NL80211_CMD_JOIN_MESH(r1, &(0x7f0000001040)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000001140)={0x50, r0, 0x3, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_MESH_CONFIG={0x34, 0x23, 0x0, 0x1, [@NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR={0x8, 0x15, 0x5b}, @NL80211_MESHCONF_ELEMENT_TTL={0x5, 0xf, 0xf}, @NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES={0x5}, @NL80211_MESHCONF_HT_OPMODE={0x6}, @NL80211_MESHCONF_MAX_PEER_LINKS={0x6}, @NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT={0x8}]}]}, 0x50}}, 0x0)
executing program 1:
r0 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0xda, 0x35, 0x8e, 0x8, 0x46d, 0x900, 0x669e, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x0, 0xc, 0x22, 0xf}}]}}]}}, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
executing program 4:
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000080)={0x26, 'skcipher\x00', 0x0, 0x0, 'cts(cbc(aes))\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000c18000)="ad56b6c5910fae9d6dcd3292ea54c7b6ef915d564c90c200", 0x18)
r1 = accept4(r0, 0x0, 0x0, 0x0)
sendmsg$TIPC_NL_MEDIA_SET(r1, &(0x7f0000001800)={0x0, 0x0, &(0x7f00000017c0)={0x0, 0x12f4}}, 0x0)
recvmmsg(r1, &(0x7f0000002e00)=[{{0x0, 0x0, &(0x7f0000002d40)=[{&(0x7f0000002a00)=""/98, 0x62}], 0x1}}], 0x1, 0x0, 0x0)
executing program 4:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(0xffffffffffffffff, 0x0, 0x0)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000500)=ANY=[@ANYBLOB="b80000001900010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000", @ANYRESDEC], 0xb8}}, 0x0)
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
bind$vsock_stream(0xffffffffffffffff, &(0x7f0000000000)={0x10}, 0x10)
socket$inet6_dccp(0xa, 0x6, 0x0)
socket(0xa, 0x1, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
r2 = shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
shmat(0x0, &(0x7f0000ff9000/0x1000)=nil, 0x5000)
shmdt(r2)
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)
executing program 3:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x2, 0x2172, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x2000, 0x0, &(0x7f0000ffb000/0x2000)=nil)
r0 = syz_io_uring_complete(0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000001c0))
r1 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
fchdir(0xffffffffffffffff)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
preadv(r2, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x4)
sendmmsg(0xffffffffffffffff, &(0x7f0000007fc0), 0x800001d, 0xa1a)
userfaultfd(0x80001)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="308a4703e3ffffffffdbb50000e7ffff05004000", @ANYBLOB="000000000a000200aaaaaaaaaa"], 0x30}}, 0x0)
syz_io_uring_setup(0x110, &(0x7f0000000140), 0x0, 0x0)
ioctl$sock_SIOCSIFBR(r1, 0x8941, &(0x7f00000003c0)=@get={0x1, &(0x7f0000000300)=""/59, 0xf})
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
splice(r1, 0x0, r2, 0x0, 0x8000f28, 0x0)
vmsplice(r2, &(0x7f0000000740)=[{&(0x7f0000000cc0)="13", 0x1}, {&(0x7f00000007c0)="b4", 0x1}, {&(0x7f0000000300)="b8", 0x1}, {&(0x7f00000008c0)="ff", 0x1}], 0x4, 0x0)
ioctl$sock_inet_sctp_SIOCINQ(r2, 0x541b, &(0x7f0000000000))
write(r0, 0x0, 0x0)
executing program 4:
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x2, 0x42032, 0xffffffffffffffff, 0x0)
move_pages(0x0, 0x3, &(0x7f0000000040)=[&(0x7f0000a0d000/0x3000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000a3a000/0x1000)=nil], &(0x7f0000000100)=[0x1], &(0x7f0000000180), 0x0)
executing program 4:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
write$tun(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="08000000008400000900000000004500002800000000002f9078ac1e00", @ANYRESHEX, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYBLOB="07b3cf71c95581f4b30866758d12a2a21ec31f86f0868ae164baa87babe7503409c2a5f4bf679aa4f60afd32097302a3f8018d39379030cf95e9fc948d3139a6537241d999bffab7f7c47ab89cd758a66c72e85a098643a6ab899bb13a474da31bcc73260c9795ce63205bbbb7c3d9ee0b632508b0c18b147e2ad6c50ebc133338a77ae19cb0d5db9c3a101bb6937ce0a23c850346b6deb31e"], 0x36)
clock_gettime(0x0, &(0x7f00000006c0))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x3c1, 0x3, 0x328, 0x128, 0x4c, 0x1a, 0x0, 0x73, 0x258, 0x258, 0x258, 0x258, 0x258, 0x3, 0x0, {[{{@ipv6={@rand_addr=' \x01\x00', @local, [], [], 'wg2\x00', 'macvlan1\x00', {}, {}, 0x11}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@inet=@l2tp={{0x30}, {0x0, 0x0, 0x2, 0x0, 0x5}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@TCPMSS={0x28}}, {{@ipv6={@private2, @dev, [], [], 'veth1_macvtap\x00', 'veth0_macvtap\x00'}, 0x0, 0xf8, 0x130, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@icmp6={{0x28}, {0x0, "e1f6"}}]}, @common=@inet=@SET3={0x38}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x388)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000b40)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x5c, 0x16, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0xc, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x2}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x6}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}]}, @NFT_MSG_DELFLOWTABLE={0x30, 0x16, 0xa, 0x0, 0xb00, 0x0, {}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x4}]}], {0x14, 0x10}}, 0xb4}}, 0x0)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18}, './file0\x00'})
socket$packet(0x11, 0x0, 0x300)
ioctl$SCSI_IOCTL_SEND_COMMAND(0xffffffffffffffff, 0x1, &(0x7f0000000180))
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000002c0)=@newqdisc={0x24, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0x0, 0xc}}}, 0x24}}, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000140)={&(0x7f0000003340)=ANY=[@ANYBLOB="14"], 0x16e8}, 0x1, 0x0, 0x0, 0x64008005}, 0x0)
shutdown(0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x10)
socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$packet(0x11, 0x0, 0x300)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r5=>0x0})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYRES64=0x0, @ANYRES32=r5, @ANYBLOB], 0x34}}, 0x0)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000240)={0x0, 0x8209}, 0x0)
sendto(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
executing program 0:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0xa, &(0x7f0000000180)={0x0, @in, 0x0, 0x0, 0x290}, 0x98)
connect$inet(0xffffffffffffffff, 0x0, 0x0)
executing program 3:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
sendto$inet(r0, 0x0, 0x0, 0x0, 0x0, 0x0)
recvfrom$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
setsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x21, &(0x7f00000003c0)={0x0, 0x4a00}, 0x10)
sendmsg$inet_sctp(r0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20100}, 0x0)
executing program 2:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
socket$inet6_sctp(0x1c, 0x5, 0x84)
socket$inet6_sctp(0x1c, 0x0, 0x84)
connect$inet(0xffffffffffffffff, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(0xffffffffffffffff, 0x84, 0x105, 0x0, &(0x7f0000001700))
socket(0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xb, &(0x7f0000000240), 0x0)
sendmsg$inet_sctp(0xffffffffffffffff, 0x0, 0x0)
socket(0x0, 0x0, 0x0)
renameat(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_sctp(0x1c, 0x1, 0x84)
bind(r0, &(0x7f0000000000)=@in6={0x1c, 0x1c, 0x3}, 0x1c)
connect$inet6(r0, &(0x7f0000000080)={0x1c, 0x1c, 0x3}, 0x1c)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x200000000000c, &(0x7f0000000080)="eaef125c00000000", 0x8)
socket$inet6_sctp(0x1c, 0x5, 0x84)
executing program 0:
socket$inet_sctp(0x2, 0x0, 0x84)
setsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x9, 0x0, 0x0)
open$dir(0x0, 0x0, 0x0)
executing program 2:
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x0, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000a8000000180100002020692500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000700000095"], &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x10, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x18, 0x3, &(0x7f0000000d00)=ANY=[@ANYBLOB="180000000000000000000000000000009500160000000000e2bac15d3b6641a215f099e26603a050337b2ccc70a9f928ba3c529bb6e7365e7e246317380f5884d79663e7fcaa89795d7b10e88378c33265a7af06040e3d0bbc6a5864dfa023c6ac1da574242785bbb4ece12b11da52496875e1e384042aad63a3094bf3bc0e40a79960f9f1610940e67e30611d9873d1e6cb9c4cce44c999c49ff52a6400192fd021d7158438d7686a6f66778022c93c544189b684754e7e0f77a4f498609e53104c8aa70632fcc58c757bbc06f6472622dce2729d7296959ce003ec84acd015e352484c42fc29e5aea62fb7977813f7254fd6f62fec638abf292e6c33925b29"], &(0x7f0000000000)='syzkaller\x00'}, 0x80)
r2 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='sched_process_wait\x00', r1}, 0x10)
r3 = bpf$ITER_CREATE(0xb, &(0x7f0000000100)={r2}, 0x8)
close(r3)
bpf$PROG_BIND_MAP(0xa, &(0x7f0000000000)={r0}, 0xc)
executing program 3:
mlockall(0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000300)='./file0\x00', &(0x7f0000000040)='mqueue\x00', 0x100001b, 0x0)
chdir(&(0x7f00000057c0)='./file0\x00')
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mremap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
executing program 2:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c)
listen(r0, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r1, &(0x7f0000000300)={0xa, 0x4e22, 0x0, @loopback}, 0x1c)
r2 = dup(r0)
r3 = accept4$inet6(r2, 0x0, 0x0, 0x0)
setsockopt$inet6_tcp_TCP_FASTOPEN_KEY(r3, 0x6, 0x21, 0x0, 0x0)
executing program 0:
lstat(&(0x7f0000000b40)='./file0/file0/file0\x00', 0x0)
executing program 2:
pipe2$9p(&(0x7f0000002180)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000200)=ANY=[@ANYBLOB="1500000065ffff0180000008003950323030302e4c"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000000)={0x18}, 0x18)
write$FUSE_DIRENTPLUS(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="3801"], 0x138)
write$FUSE_DIRENTPLUS(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB=' '], 0x120)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000280), 0x0, &(0x7f0000000140)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}})
lgetxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000480)=ANY=[@ANYBLOB='user.t'], 0x0, 0x38c)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
bisect: bisecting 30 programs
bisect: split chunks (needed=false): <30>
bisect: split chunk #0 of len 30 into 3 parts
bisect: testing without sub-chunk 1/3
testing program (duration=1m45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 8, 12, 3, 18, 6, 2, 24, 4, 3, 6, 3, 12, 3, 3, 6, 8, 9, 1, 9]
detailed listing:
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
bind$vsock_stream(0xffffffffffffffff, &(0x7f0000000000)={0x10}, 0x10)
socket$inet6_dccp(0xa, 0x6, 0x0)
socket(0xa, 0x1, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
r2 = shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
shmat(0x0, &(0x7f0000ff9000/0x1000)=nil, 0x5000)
shmdt(r2)
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)
executing program 3:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x2, 0x2172, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x2000, 0x0, &(0x7f0000ffb000/0x2000)=nil)
r0 = syz_io_uring_complete(0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000001c0))
r1 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
fchdir(0xffffffffffffffff)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
preadv(r2, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x4)
sendmmsg(0xffffffffffffffff, &(0x7f0000007fc0), 0x800001d, 0xa1a)
userfaultfd(0x80001)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="308a4703e3ffffffffdbb50000e7ffff05004000", @ANYBLOB="000000000a000200aaaaaaaaaa"], 0x30}}, 0x0)
syz_io_uring_setup(0x110, &(0x7f0000000140), 0x0, 0x0)
ioctl$sock_SIOCSIFBR(r1, 0x8941, &(0x7f00000003c0)=@get={0x1, &(0x7f0000000300)=""/59, 0xf})
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
splice(r1, 0x0, r2, 0x0, 0x8000f28, 0x0)
vmsplice(r2, &(0x7f0000000740)=[{&(0x7f0000000cc0)="13", 0x1}, {&(0x7f00000007c0)="b4", 0x1}, {&(0x7f0000000300)="b8", 0x1}, {&(0x7f00000008c0)="ff", 0x1}], 0x4, 0x0)
ioctl$sock_inet_sctp_SIOCINQ(r2, 0x541b, &(0x7f0000000000))
write(r0, 0x0, 0x0)
executing program 4:
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x2, 0x42032, 0xffffffffffffffff, 0x0)
move_pages(0x0, 0x3, &(0x7f0000000040)=[&(0x7f0000a0d000/0x3000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000a3a000/0x1000)=nil], &(0x7f0000000100)=[0x1], &(0x7f0000000180), 0x0)
executing program 4:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
write$tun(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="08000000008400000900000000004500002800000000002f9078ac1e00", @ANYRESHEX, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYBLOB="07b3cf71c95581f4b30866758d12a2a21ec31f86f0868ae164baa87babe7503409c2a5f4bf679aa4f60afd32097302a3f8018d39379030cf95e9fc948d3139a6537241d999bffab7f7c47ab89cd758a66c72e85a098643a6ab899bb13a474da31bcc73260c9795ce63205bbbb7c3d9ee0b632508b0c18b147e2ad6c50ebc133338a77ae19cb0d5db9c3a101bb6937ce0a23c850346b6deb31e"], 0x36)
clock_gettime(0x0, &(0x7f00000006c0))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x3c1, 0x3, 0x328, 0x128, 0x4c, 0x1a, 0x0, 0x73, 0x258, 0x258, 0x258, 0x258, 0x258, 0x3, 0x0, {[{{@ipv6={@rand_addr=' \x01\x00', @local, [], [], 'wg2\x00', 'macvlan1\x00', {}, {}, 0x11}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@inet=@l2tp={{0x30}, {0x0, 0x0, 0x2, 0x0, 0x5}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@TCPMSS={0x28}}, {{@ipv6={@private2, @dev, [], [], 'veth1_macvtap\x00', 'veth0_macvtap\x00'}, 0x0, 0xf8, 0x130, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@icmp6={{0x28}, {0x0, "e1f6"}}]}, @common=@inet=@SET3={0x38}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x388)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000b40)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x5c, 0x16, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0xc, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x2}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x6}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}]}, @NFT_MSG_DELFLOWTABLE={0x30, 0x16, 0xa, 0x0, 0xb00, 0x0, {}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x4}]}], {0x14, 0x10}}, 0xb4}}, 0x0)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18}, './file0\x00'})
socket$packet(0x11, 0x0, 0x300)
ioctl$SCSI_IOCTL_SEND_COMMAND(0xffffffffffffffff, 0x1, &(0x7f0000000180))
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000002c0)=@newqdisc={0x24, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0x0, 0xc}}}, 0x24}}, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000140)={&(0x7f0000003340)=ANY=[@ANYBLOB="14"], 0x16e8}, 0x1, 0x0, 0x0, 0x64008005}, 0x0)
shutdown(0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x10)
socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$packet(0x11, 0x0, 0x300)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r5=>0x0})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYRES64=0x0, @ANYRES32=r5, @ANYBLOB], 0x34}}, 0x0)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000240)={0x0, 0x8209}, 0x0)
sendto(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
executing program 0:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0xa, &(0x7f0000000180)={0x0, @in, 0x0, 0x0, 0x290}, 0x98)
connect$inet(0xffffffffffffffff, 0x0, 0x0)
executing program 3:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
sendto$inet(r0, 0x0, 0x0, 0x0, 0x0, 0x0)
recvfrom$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
setsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x21, &(0x7f00000003c0)={0x0, 0x4a00}, 0x10)
sendmsg$inet_sctp(r0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20100}, 0x0)
executing program 2:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
socket$inet6_sctp(0x1c, 0x5, 0x84)
socket$inet6_sctp(0x1c, 0x0, 0x84)
connect$inet(0xffffffffffffffff, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(0xffffffffffffffff, 0x84, 0x105, 0x0, &(0x7f0000001700))
socket(0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xb, &(0x7f0000000240), 0x0)
sendmsg$inet_sctp(0xffffffffffffffff, 0x0, 0x0)
socket(0x0, 0x0, 0x0)
renameat(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_sctp(0x1c, 0x1, 0x84)
bind(r0, &(0x7f0000000000)=@in6={0x1c, 0x1c, 0x3}, 0x1c)
connect$inet6(r0, &(0x7f0000000080)={0x1c, 0x1c, 0x3}, 0x1c)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x200000000000c, &(0x7f0000000080)="eaef125c00000000", 0x8)
socket$inet6_sctp(0x1c, 0x5, 0x84)
executing program 0:
socket$inet_sctp(0x2, 0x0, 0x84)
setsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x9, 0x0, 0x0)
open$dir(0x0, 0x0, 0x0)
executing program 2:
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x0, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000a8000000180100002020692500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000700000095"], &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x10, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x18, 0x3, &(0x7f0000000d00)=ANY=[@ANYBLOB="180000000000000000000000000000009500160000000000e2bac15d3b6641a215f099e26603a050337b2ccc70a9f928ba3c529bb6e7365e7e246317380f5884d79663e7fcaa89795d7b10e88378c33265a7af06040e3d0bbc6a5864dfa023c6ac1da574242785bbb4ece12b11da52496875e1e384042aad63a3094bf3bc0e40a79960f9f1610940e67e30611d9873d1e6cb9c4cce44c999c49ff52a6400192fd021d7158438d7686a6f66778022c93c544189b684754e7e0f77a4f498609e53104c8aa70632fcc58c757bbc06f6472622dce2729d7296959ce003ec84acd015e352484c42fc29e5aea62fb7977813f7254fd6f62fec638abf292e6c33925b29"], &(0x7f0000000000)='syzkaller\x00'}, 0x80)
r2 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='sched_process_wait\x00', r1}, 0x10)
r3 = bpf$ITER_CREATE(0xb, &(0x7f0000000100)={r2}, 0x8)
close(r3)
bpf$PROG_BIND_MAP(0xa, &(0x7f0000000000)={r0}, 0xc)
executing program 3:
mlockall(0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000300)='./file0\x00', &(0x7f0000000040)='mqueue\x00', 0x100001b, 0x0)
chdir(&(0x7f00000057c0)='./file0\x00')
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mremap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
executing program 2:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c)
listen(r0, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r1, &(0x7f0000000300)={0xa, 0x4e22, 0x0, @loopback}, 0x1c)
r2 = dup(r0)
r3 = accept4$inet6(r2, 0x0, 0x0, 0x0)
setsockopt$inet6_tcp_TCP_FASTOPEN_KEY(r3, 0x6, 0x21, 0x0, 0x0)
executing program 0:
lstat(&(0x7f0000000b40)='./file0/file0/file0\x00', 0x0)
executing program 2:
pipe2$9p(&(0x7f0000002180)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000200)=ANY=[@ANYBLOB="1500000065ffff0180000008003950323030302e4c"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000000)={0x18}, 0x18)
write$FUSE_DIRENTPLUS(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="3801"], 0x138)
write$FUSE_DIRENTPLUS(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB=' '], 0x120)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000280), 0x0, &(0x7f0000000140)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}})
lgetxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000480)=ANY=[@ANYBLOB='user.t'], 0x0, 0x38c)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/3
testing program (duration=1m42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 3, 12, 3, 3, 6, 8, 9, 1, 9]
detailed listing:
executing program 3:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
sendto$inet(r0, 0x0, 0x0, 0x0, 0x0, 0x0)
recvfrom$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
setsockopt$inet_sctp_SCTP_DEFAULT_SNDINFO(r0, 0x84, 0x21, &(0x7f00000003c0)={0x0, 0x4a00}, 0x10)
sendmsg$inet_sctp(r0, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20100}, 0x0)
executing program 2:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
socket$inet6_sctp(0x1c, 0x5, 0x84)
socket$inet6_sctp(0x1c, 0x0, 0x84)
connect$inet(0xffffffffffffffff, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(0xffffffffffffffff, 0x84, 0x105, 0x0, &(0x7f0000001700))
socket(0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xb, &(0x7f0000000240), 0x0)
sendmsg$inet_sctp(0xffffffffffffffff, 0x0, 0x0)
socket(0x0, 0x0, 0x0)
renameat(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$inet6_sctp(0x1c, 0x1, 0x84)
bind(r0, &(0x7f0000000000)=@in6={0x1c, 0x1c, 0x3}, 0x1c)
connect$inet6(r0, &(0x7f0000000080)={0x1c, 0x1c, 0x3}, 0x1c)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x200000000000c, &(0x7f0000000080)="eaef125c00000000", 0x8)
socket$inet6_sctp(0x1c, 0x5, 0x84)
executing program 0:
socket$inet_sctp(0x2, 0x0, 0x84)
setsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(0xffffffffffffffff, 0x84, 0x9, 0x0, 0x0)
open$dir(0x0, 0x0, 0x0)
executing program 2:
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x0, 0xc, &(0x7f0000000180)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000a8000000180100002020692500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000700000095"], &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x10, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000340)={0x18, 0x3, &(0x7f0000000d00)=ANY=[@ANYBLOB="180000000000000000000000000000009500160000000000e2bac15d3b6641a215f099e26603a050337b2ccc70a9f928ba3c529bb6e7365e7e246317380f5884d79663e7fcaa89795d7b10e88378c33265a7af06040e3d0bbc6a5864dfa023c6ac1da574242785bbb4ece12b11da52496875e1e384042aad63a3094bf3bc0e40a79960f9f1610940e67e30611d9873d1e6cb9c4cce44c999c49ff52a6400192fd021d7158438d7686a6f66778022c93c544189b684754e7e0f77a4f498609e53104c8aa70632fcc58c757bbc06f6472622dce2729d7296959ce003ec84acd015e352484c42fc29e5aea62fb7977813f7254fd6f62fec638abf292e6c33925b29"], &(0x7f0000000000)='syzkaller\x00'}, 0x80)
r2 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f00000001c0)='sched_process_wait\x00', r1}, 0x10)
r3 = bpf$ITER_CREATE(0xb, &(0x7f0000000100)={r2}, 0x8)
close(r3)
bpf$PROG_BIND_MAP(0xa, &(0x7f0000000000)={r0}, 0xc)
executing program 3:
mlockall(0x1)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000300)='./file0\x00', &(0x7f0000000040)='mqueue\x00', 0x100001b, 0x0)
chdir(&(0x7f00000057c0)='./file0\x00')
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mremap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x3000, 0x3, &(0x7f0000ff5000/0x3000)=nil)
mremap(&(0x7f0000ff5000/0x2000)=nil, 0x2000, 0x5000000, 0x3, &(0x7f0000ffd000/0x1000)=nil)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
executing program 2:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c)
listen(r0, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
connect$inet6(r1, &(0x7f0000000300)={0xa, 0x4e22, 0x0, @loopback}, 0x1c)
r2 = dup(r0)
r3 = accept4$inet6(r2, 0x0, 0x0, 0x0)
setsockopt$inet6_tcp_TCP_FASTOPEN_KEY(r3, 0x6, 0x21, 0x0, 0x0)
executing program 0:
lstat(&(0x7f0000000b40)='./file0/file0/file0\x00', 0x0)
executing program 2:
pipe2$9p(&(0x7f0000002180)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x0)
write$P9_RVERSION(r1, &(0x7f0000000200)=ANY=[@ANYBLOB="1500000065ffff0180000008003950323030302e4c"], 0x15)
r2 = dup(r1)
write$FUSE_BMAP(r2, &(0x7f0000000000)={0x18}, 0x18)
write$FUSE_DIRENTPLUS(r2, &(0x7f0000000700)=ANY=[@ANYBLOB="3801"], 0x138)
write$FUSE_DIRENTPLUS(r2, &(0x7f00000004c0)=ANY=[@ANYBLOB=' '], 0x120)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0)
mount$9p_fd(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f0000000280), 0x0, &(0x7f0000000140)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}})
lgetxattr(&(0x7f00000001c0)='./file0\x00', &(0x7f0000000480)=ANY=[@ANYBLOB='user.t'], 0x0, 0x38c)

program did not crash
bisect: testing without sub-chunk 3/3
testing program (duration=1m42s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 8, 12, 3, 18, 6, 2, 24, 4, 3]
detailed listing:
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
bind$vsock_stream(0xffffffffffffffff, &(0x7f0000000000)={0x10}, 0x10)
socket$inet6_dccp(0xa, 0x6, 0x0)
socket(0xa, 0x1, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
r2 = shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
shmat(0x0, &(0x7f0000ff9000/0x1000)=nil, 0x5000)
shmdt(r2)
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)
executing program 3:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x2, 0x2172, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x2000, 0x0, &(0x7f0000ffb000/0x2000)=nil)
r0 = syz_io_uring_complete(0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000001c0))
r1 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
fchdir(0xffffffffffffffff)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
preadv(r2, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x4)
sendmmsg(0xffffffffffffffff, &(0x7f0000007fc0), 0x800001d, 0xa1a)
userfaultfd(0x80001)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="308a4703e3ffffffffdbb50000e7ffff05004000", @ANYBLOB="000000000a000200aaaaaaaaaa"], 0x30}}, 0x0)
syz_io_uring_setup(0x110, &(0x7f0000000140), 0x0, 0x0)
ioctl$sock_SIOCSIFBR(r1, 0x8941, &(0x7f00000003c0)=@get={0x1, &(0x7f0000000300)=""/59, 0xf})
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
splice(r1, 0x0, r2, 0x0, 0x8000f28, 0x0)
vmsplice(r2, &(0x7f0000000740)=[{&(0x7f0000000cc0)="13", 0x1}, {&(0x7f00000007c0)="b4", 0x1}, {&(0x7f0000000300)="b8", 0x1}, {&(0x7f00000008c0)="ff", 0x1}], 0x4, 0x0)
ioctl$sock_inet_sctp_SIOCINQ(r2, 0x541b, &(0x7f0000000000))
write(r0, 0x0, 0x0)
executing program 4:
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x2, 0x42032, 0xffffffffffffffff, 0x0)
move_pages(0x0, 0x3, &(0x7f0000000040)=[&(0x7f0000a0d000/0x3000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000a3a000/0x1000)=nil], &(0x7f0000000100)=[0x1], &(0x7f0000000180), 0x0)
executing program 4:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
write$tun(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="08000000008400000900000000004500002800000000002f9078ac1e00", @ANYRESHEX, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYBLOB="07b3cf71c95581f4b30866758d12a2a21ec31f86f0868ae164baa87babe7503409c2a5f4bf679aa4f60afd32097302a3f8018d39379030cf95e9fc948d3139a6537241d999bffab7f7c47ab89cd758a66c72e85a098643a6ab899bb13a474da31bcc73260c9795ce63205bbbb7c3d9ee0b632508b0c18b147e2ad6c50ebc133338a77ae19cb0d5db9c3a101bb6937ce0a23c850346b6deb31e"], 0x36)
clock_gettime(0x0, &(0x7f00000006c0))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x3c1, 0x3, 0x328, 0x128, 0x4c, 0x1a, 0x0, 0x73, 0x258, 0x258, 0x258, 0x258, 0x258, 0x3, 0x0, {[{{@ipv6={@rand_addr=' \x01\x00', @local, [], [], 'wg2\x00', 'macvlan1\x00', {}, {}, 0x11}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@inet=@l2tp={{0x30}, {0x0, 0x0, 0x2, 0x0, 0x5}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@TCPMSS={0x28}}, {{@ipv6={@private2, @dev, [], [], 'veth1_macvtap\x00', 'veth0_macvtap\x00'}, 0x0, 0xf8, 0x130, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@icmp6={{0x28}, {0x0, "e1f6"}}]}, @common=@inet=@SET3={0x38}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x388)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000b40)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x5c, 0x16, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0xc, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x2}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x6}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}]}, @NFT_MSG_DELFLOWTABLE={0x30, 0x16, 0xa, 0x0, 0xb00, 0x0, {}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x4}]}], {0x14, 0x10}}, 0xb4}}, 0x0)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18}, './file0\x00'})
socket$packet(0x11, 0x0, 0x300)
ioctl$SCSI_IOCTL_SEND_COMMAND(0xffffffffffffffff, 0x1, &(0x7f0000000180))
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000002c0)=@newqdisc={0x24, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0x0, 0xc}}}, 0x24}}, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000140)={&(0x7f0000003340)=ANY=[@ANYBLOB="14"], 0x16e8}, 0x1, 0x0, 0x0, 0x64008005}, 0x0)
shutdown(0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x10)
socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$packet(0x11, 0x0, 0x300)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r5=>0x0})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYRES64=0x0, @ANYRES32=r5, @ANYBLOB], 0x34}}, 0x0)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000240)={0x0, 0x8209}, 0x0)
sendto(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
executing program 0:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0xa, &(0x7f0000000180)={0x0, @in, 0x0, 0x0, 0x290}, 0x98)
connect$inet(0xffffffffffffffff, 0x0, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <10>
bisect: split chunk #0 of len 10 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 2, 24, 4, 3]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
pipe(&(0x7f0000000080)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
splice(r1, 0x0, r2, 0x0, 0x8000f28, 0x0)
vmsplice(r2, &(0x7f0000000740)=[{&(0x7f0000000cc0)="13", 0x1}, {&(0x7f00000007c0)="b4", 0x1}, {&(0x7f0000000300)="b8", 0x1}, {&(0x7f00000008c0)="ff", 0x1}], 0x4, 0x0)
ioctl$sock_inet_sctp_SIOCINQ(r2, 0x541b, &(0x7f0000000000))
write(r0, 0x0, 0x0)
executing program 4:
mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800000, 0x2, 0x42032, 0xffffffffffffffff, 0x0)
move_pages(0x0, 0x3, &(0x7f0000000040)=[&(0x7f0000a0d000/0x3000)=nil, &(0x7f0000ffd000/0x1000)=nil, &(0x7f0000a3a000/0x1000)=nil], &(0x7f0000000100)=[0x1], &(0x7f0000000180), 0x0)
executing program 4:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
write$tun(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="08000000008400000900000000004500002800000000002f9078ac1e00", @ANYRESHEX, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYBLOB="07b3cf71c95581f4b30866758d12a2a21ec31f86f0868ae164baa87babe7503409c2a5f4bf679aa4f60afd32097302a3f8018d39379030cf95e9fc948d3139a6537241d999bffab7f7c47ab89cd758a66c72e85a098643a6ab899bb13a474da31bcc73260c9795ce63205bbbb7c3d9ee0b632508b0c18b147e2ad6c50ebc133338a77ae19cb0d5db9c3a101bb6937ce0a23c850346b6deb31e"], 0x36)
clock_gettime(0x0, &(0x7f00000006c0))
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setaffinity(0x0, 0x8, &(0x7f0000000040)=0x10001)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000780)=@raw={'raw\x00', 0x3c1, 0x3, 0x328, 0x128, 0x4c, 0x1a, 0x0, 0x73, 0x258, 0x258, 0x258, 0x258, 0x258, 0x3, 0x0, {[{{@ipv6={@rand_addr=' \x01\x00', @local, [], [], 'wg2\x00', 'macvlan1\x00', {}, {}, 0x11}, 0x0, 0x100, 0x128, 0x0, {}, [@common=@inet=@l2tp={{0x30}, {0x0, 0x0, 0x2, 0x0, 0x5}}, @inet=@rpfilter={{0x28}}]}, @common=@inet=@TCPMSS={0x28}}, {{@ipv6={@private2, @dev, [], [], 'veth1_macvtap\x00', 'veth0_macvtap\x00'}, 0x0, 0xf8, 0x130, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@icmp6={{0x28}, {0x0, "e1f6"}}]}, @common=@inet=@SET3={0x38}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x388)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000b40)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x5c, 0x16, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0xc, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x2}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x6}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x1}]}, @NFT_MSG_DELFLOWTABLE={0x30, 0x16, 0xa, 0x0, 0xb00, 0x0, {}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_HANDLE={0xc, 0x5, 0x1, 0x0, 0x4}, @NFTA_FLOWTABLE_HOOK={0x4}]}], {0x14, 0x10}}, 0xb4}}, 0x0)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18}, './file0\x00'})
socket$packet(0x11, 0x0, 0x300)
ioctl$SCSI_IOCTL_SEND_COMMAND(0xffffffffffffffff, 0x1, &(0x7f0000000180))
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000002c0)=@newqdisc={0x24, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0x0, 0xc}}}, 0x24}}, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000100)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000140)={&(0x7f0000003340)=ANY=[@ANYBLOB="14"], 0x16e8}, 0x1, 0x0, 0x0, 0x64008005}, 0x0)
shutdown(0xffffffffffffffff, 0x0)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffffff, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x0, 0x0}, &(0x7f0000000180)=0x10)
socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$packet(0x11, 0x0, 0x300)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r5=>0x0})
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYRES64=0x0, @ANYRES32=r5, @ANYBLOB], 0x34}}, 0x0)
executing program 2:
r0 = socket$inet(0x2, 0x5, 0x0)
setsockopt$inet_opts(r0, 0x0, 0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x29, &(0x7f0000000240)={0x0, 0x8209}, 0x0)
sendto(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0)
executing program 0:
r0 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0xa, &(0x7f0000000180)={0x0, @in, 0x0, 0x0, 0x290}, 0x98)
connect$inet(0xffffffffffffffff, 0x0, 0x0)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m41s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 8, 12, 3, 18]
detailed listing:
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
bind$vsock_stream(0xffffffffffffffff, &(0x7f0000000000)={0x10}, 0x10)
socket$inet6_dccp(0xa, 0x6, 0x0)
socket(0xa, 0x1, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
r2 = shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
shmat(0x0, &(0x7f0000ff9000/0x1000)=nil, 0x5000)
shmdt(r2)
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)
executing program 3:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x2, 0x2172, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x2000, 0x0, &(0x7f0000ffb000/0x2000)=nil)
r0 = syz_io_uring_complete(0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000001c0))
r1 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
fchdir(0xffffffffffffffff)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
preadv(r2, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x4)
sendmmsg(0xffffffffffffffff, &(0x7f0000007fc0), 0x800001d, 0xa1a)
userfaultfd(0x80001)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="308a4703e3ffffffffdbb50000e7ffff05004000", @ANYBLOB="000000000a000200aaaaaaaaaa"], 0x30}}, 0x0)
syz_io_uring_setup(0x110, &(0x7f0000000140), 0x0, 0x0)
ioctl$sock_SIOCSIFBR(r1, 0x8941, &(0x7f00000003c0)=@get={0x1, &(0x7f0000000300)=""/59, 0xf})

program crashed: KASAN: use-after-free Read in v4l2_fh_open
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <5>
bisect: split chunk #0 of len 5 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 18]
detailed listing:
executing program 3:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
splice(r0, 0x0, 0xffffffffffffffff, 0x0, 0xf3a, 0x0)
shutdown(r0, 0x0)
executing program 3:
mmap(&(0x7f0000000000/0xa000)=nil, 0xa000, 0x2, 0x2172, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x2000, 0x0, &(0x7f0000ffb000/0x2000)=nil)
r0 = syz_io_uring_complete(0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f00000001c0))
r1 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
fchdir(0xffffffffffffffff)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
preadv(r2, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
syz_open_dev$tty1(0xc, 0x4, 0x4)
sendmmsg(0xffffffffffffffff, &(0x7f0000007fc0), 0x800001d, 0xa1a)
userfaultfd(0x80001)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000000)={'bridge0\x00'})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="308a4703e3ffffffffdbb50000e7ffff05004000", @ANYBLOB="000000000a000200aaaaaaaaaa"], 0x30}}, 0x0)
syz_io_uring_setup(0x110, &(0x7f0000000140), 0x0, 0x0)
ioctl$sock_SIOCSIFBR(r1, 0x8941, &(0x7f00000003c0)=@get={0x1, &(0x7f0000000300)=""/59, 0xf})

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 8, 12]
detailed listing:
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
bind$vsock_stream(0xffffffffffffffff, &(0x7f0000000000)={0x10}, 0x10)
socket$inet6_dccp(0xa, 0x6, 0x0)
socket(0xa, 0x1, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
r2 = shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
shmat(0x0, &(0x7f0000ff9000/0x1000)=nil, 0x5000)
shmdt(r2)
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
bisect: the chunk can be dropped
bisect: split chunks (needed=true): <3>
bisect: split chunk #0 of len 3 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$MAP_CREATE_RINGBUF-prlimit64-getpid-sched_setscheduler-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-fspick-socket$nl_route-openat-read$FUSE
detailed listing:
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program did not crash
bisect: testing without sub-chunk 2/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [14, 8]
detailed listing:
executing program 4:
socket$nl_route(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f00000002c0)={'erspan0\x00'})
syz_open_dev$vim2m(&(0x7f0000000000), 0x101, 0x2)
r1 = fsopen(&(0x7f0000000040)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x8, 0x0, 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x7c0573d, 0x4000)
bind$vsock_stream(0xffffffffffffffff, &(0x7f0000000000)={0x10}, 0x10)
socket$inet6_dccp(0xa, 0x6, 0x0)
socket(0xa, 0x1, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x84, &(0x7f0000000300)={0x0, @in6={{0xa, 0x0, 0x0, @local}}}, 0x0)
r2 = shmat(0x0, &(0x7f0000ffc000/0x2000)=nil, 0x4000)
shmat(0x0, &(0x7f0000ff9000/0x1000)=nil, 0x5000)
shmdt(r2)
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)

program did not crash
bisect: split chunks (needed=true): <2>, <1>
bisect: split chunk #0 of len 2 into 2 parts
bisect: testing without sub-chunk 1/2
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [8, 12]
detailed listing:
executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
bisect: the chunk can be dropped
bisect: testing without sub-chunk 2/2
bisect: no need to test this chunk, it's definitely needed
bisect: split chunk #1 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: split chunks (needed=true): <1>, <1, final>
bisect: split chunk #0 of len 1 into 2 parts
bisect: no way to further split the chunk
bisect: 2 programs left: 

executing program 4:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
syz_usb_connect$cdc_ncm(0x0, 0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)


bisect: trying to concatenate
bisect: concatenate 2 entries
minimizing program #0 before concatenation
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [7, 12]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
io_submit(0x0, 0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [6, 12]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
ioctl$SNDCTL_TMR_TIMEBASE(0xffffffffffffffff, 0xc0045401, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [5, 12]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
io_setup(0x0, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [4, 12]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(0xffffffffffffffff, 0xc0285700, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [3, 12]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 12]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program did not crash
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [2, 12]
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x2, 0x0, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 12]
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 3:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)
read$FUSE(r0, &(0x7f00000012c0)={0x2020}, 0x2020)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
minimized 8 calls -> 1 calls
minimizing program #1 before concatenation
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 11]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup/cgroup.procs\x00', 0x0, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 10]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 9]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fspick(0xffffffffffffffff, 0x0, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 8]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 7]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(0xffffffffffffffff, &(0x7f0000000000), 0x651, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 6]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)
connect$unix(0xffffffffffffffff, &(0x7f000057eff8)=@abs, 0x6e)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 5]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 4]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()
sched_setscheduler(0x0, 0x0, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 3]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)
getpid()

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 2]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8}, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 1]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000007c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [1, 0]
detailed listing:
executing program 4:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)
executing program 0:

program crashed: KASAN: use-after-free Read in v4l2_fh_open
minimized 12 calls -> 0 calls
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)={{0x12, 0x1, 0x0, 0xb7, 0x93, 0xe3, 0x40, 0xeb1a, 0xe303, 0xfca0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0xa1, 0x7, 0x8a, 0x0, [], [{{0x9, 0x5, 0x82}}]}}]}}]}}, 0x0)

program crashed: KASAN: use-after-free Read in v4l2_fh_open
bisect: concatenation succeeded
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=2m30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: use-after-free Read in v4l2_fh_open
simplifying C reproducer
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program did not crash
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: use-after-free Read in v4l2_fh_open
testing compiled C program (duration=2m30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: use-after-free Read in v4l2_fh_open
reproducing took 1h31m37.071369679s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: use-after-free in v4l2_fh_open+0xc7/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
Read of size 8 at addr ffff88801e86c900 by task v4l_id/4297

CPU: 0 PID: 4297 Comm: v4l_id Not tainted 5.15.164-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xc7/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
 em28xx_v4l2_open+0x15d/0xa10 drivers/media/usb/em28xx/em28xx-video.c:2163
 v4l2_open+0x228/0x360 drivers/media/v4l2-core/v4l2-dev.c:427
 chrdev_open+0x54a/0x630 fs/char_dev.c:414
 do_dentry_open+0x807/0xfb0 fs/open.c:826
 do_open fs/namei.c:3608 [inline]
 path_openat+0x2705/0x2f20 fs/namei.c:3742
 do_filp_open+0x21c/0x460 fs/namei.c:3769
 do_sys_openat2+0x13b/0x4f0 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1280
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f9217b8c9a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffea9756f90 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffea97571a8 RCX: 00007f9217b8c9a4
RDX: 0000000000000000 RSI: 00007ffea9757f22 RDI: 00000000ffffff9c
RBP: 00007ffea9757f22 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffea97571c0 R14: 000056380b8b4670 R15: 00007f9217fd5a80
 </TASK>

The buggy address belongs to the page:
page:ffffea00007a1b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e86c
head:ffffea00007a1b00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010000(head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 3582, ts 105608959675, free_ts 105589982278
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5423
 kmalloc_order+0x41/0x150 mm/slab_common.c:966
 kmalloc_order_trace+0x15/0xe0 mm/slab_common.c:982
 kmalloc_large include/linux/slab.h:520 [inline]
 kmalloc include/linux/slab.h:584 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 em28xx_v4l2_init+0xe2/0x2d50 drivers/media/usb/em28xx/em28xx-video.c:2542
 em28xx_init_extension+0x11b/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1126
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 process_scheduled_works kernel/workqueue.c:2373 [inline]
 worker_thread+0xd83/0x1280 kernel/workqueue.c:2462
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 free_nonslab_page+0xe4/0x150 mm/slub.c:3535
 kfree+0x1cf/0x270 mm/slub.c:4556
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2128 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x15d7/0x2d50 drivers/media/usb/em28xx/em28xx-video.c:2911
 em28xx_init_extension+0x11b/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1126
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 process_scheduled_works kernel/workqueue.c:2373 [inline]
 worker_thread+0xd83/0x1280 kernel/workqueue.c:2462
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Memory state around the buggy address:
 ffff88801e86c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801e86c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801e86c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff88801e86c980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801e86ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: use-after-free in v4l2_fh_open+0xc7/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
Read of size 8 at addr ffff88801e86c900 by task v4l_id/4297

CPU: 0 PID: 4297 Comm: v4l_id Not tainted 5.15.164-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xc7/0x430 drivers/media/v4l2-core/v4l2-fh.c:63
 em28xx_v4l2_open+0x15d/0xa10 drivers/media/usb/em28xx/em28xx-video.c:2163
 v4l2_open+0x228/0x360 drivers/media/v4l2-core/v4l2-dev.c:427
 chrdev_open+0x54a/0x630 fs/char_dev.c:414
 do_dentry_open+0x807/0xfb0 fs/open.c:826
 do_open fs/namei.c:3608 [inline]
 path_openat+0x2705/0x2f20 fs/namei.c:3742
 do_filp_open+0x21c/0x460 fs/namei.c:3769
 do_sys_openat2+0x13b/0x4f0 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1280
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f9217b8c9a4
Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffea9756f90 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffea97571a8 RCX: 00007f9217b8c9a4
RDX: 0000000000000000 RSI: 00007ffea9757f22 RDI: 00000000ffffff9c
RBP: 00007ffea9757f22 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffea97571c0 R14: 000056380b8b4670 R15: 00007f9217fd5a80
 </TASK>

The buggy address belongs to the page:
page:ffffea00007a1b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e86c
head:ffffea00007a1b00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010000(head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 3582, ts 105608959675, free_ts 105589982278
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5423
 kmalloc_order+0x41/0x150 mm/slab_common.c:966
 kmalloc_order_trace+0x15/0xe0 mm/slab_common.c:982
 kmalloc_large include/linux/slab.h:520 [inline]
 kmalloc include/linux/slab.h:584 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 em28xx_v4l2_init+0xe2/0x2d50 drivers/media/usb/em28xx/em28xx-video.c:2542
 em28xx_init_extension+0x11b/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1126
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 process_scheduled_works kernel/workqueue.c:2373 [inline]
 worker_thread+0xd83/0x1280 kernel/workqueue.c:2462
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 free_nonslab_page+0xe4/0x150 mm/slub.c:3535
 kfree+0x1cf/0x270 mm/slub.c:4556
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2128 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x15d7/0x2d50 drivers/media/usb/em28xx/em28xx-video.c:2911
 em28xx_init_extension+0x11b/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1126
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 process_scheduled_works kernel/workqueue.c:2373 [inline]
 worker_thread+0xd83/0x1280 kernel/workqueue.c:2462
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Memory state around the buggy address:
 ffff88801e86c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801e86c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88801e86c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff88801e86c980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801e86ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================